
# Enable SAML SSO with Microsoft Entra ID

> Set up SAML SSO for the MacStadium Portal with Microsoft Entra ID (Azure AD): create the enterprise app, configure SAML, and share metadata.

## About

<Note>SAML SSO is a paid offering. Contact your account team through the [Customer Portal](https://portal.macstadium.com) for more information.</Note>

<Warning>MacStadium does not support IdP-initiated logins. After SSO is configured, all users must log in at [portal.macstadium.com/sso](https://portal.macstadium.com/sso) using the ID provided by the MacStadium team.</Warning>

<Tip>You can also log in directly at [portal.macstadium.com](https://portal.macstadium.com/login).</Tip>

## Overview

SAML SSO with Microsoft Entra ID allows customers to:

* Enable users to be automatically signed in to MacStadium using their Entra ID accounts.
* Manage accounts in one central location: Microsoft Entra ID.

## Getting Started

1. Open **Entra ID admin**.
2. Navigate to **Enterprise applications**.\\
   <img src="https://mintcdn.com/macstadiuminc/bll0b6tt9scf_iyB/images/attachments/28263129254811.png?fit=max&auto=format&n=bll0b6tt9scf_iyB&q=85&s=d3ebbe9da39848a89fa3d1f9fe8e15fb" alt="Azure Entra ID admin left sidebar with Enterprise applications option" width="2400" height="1600" data-path="images/attachments/28263129254811.png" />
3. Create a new application by clicking **New Application**.\\
   <img src="https://mintcdn.com/macstadiuminc/bll0b6tt9scf_iyB/images/attachments/28263097031963.png?fit=max&auto=format&n=bll0b6tt9scf_iyB&q=85&s=134cae42ef69f95f384c4459c70eb654" alt="Azure Enterprise applications list with New Application button" width="2400" height="1600" data-path="images/attachments/28263097031963.png" />
4. Create an application by clicking **Create your own application**.\\
   <img src="https://mintcdn.com/macstadiuminc/bll0b6tt9scf_iyB/images/attachments/28263097033755.png?fit=max&auto=format&n=bll0b6tt9scf_iyB&q=85&s=1ecaab601c38abe2ea81101b89ad171a" alt="Azure Browse gallery page with Create your own application button" width="2400" height="1600" data-path="images/attachments/28263097033755.png" />
   * Enter a name (for example **MacStadium-Portal**).
   * Select **Integrate any other application you don’t find in the gallery (Non-gallery).**\\
     <img src="https://mintcdn.com/macstadiuminc/bll0b6tt9scf_iyB/images/attachments/28263097036187.png?fit=max&auto=format&n=bll0b6tt9scf_iyB&q=85&s=a851c7e9d2c80948e1d88438c75e3ba3" alt="Azure Create your own application form with name field and non-gallery option selected" width="2372" height="1581" data-path="images/attachments/28263097036187.png" />
5. Click **Single sign-on**.\\
   <img src="https://mintcdn.com/macstadiuminc/bll0b6tt9scf_iyB/images/attachments/28263129264411.png?fit=max&auto=format&n=bll0b6tt9scf_iyB&q=85&s=3ad9a3812c90033f28a38ca592b48e03" alt="Azure enterprise app overview with Single sign-on option in sidebar" width="2372" height="1581" data-path="images/attachments/28263129264411.png" />
6. Select **SAML**.\\
   <img src="https://mintcdn.com/macstadiuminc/bll0b6tt9scf_iyB/images/attachments/28263129266459.png?fit=max&auto=format&n=bll0b6tt9scf_iyB&q=85&s=ca1a20e32bbaf93961abe8b65e78bfcf" alt="Azure Single sign-on method selection with SAML option highlighted" width="2372" height="1581" data-path="images/attachments/28263129266459.png" />
7. Click **Edit** on *Basic SAML settings*.\\
   <img src="https://mintcdn.com/macstadiuminc/bll0b6tt9scf_iyB/images/attachments/28263129267739.png?fit=max&auto=format&n=bll0b6tt9scf_iyB&q=85&s=ea366980e53c80d72573f3bd88f2efd4" alt="Azure SAML-based Sign-on page showing Basic SAML Configuration section with Edit button" width="2372" height="1581" data-path="images/attachments/28263129267739.png" />
8. Configure the SAML settings:
   * **Identifier (Entity ID):** `urn:amazon:cognito:sp:us-east-1_pusi8jHs1`
   * **Reply URL (Assertion Consumer Service URL):** `https://idp.macstadium.com/saml2/idpresponse`
   * **Logout URL (Optional):** `https://idp.macstadium.com/saml2/logout`
   * Click **Save**
     <img src="https://mintcdn.com/macstadiuminc/bll0b6tt9scf_iyB/images/attachments/28263129269275.png?fit=max&auto=format&n=bll0b6tt9scf_iyB&q=85&s=4fa1657421ac732a02cde70f8d12dfd6" alt="Azure Basic SAML Configuration with Entity ID, Reply URL, and Logout URL fields completed" width="2372" height="1992" data-path="images/attachments/28263129269275.png" />
9. Edit **Attributes & Claims** for your SAML app. <Warning>The email field must be mapped to `user.mail` or login will fail.</Warning>\\
   <img src="https://mintcdn.com/macstadiuminc/dU1lCoT-Tf9PRIOx/images/attachments/37939325807643.png?fit=max&auto=format&n=dU1lCoT-Tf9PRIOx&q=85&s=c6dfd7547e692d43e2bb8b1864cb5c05" alt="Azure Attributes and Claims configuration with email mapped to user.mail" width="2834" height="2086" data-path="images/attachments/37939325807643.png" />

Once configured properly, section 2 of your SAML app should look like the screenshot below.

<img src="https://mintcdn.com/macstadiuminc/dU1lCoT-Tf9PRIOx/images/attachments/37939280894619.png?fit=max&auto=format&n=dU1lCoT-Tf9PRIOx&q=85&s=3c9c20722b258f7e216cca7b563c35fc" alt="Azure SAML app section 2 showing correctly configured Attributes and Claims" width="2948" height="1428" data-path="images/attachments/37939280894619.png" />

10. Once the attributes & claims are updated, provide the App Federation Metadata URL to the MacStadium support team. You can copy it from section 3 of your SAML app, as shown in the screenshot below.\\
    <img src="https://mintcdn.com/macstadiuminc/dU1lCoT-Tf9PRIOx/images/attachments/37939325810971.png?fit=max&auto=format&n=dU1lCoT-Tf9PRIOx&q=85&s=2207a59ae339fbebab18016f2064ecf8" alt="Azure SAML app section 3 showing App Federation Metadata URL to copy" width="1606" height="756" data-path="images/attachments/37939325810971.png" />
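Before handing that URL over, it is worth confirming that the metadata document it serves describes a usable IdP: an entity ID, an HTTP-Redirect SingleSignOnService endpoint (the SP-initiated login at portal.macstadium.com/sso starts there) and a signing certificate. The script below is an added example, not MacStadium's or Microsoft's code; the XML is a constructed stand-in for what the App Federation Metadata URL returns, with a placeholder tenant id and placeholder certificate bytes.

```python
"""Sanity-check an Entra ID federation metadata document before sharing its
URL with support (step 10). Added example, not MacStadium's code. The XML is a
constructed stand-in with a placeholder tenant id and placeholder cert bytes."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed sample; a real document carries a real X.509 certificate.
FAKE_CERT = base64.b64encode(b"constructed placeholder certificate bytes").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def inspect_idp_metadata(xml_text: str) -> dict:
    """Return the IdP facts the SP side needs, plus any problems found."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"problems": ["no IDPSSODescriptor: not an identity-provider document"]}
    problems = []
    sso = {s.get("Binding"): s.get("Location") or ""
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if REDIRECT not in sso:
        problems.append("no HTTP-Redirect SingleSignOnService: SP-initiated login cannot start")
    if not certs:
        problems.append("no signing certificate: assertions could not be verified")
    problems += [f"non-HTTPS endpoint: {u}" for u in sso.values() if not u.startswith("https://")]
    # SHA-256 fingerprints let you confirm with support that both sides hold the same cert.
    fingerprints = [hashlib.sha256(base64.b64decode(c)).hexdigest() for c in certs]
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_cert_sha256": fingerprints, "problems": problems}
```

Point `inspect_idp_metadata` at the text fetched from your real App Federation Metadata URL; an empty `problems` list means the document carries what an SP-initiated SAML login needs.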
