Microsoft Entra ID SAML IDP

Microsoft Entra ID SAML IDP - Overview

In ZITADEL, you can connect an Identity Provider (IdP) like Entra ID (formerly Azure Active Directory) to your instance and provide it as the default to all organizations. You can also register the IDP for a specific organization only. If you allow this, your organization's members can do the same in self-service.

Microsoft Entra ID SAML Configuration

1. Login to your Azure portal.

2. Browse to the Enterprise applications menu.

3. Search for ‘SAML Toolkit’ and click on the “Microsoft Entra SAML Toolkit' card.

4. Change the name if you want, and click Create.

Open

5. Navigate to Manage > Properties

6. Set ‘Assignment required?’ to No

7. Tap Save

Open

Setup SAML

8. Navigate to Manage > Single Sign-On

9. Select SAML

10. You will be redirected to the Single Sign-On details page

11. Copy the URL of SAML Certificates > App Federation Metadate URL to your clipboard

Zitadel Configuration

1. Login to Zitadel https://authprod.myyconnectsecure.com

2. Tap on the Logo in top left corner, then tap to the Settings bar

3. Tap on the Identity Providers option and choose SAML SP

Create New SAML Service Provider (SP)

4. Set a name like ‘Microsoft Entra’

5. Paste the previously copied URL into the "Metadata URL" field. After creation, the metadata will automatically be fetched from the provided URL.

6. Select the "SAML_POST_BINDING" as binding

7. Ensure that the "Signed Request"-box is ticked

8. Change the options if needed. Microsoft Entra works out of the box using the pre-configured options.

9. Click Create

Basic SAML Configuration

1. After you create the SAML SP in ZITADEL, you can copy the URLs you need to configure in your Entra ID application.

2. Go to Microsoft Entra > Manage > Single sign-on

3. Edit the "Basic SAML Configuration"

4. Identifier (Entity ID): Paste the ZITADEL Metadata URL.

5. Reply URL (Assertion Consumer Service URL): Paste the ZITADEL ACS Login Form URL

6. Sign-on URL: Paste the ZITADEL ACS Login Form URL

7. Logout URL: Optionally paste the ZITADEL Single Logout URL Click Save

Enable the Microsoft Entra Button in the ZITADELs Login Page

1. Go back to ZITADEL and activate the IDP.

2. Activate IdP Once you have created the provider, it is listed in the provider's overview.

3. Activate it by selecting the tick with the tooltip set as available. If you deactivate a provider, your users with links to it will not be able to authenticate anymore. You can reactivate it and the logins will work again. The provider can also be activated via API. As the identity providers are sub-resources of the login settings, this is done by linking the provider to the settings:

Ensure your Login Policy allows External IDPs

4. Go to the Settings

   1. To allow external IdP logins by default, go to your instance default settings at $YOUR-DOMAIN/ui/console/instance?id=general

   2. To allow external IdP logins on an organization, go to $YOUR-DOMAIN/ui/ console/org-settings?id=login and ensure you have the right org context.

5. Modify your login policy in the menu "Login Behavior and Security"

6. Enable the attribute "External Login allowed"

Test Your Setup

1. Open https://portal.myconnectsecure.com/.

2. Enter your domain name > Choose the external IDP option to log in.

3. Now, click “Log in with an external user” on the next page.

4. Enter Microsoft Entra ID credentials.

5. After login, if the user exists then click on link; if the user does not exist, click on Register.

6. Once user data is added, click on Next, and If an existing user, Enter the User’s email and password and click on Next.

This completes the login for the SAML SP for Microsoft Entra ID.

Need Support?

Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.

https://cybercns.freshdesk.com/en/support/login