---
description: Step-by-step guide to set up SAML Single Sign-On with Microsoft Entra ID for Capawesome Cloud. Integrate Azure AD with your mobile organization.
title: Configure SAML SSO with Azure AD (Microsoft Entra ID) - Capawesome
image: https://capawesome.io/docs/assets/images/social/cloud/organizations/sso/azure-saml.png
---


# How to configure SAML SSO with Azure

This guide walks you through configuring SAML-based Single Sign-On (SSO) with Azure AD (Microsoft Entra ID) as your Identity Provider (IdP) for your Capawesome Cloud organization. In this setup, Azure AD acts as the IdP and Capawesome Cloud acts as the Service Provider (SP).

## Prerequisites

Before you begin, ensure you have:

* Administrator access to your organization's [Microsoft Entra admin center](https://entra.microsoft.com)
* Owner or Admin role in your Capawesome Cloud organization

## Step 1: Create an Application in your Identity Provider

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
2. Navigate to **Entra ID** \> **Enterprise apps** \> **All applications**.
3. Click **New application**.
4. Click **Create your own application**.
5. Enter a name for the application (e.g., `Capawesome Cloud`).
6. Select **Integrate any other application you don't find in the gallery (Non-gallery)**.
7. Click **Create**.

## Step 2: Configure your Application

1. In your newly created application, navigate to **Manage** \> **Single sign-on**.
2. Select **SAML** as the single sign-on method.

The **Basic SAML Configuration** dialog will appear.

1. Click **Edit** on the **Basic SAML Configuration** section.
2. Open a new browser tab, navigate to your [organization's settings](https://console.cloud.capawesome.io/organizations/%5F/settings) in the Capawesome Cloud Console, scroll to the **Single Sign-On (SSO)** section, and click **Configure** to view the required URLs.
3. In Capawesome Cloud, copy the **SP Entity ID** and paste it into the **Identifier (Entity ID)** field in Azure.
4. Copy the **Callback URL** from Capawesome Cloud and paste it into the **Reply URL (Assertion Consumer Service URL)** field in Azure.
5. Leave **Sign on URL**, **Relay State** and **Logout URL** empty.
6. Click **Save**.

## Step 3: Configure Attributes and Claims

Azure AD sends user information to Capawesome Cloud through SAML attributes. The default configuration should work for most cases, but verify the following claims are present:

1. Click **Edit** on the **Attributes & Claims** section.
2. Ensure these claims are configured:

| Claim                            | Value            |
| -------------------------------- | ---------------- |
| Unique User Identifier (Name ID) | user.mail        |
| emailaddress                     | user.mail        |
| givenname                        | user.givenname   |
| surname                          | user.surname     |
| name                             | user.displayname |

The **Unique User Identifier (Name ID)** must be set to `user.mail` to properly identify users by their email address.

## Step 4: Complete Configuration in Capawesome Cloud

1. Return to your [organization's SSO settings](https://console.cloud.capawesome.io/organizations/%5F/settings) in the Capawesome Cloud Console.
2. Enter the **Microsoft Entra Identifier** from Azure AD into the **Issuer** field.
3. Enter the **Login URL** from Azure AD into the **Entry Point** field.
4. Download the **Certificate (Base64)** file from Azure AD, open it in a text editor, and enter the entire certificate content (including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines) into the **Public Certificate** field.
5. Enter your domain (e.g., `yourcompany.com`) into the **Domain** field.
6. Click **Configure** to save the SSO configuration.

The certificate should be in PEM format:

```
-----BEGIN CERTIFICATE-----
MIIDp...certificate content...
-----END CERTIFICATE-----
```

## Step 5: Verify Domain Ownership

After configuring SSO, you must verify ownership of your domain before members can sign in via SSO.

1. After submitting the configuration, click **Verify domain** in the success notification or in the SSO settings section.
2. Add the displayed **TXT** record to your domain's DNS configuration. Most DNS providers auto-append your domain to the host field, so you only need to enter the subdomain identifier shown in the **Host** field.
3. Wait for DNS propagation (this can take up to 48 hours, but is typically much faster). You can check propagation status using `dig TXT <host>.<yourdomain.com>`.
4. Click **Verify** to confirm domain ownership.

Once verified, organization members can authenticate through Azure AD to access organization resources.

## Troubleshooting

### AADSTS50011: Reply URL does not match

This error occurs when the Reply URL configured in Azure AD does not match the Assertion Consumer Service URL in Capawesome Cloud.

* Verify that the Reply URL in Azure AD exactly matches the URL shown in your Capawesome Cloud SSO settings.
* Check for trailing slashes or protocol mismatches (http vs https).

### AADSTS700016: Application not found

This error indicates that the application identifier cannot be found in the Azure AD tenant.

* Verify that the Identifier (Entity ID) in Azure AD matches the Entity ID in Capawesome Cloud.
* Ensure the application is properly configured and saved.

### Invalid Signature Error

This error occurs when the certificate validation fails.

* Ensure the certificate is in PEM format (Base64 encoded).
* Verify that the certificate has not expired.
* Check if the certificate has been rotated in Azure AD and update it in Capawesome Cloud if necessary.

### User Not Assigned Error

If a user receives an error stating they are not assigned to the application:

* Verify that the user is assigned to the enterprise application in Azure AD.
* Check group memberships if using group-based assignment.

### Missing or Incorrect User Attributes

If user information is not being correctly transferred:

* Verify the attribute mappings in the **Attributes & Claims** section in Azure AD.
* Ensure the user has the required attributes (email, name) populated in their Azure AD profile.
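
The following is an added example, not part of the Capawesome documentation or code: a Python diagnostic that checks a decoded SAML response against the Issuer, SP Entity ID and Domain values from Steps 2 and 4 and the claims table from Step 3. The issuer, SP Entity ID and both sample responses are constructed placeholders; the claim URIs are the default Azure AD claim names.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Placeholders (assumptions): use the values shown in Azure AD and Capawesome Cloud.
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SP_ENTITY_ID = "https://sp.example.invalid/entity-id"
DOMAIN = "yourcompany.com"

def check_assertion(xml_text, issuer=ISSUER, sp_entity_id=SP_ENTITY_ID, domain=DOMAIN):
    """List configuration problems in a decoded SAML response; [] means consistent.
    Diagnostic only: the signature is NOT verified, so never use it to accept a login."""
    root = ET.fromstring(xml_text)
    a = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find("saml:Assertion", NS)
    if a is None:  # e.g. the IdP sent an EncryptedAssertion
        return ["no unencrypted Assertion element found"]
    problems = []
    if a.findtext("saml:Issuer", "", NS).strip() != issuer:
        problems.append("Issuer does not match the Microsoft Entra Identifier")
    audiences = [e.text.strip() for e in a.iterfind(".//saml:Audience", NS) if e.text]
    if sp_entity_id not in audiences:
        problems.append("SP Entity ID missing from Audience")
    name_id = a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not name_id.lower().endswith("@" + domain.lower()):
        problems.append("NameID is not an email address in the configured domain")
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", "", NS).strip()
             for at in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for short in ("emailaddress", "givenname", "surname", "name"):
        if not attrs.get(CLAIMS + short):
            problems.append("claim %s missing or empty" % short)
    email = attrs.get(CLAIMS + "emailaddress", "")
    if email and email.lower() != name_id.lower():
        problems.append("emailaddress claim differs from NameID")
    return problems

def sample_response(name_id, claims):
    """Constructed, unsigned response for the demo (not captured traffic)."""
    attrs = "".join('<Attribute Name="%s%s"><AttributeValue>%s</AttributeValue></Attribute>'
                    % (CLAIMS, k, v) for k, v in claims.items())
    return ('<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<Assertion xmlns="%s"><Issuer>%s</Issuer><Subject><NameID>%s</NameID></Subject>'
            '<Conditions><AudienceRestriction><Audience>%s</Audience></AudienceRestriction>'
            '</Conditions><AttributeStatement>%s</AttributeStatement></Assertion></Response>'
            % (NS["saml"], ISSUER, name_id, SP_ENTITY_ID, attrs))

NAMES = {"givenname": "Jane", "surname": "Doe", "name": "Jane Doe"}
GOOD = sample_response("jane@yourcompany.com", dict(NAMES, emailaddress="jane@yourcompany.com"))
# Name ID left on the UPN and an empty mail attribute, so no emailaddress claim is sent.
BAD = sample_response("jane@yourcompany.onmicrosoft.com", NAMES)
print(check_assertion(GOOD), check_assertion(BAD))
```

To run it against a real test login, Base64-decode the `SAMLResponse` form field posted to the Callback URL and pass the resulting XML to `check_assertion` with your own values.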

May 1, 2026 
