This document covers configuring the Microsoft Entra ID SAML Identity Provider with Zitadel for use with your ConnectSecure login.
Microsoft Entra ID SAML IDP - Overview
You need to have access to an Entra ID Tenant.
If you do not yet have one, follow this guide from Microsoft to create one for free.
In ZITADEL, you can connect an Identity Provider (IdP) like Entra ID (formerly Azure Active Directory) to your instance and provide it as the default to all organizations. You can also register the IDP for a specific organization only. If you allow this, your organization's members can do the same in self-service.
Microsoft Entra ID SAML Configuration
Log in to the Azure portal.
Browse to the Enterprise applications menu.
Search for "SAML Toolkit" and click the "Microsoft Entra SAML Toolkit" card.
Change the name if you want, and click Create.
Disable required assignment
To let users of the tenant sign in through ZITADEL, disable the required-assignment setting on the application. With "Assignment required?" set to Yes, only users and groups explicitly assigned to the enterprise application can authenticate; setting it to No allows any user in the tenant. If you want to restrict who can reach ConnectSecure through this IdP, keep it set to Yes and assign the users or groups instead.
Navigate to Manage > Properties
Set ‘Assignment required?’ to No
Click Save
Setup SAML
Navigate to Manage > Single Sign-On
Select SAML
You will be redirected to the Single Sign-On details page
Under SAML Certificates, copy the App Federation Metadata Url to your clipboard
Zitadel Configuration
Log in to ZITADEL at https://authprod.myyconnectsecure.com
Click the logo in the top-left corner, then open Settings
Click Identity Providers and choose SAML SP
Create New SAML Service Provider (SP)
Set a name like ‘Microsoft Entra’
Paste the previously copied URL into the "Metadata URL" field. After creation, the metadata will automatically be fetched from the provided URL.
Select the "SAML_POST_BINDING" as binding
Ensure that the "Signed Request" box is ticked
Change the options if needed. Microsoft Entra works out of the box using the pre-configured options.
Click Create
Automatic creation: If this setting is enabled, the user will be created automatically within ZITADEL if it doesn't exist.
Automatic update: If this setting is enabled, the user will be updated within ZITADEL when user data changes at the provider. For example, if the last name changes on the Entra ID account, the ZITADEL account is updated on the next login.
Account creation allowed: This setting determines whether account creation within ZITADEL is allowed.
Account linking allowed: This setting determines whether account linking is allowed. When logging in with an Entra ID account, a linkable ZITADEL account must already exist.
Either account creation or account linking has to be enabled. Otherwise, the provider can't be used.
Basic SAML Configuration
After you create the SAML SP in ZITADEL, you can copy the URLs you need to configure in your Entra ID application.
Go to Microsoft Entra > Manage > Single sign-on
Edit the "Basic SAML Configuration"
Identifier (Entity ID): Paste the ZITADEL Metadata URL.
Reply URL (Assertion Consumer Service URL): Paste the ZITADEL ACS Login Form URL
Sign-on URL: Paste the ZITADEL ACS Login Form URL
Logout URL: Optionally paste the ZITADEL Single Logout URL
Click Save
You can ignore the Zitadel ACS Intent API URL for now. This is relevant if you want to programmatically sign users in at ZITADEL via a SAML Service Provider.
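Before pasting the Entra metadata URL into ZITADEL (Setup SAML above) and the ZITADEL URLs into Entra's Basic SAML Configuration, it is worth checking what each metadata document actually contains. The script below is an added example for this guide, not code from ConnectSecure, ZITADEL or Microsoft. It parses SAML 2.0 metadata, reports the entity ID, endpoints per binding and signing-certificate fingerprints, flags an Entra IdP document that cannot satisfy the SP settings chosen above (HTTP-POST binding, signature verification), and maps ZITADEL SP metadata onto the Entra fields. The two embedded metadata documents are constructed samples; the tenant ID, ZITADEL domain, IdP ID and certificate body in them are placeholders.

```python
"""Summarize SAML 2.0 metadata before copying URLs between Entra ID and ZITADEL.

Added example for this guide (not ConnectSecure, ZITADEL or Microsoft code).
The two metadata documents at the bottom are constructed samples.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 hex fingerprint of a base64 DER cert from <ds:X509Certificate>.
    Line breaks and spaces inside the base64 body are tolerated."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def summarize_metadata(xml_text: str) -> dict:
    """Extract entityID, role (IdP/SP), endpoints by binding, signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    info = {"entity_id": root.get("entityID"), "role": None,
            "endpoints": {}, "signing_certs": [], "signed_requests": None}
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is not None:
        desc, info["role"] = idp, "IdP"
        info["signed_requests"] = idp.get("WantAuthnRequestsSigned") == "true"
        services = {"sso": "md:SingleSignOnService", "slo": "md:SingleLogoutService"}
    elif sp is not None:
        desc, info["role"] = sp, "SP"
        info["signed_requests"] = sp.get("AuthnRequestsSigned") == "true"
        services = {"acs": "md:AssertionConsumerService", "slo": "md:SingleLogoutService"}
    else:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
    for key, tag in services.items():
        for e in desc.findall(tag, NS):
            info["endpoints"].setdefault(key, {})[e.get("Binding")] = e.get("Location")
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.findall(".//ds:X509Certificate", NS):
                if c.text and c.text.strip():
                    info["signing_certs"].append(cert_fingerprint(c.text))
    return info


def check_entra_idp(info: dict) -> list:
    """Problems that would break the SP settings used in this guide."""
    problems = []
    if info["role"] != "IdP":
        problems.append("not an IdP descriptor: wrong metadata URL pasted into ZITADEL")
    if POST not in info["endpoints"].get("sso", {}):
        problems.append("no HTTP-POST SingleSignOnService: SAML_POST_BINDING cannot work")
    if not info["signing_certs"]:
        problems.append("no signing certificate: ZITADEL cannot verify Entra assertions")
    return problems


def entra_basic_saml_values(sp_info: dict) -> dict:
    """Map ZITADEL SP metadata onto Entra's 'Basic SAML Configuration' fields."""
    if sp_info["role"] != "SP":
        raise ValueError("expected ZITADEL SP metadata")
    acs = sp_info["endpoints"].get("acs", {}).get(POST)
    return {
        "Identifier (Entity ID)": sp_info["entity_id"],  # ZITADEL's entityID is its metadata URL
        "Reply URL (Assertion Consumer Service URL)": acs,
        "Sign-on URL": acs,
        "Logout URL": sp_info["endpoints"].get("slo", {}).get(POST),
    }


# Constructed sample of what the Entra "App Federation Metadata Url" returns
# (all-zero tenant ID and the certificate body are placeholders, not real values).
ENTRA_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>Y29uc3Ry
dWN0ZWQ=</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample of ZITADEL SP metadata (domain and IdP ID are placeholders).
ZITADEL_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://zitadel.example.test/idps/123456789012345678/saml/metadata">
 <md:SPSSODescriptor AuthnRequestsSigned="true"
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://zitadel.example.test/idps/123456789012345678/saml/slo"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://zitadel.example.test/idps/123456789012345678/saml/acs" index="1"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    idp = summarize_metadata(ENTRA_IDP_METADATA)
    print("Entra IdP problems:", check_entra_idp(idp) or "none")
    print("Entra signing cert SHA-256:", idp["signing_certs"])
    for field, value in entra_basic_saml_values(summarize_metadata(ZITADEL_SP_METADATA)).items():
        print("%s: %s" % (field, value))
```

Run it unchanged to see the output for the samples, or replace the two constants with the XML fetched from the real URLs. Pasting the ZITADEL metadata into the IdP check deliberately fails, which is the mistake the check is meant to catch; keep the certificate fingerprint somewhere so a certificate rollover on the Entra side is noticed instead of surfacing as unexplained login failures.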
Enable the Microsoft Entra Button on the ZITADEL Login Page
Go back to ZITADEL and activate the IDP.
Activate IdP
Once you have created the provider, it is listed in the providers overview.
Activate it by selecting the tick with the tooltip "set as available". If you deactivate a provider, users linked to it can no longer authenticate until you reactivate it, after which their logins work again. The provider can also be activated via the API: because identity providers are sub-resources of the login settings, this is done by linking the provider to those settings.
Ensure your Login Policy allows External IDPs
Go to the Settings
To allow external IdP logins by default, go to your instance default settings at $YOUR-DOMAIN/ui/console/instance?id=general
To allow external IdP logins on an organization, go to $YOUR-DOMAIN/ui/console/org-settings?id=login and ensure you have the right org context.
Modify your login policy in the menu "Login Behavior and Security"
Enable the attribute "External Login allowed"
Test Your Setup
Enter your domain name, then choose the external IdP option to log in.
On the next page, click "Log in with an external user".
Enter your Microsoft Entra ID credentials.
After the Entra ID login, ZITADEL offers either Link or Register: if a ZITADEL user already exists for this identity, click Link, enter that user's email and password, and click Next; if not, click Register, complete the user data, and click Next.
This completes the login for the SAML SP for Microsoft Entra ID.
Need Support?
Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.
https://cybercns.freshdesk.com/en/support/login