Configuring SAML SSO with Microsoft Entra ID
Overview
This article describes the single sign-on (SSO) integration process between the Syniti Knowledge Platform (SKP) and Microsoft Entra ID (formerly Azure Active Directory). When you integrate the SKP with Microsoft Entra ID, you can manage and control your organization’s user accounts and their access to the SKP in Microsoft Entra ID.
Prerequisites
You must be an SKP Administrator for a tenant that uses the SKP-initiated sign-on page to configure the SAML settings in the SKP.
Note
This SKP Administrator account must be the initial administrator account that uses a trusted domain sent to you during the provisioning process by Syniti’s Customer Success team.
If you require additional domains to be added and activated in your tenant for using the SKP-initiated sign-on page, you must submit a request to Syniti Support.
Your organization’s active directory and a Microsoft Entra ID subscription.
A Cloud Application or Application Administrator account in your organization’s active directory.
Add a New Application for the SKP
Sign in to portal.azure.com as an Application or Cloud Application Administrator.
Browse to Microsoft Entra ID and open your organization’s active directory.
Click Manage > Enterprise Applications > New Application.
On the Browse Microsoft Entra Gallery page, enter Entra SAML Toolkit in the search box and select Microsoft Entra SAML Toolkit from the results panel.
Enter a unique name for the new SKP application and click Create. Wait a few seconds while the new application is added to your tenant in the active directory.
Configure Microsoft Entra ID with the SKP
In Microsoft Entra ID, access your SKP application and select Single sign-on either on the left-side panel or in the Getting Started section.
Select SAML as your single sign-on method.
On the Set up Single Sign-On with SAML page, click Edit in the Basic SAML Configuration section.
Enter the Entity ID, Assertion Consumer Service URL, and Sign on URL in their corresponding fields, using the values for your tenant region shown in the table below.
Note
The Sign on URL field is not required as you’ll be performing your organization’s Microsoft Entra ID initiated single sign-on. Enter a dummy URL in this field.
| SKP Tenant Region | Entity ID | Assertion Consumer Service URL |
|---|---|---|
| Americas | syniti.com | https://api.syniti.com/oauth/signin/callback |
| Australia | syniti.au | https://api.syniti.au/oauth/signin/callback |
| EMEA | syniti.eu | https://api.syniti.eu/oauth/signin/callback |
| Canada | syniti.ca | https://api.syniti.ca/oauth/signin/callback |
Click Save and access the SAML Certificates section.
Copy your Microsoft Entra ID’s metadata URL as displayed in the below screenshot. This metadata URL is required to configure SSO in the SKP.
Log in to the SKP through the SKP-initiated sign-on page using the Syniti-provisioned administrator account.
Click Admin > Single Sign-On > Configure SSO.
Select SAML to configure the SAML 2.0 SSO protocol in the SKP.
In the SSO Configuration Name field, enter a unique name for your organization.
In the Metadata URL field, enter the copied metadata URL from your organization’s Microsoft Entra ID.
In the User Metadata Attributes section, enter the URLs for the Name, Email, and Identifier attributes (an example of these URLs is given in the below table). These attributes can be extracted from the metadata URL that you have copied.
| Field Name in the SKP | SAML Attribute URL in the Metadata | Description |
|---|---|---|
| Name | http://schemas.microsoft.com/identity/claims/displayname | Display name of the user. |
| Email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Email address of the user. |
| Identifier | http://schemas.microsoft.com/identity/claims/objectidentifier | Primary identifier for the user in the directory. Immutable and globally unique. |
Select Save to save your configuration in the SKP. Saving the SSO details does not activate the SSO configuration.
Turn on the Active toggle button to activate the SSO configuration for your tenant.
Your SSO configuration is now complete, and the SKP is integrated with your organization’s Microsoft Entra ID.
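The User Metadata Attributes step states that the attribute URLs can be extracted from the copied metadata URL. The following Python sketch is an added example, not Syniti or Microsoft code: it parses a saved copy of that metadata, refuses DTDs, requires an HTTPS sign-on endpoint, and reports which of the three SKP attribute URLs are not listed. The sample XML is constructed, and the code assumes the metadata lists its claims as auth:ClaimType elements with a Uri attribute.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
AUTH = "{http://docs.oasis-open.org/wsfed/authorization/200706}"

# Attribute URLs from the User Metadata Attributes table on this page.
SKP_ATTRIBUTES = {
    "Name": "http://schemas.microsoft.com/identity/claims/displayname",
    "Email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "Identifier": "http://schemas.microsoft.com/identity/claims/objectidentifier",
}

# Constructed sample, trimmed to the elements read below; not real tenant metadata.
SAMPLE_METADATA = b"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/displayname"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"/>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_metadata(xml_bytes, required=SKP_ATTRIBUTES):
    """Return the IdP entity ID, SSO endpoints and any SKP attributes not offered."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        # Metadata never needs a DTD; refusing one avoids entity-expansion tricks.
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(xml_bytes)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    offered = {c.get("Uri") for c in root.iter(AUTH + "ClaimType")}
    sso = [s.get("Location") for s in root.iter(MD + "SingleSignOnService")]
    if not sso or any(not (loc or "").startswith("https://") for loc in sso):
        raise ValueError("IdP SSO endpoint missing or not HTTPS")
    missing = {f: u for f, u in required.items() if u not in offered}
    return {"entity_id": root.get("entityID"), "sso": sso, "missing": missing}


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA)["missing"])
```

To check real metadata, save the document behind the copied metadata URL to a file and pass its bytes to check_metadata.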
Verify Your SSO Configuration
Create a Test User
You'll create a temporary test user called Test User.
Access your organization’s Microsoft Entra ID admin center with a user administration role.
Click Manage > Users.
Select New User > Create new user, and follow these steps:
In the Display Name field, enter Test User.
In the User Principal Name field, enter a value in the username@companydomain.extension format. For example, TestUser@example.com.
Select the Show Password check box, and then note down the value that's displayed in the Password box.
Select Review + create.
Select Create.
Assign the Test User
You’ll assign the Test User to the newly created SKP application in Microsoft Entra ID.
Access your organization’s Microsoft Entra ID admin center as an Application or Cloud Application Administrator.
Click Manage > Enterprise Applications and select the newly created SKP application.
On the application's overview page, select Users and Groups > Add User/Group.
In the Add Assignment dialog box, follow these steps:
Select Users.
In the Users dialog box, select Test User from the Users list, and then click Select.
If you are expecting a role to be assigned to the users, you can select it from the Select a Role list. If no role has been set up for this application, you’ll see the Default Access role.
In the Add Assignment dialog box, click the Assign button.
Test the SSO Configuration
You don’t need to create a user account for the Test User in the SKP, as your organization’s Microsoft Entra ID controls and manages the access required for your users in the SKP. The SKP validates the email address used for signing in against its database and lets you sign in to the SKP. If the entered email address is new, a new user with the default viewer role is created in the SKP.
Open an incognito or private window in your browser.
Log in to the SKP using the email address of the Test User and click Next.
The Login page redirects you to your Microsoft Entra ID initiated login page.
Enter the credentials of the Test User and sign in.
The Test User with the Default Viewer role is successfully logged into the SKP using the credentials from your organization’s Microsoft Entra ID.
Refer to the Troubleshoot Your SAML SSO Configuration section for more information on troubleshooting issues while performing the SAML SSO configuration.
Next Steps: Invite Existing Users or Add New Users
Now that you have configured and verified your SAML SSO configuration, you can proceed with inviting or adding the required users with appropriate roles in your organization’s Microsoft Entra ID.
Refer to the Assign the Test User section for more information on inviting or adding the required users to the newly created application for the SKP.