How to configure SAML SSO with Azure

This guide walks you through configuring SAML-based Single Sign-On (SSO) with Azure AD (Microsoft Entra ID) as your Identity Provider (IdP) for your Capawesome Cloud organization. In this setup, Azure AD acts as the IdP and Capawesome Cloud acts as the Service Provider (SP).

Prerequisites

Before you begin, ensure you have:

• Administrator access to your organization's Microsoft Entra admin center
• Owner or Admin role in your Capawesome Cloud organization

Step 1: Create an Application in your Identity Provider

1. Sign in to the Microsoft Entra admin center.
2. Navigate to Identity > Applications > Enterprise applications in the left sidebar.
3. Click New application.
4. Click Create your own application.
5. Enter a name for the application (e.g., Capawesome Cloud).
6. Select Integrate any other application you don't find in the gallery (Non-gallery).
7. Click Create.

Step 2: Configure your Application

1. In your newly created application, navigate to Manage > Single sign-on.
2. Select SAML as the single sign-on method.

The Basic SAML Configuration dialog will appear.

1. Click Edit on the Basic SAML Configuration section.
2. Open a new browser tab, navigate to your organization's settings in the Capawesome Cloud Console, scroll to the Single Sign-On (SSO) section, and click Configure to view the required URLs.
3. In Capawesome Cloud, copy the SP Entity ID and paste it into the Identifier (Entity ID) field in Azure.
4. Copy the Callback URL from Capawesome Cloud and paste it into the Reply URL (Assertion Consumer Service URL) field in Azure.
5. Leave Sign on URL, Relay State and Logout URL empty.
6. Click Save.

Step 3: Configure Attributes and Claims

Azure AD sends user information to Capawesome Cloud through SAML attributes. The default configuration should work for most cases, but verify the following claims are present:

1. Click Edit on the Attributes & Claims section.
2. Ensure these claims are configured:

Claim	Value
Unique User Identifier (Name ID)	user.mail
emailaddress	user.mail
givenname	user.givenname
surname	user.surname
name	user.displayname

The Unique User Identifier (Name ID) must be set to user.mail to properly identify users by their email address.

Step 4: Download the Certificate and Get URLs

In your Azure AD application, locate the SAML Certificates section:

1. Download the Certificate (Base64) file. You will need this to complete the configuration in Capawesome Cloud.
2. Note the Login URL from the Set up section. This is your Identity Provider's SSO URL.

The Login URL typically follows this format:

https://login.microsoftonline.com/{tenant-id}/saml2

Step 5: Assign Users and Groups

User management for SSO is handled through Azure AD. Before users can authenticate via SSO, they must be assigned to the application:

1. Navigate to Manage > Users and groups in your Azure AD application.
2. Click Add user/group.
3. Select the users or groups who should have access to Capawesome Cloud.
4. Click Assign.

Only assigned users will be able to authenticate to Capawesome Cloud through this SSO configuration.

Step 6: Complete Configuration in Capawesome Cloud

1. Return to your organization's SSO settings in the Capawesome Cloud Console.
2. Enter the Microsoft Entra ID from Azure AD into the Issuer field.
3. Enter the Login URL from Azure AD into the Entry Point field.
4. Enter your domain (e.g., yourcompany.com) into the Domain field.
5. Open the downloaded certificate file in a text editor.
6. Copy the entire certificate content (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and paste it into the Public Certificate field.

The certificate should be in PEM format:

-----BEGIN CERTIFICATE-----
MIIDp...certificate content...
-----END CERTIFICATE-----

Step 7: Test the Configuration

1. In the Capawesome Cloud Console, click Save and Test to verify your SSO configuration.
2. You will be redirected to Microsoft's login page.
3. Authenticate with your Azure AD credentials.
4. Upon successful authentication, you will be redirected back to Capawesome Cloud.

A successful test confirms that the SAML configuration is working correctly.

Step 8: Enable SSO for Your Organization

After successfully testing the configuration:

1. Navigate to your organization's settings and scroll to the Single Sign-On (SSO) section.
2. Click the Enable button to activate SSO for your organization.

Once enabled, organization members will be required to authenticate through Azure AD to access organization resources.

Troubleshooting

AADSTS50011: Reply URL does not match

This error occurs when the Reply URL configured in Azure AD does not match the Assertion Consumer Service URL in Capawesome Cloud.

• Verify that the Reply URL in Azure AD exactly matches the URL shown in your Capawesome Cloud SSO settings.
• Check for trailing slashes or protocol mismatches (http vs https).

AADSTS700016: Application not found

This error indicates that the application identifier cannot be found in the Azure AD tenant.

• Verify that the Identifier (Entity ID) in Azure AD matches the Entity ID in Capawesome Cloud.
• Ensure the application is properly configured and saved.

Invalid Signature Error

This error occurs when the certificate validation fails.

• Ensure the certificate is in PEM format (Base64 encoded).
• Verify that the certificate has not expired.
• Check if the certificate has been rotated in Azure AD and update it in Capawesome Cloud if necessary.

User Not Assigned Error

If a user receives an error stating they are not assigned to the application:

• Verify that the user is assigned to the enterprise application in Azure AD.
• Check group memberships if using group-based assignment.

Missing or Incorrect User Attributes

If user information is not being correctly transferred:

• Verify the attribute mappings in the Attributes & Claims section in Azure AD.
• Ensure the user has the required attributes (email, name) populated in their Azure AD profile.