Entra, formerly Azure Active Directory, ranks among the more common identity providers (IdPs). It can appear complicated, but hopefully it feels a little bit easier with this guide.
1. Create an application in Entra
Entra needs to associate a SAML connection with an Application, so the first step is to create an application. From any page in Entra, you’ll find Applications > Enterprise Applications in the left navigation bar. Click it to navigate to the next page.
In the left sidebar, navigate to Applications > Enterprise Applications
You’ll reach a page that says Enterprise Applications in bold typeface. Press the New Application button right under this header.
Select 'New application'
On the next page, there’s a header: Browse Microsoft Entra Gallery. You’ll also see a few prominent cards with major cloud providers. Ignore all this; the SSO Setup configurations won’t use the gallery. Simply click Create your own application, which triggers a slideover from the right.
Select 'Create your own application'
Entra requires a display name for the application. You’ll want your product’s name to go here. Enter a name into "What's the name of your app?"
Note: As you type a display name for the application, Entra will try to find matching apps from the Entra Gallery and suggest them as alternatives. Just ignore this.
Assign a display name to the Entra application
Under the display name, Entra offers three radio button options. Select the last one, which reads Integrate any other application you don’t find in the gallery (Non-gallery).
Tell Entra to create a non-gallery application
Then hit Create in the lower left of the slideover, and you’re free to configure your Application.
Create the application
Entra may require a few seconds to create the Application. Once it has finished, you will land on a page detailing the application.
When you see this page, you have created your Entra Application
For now, skip assigning users to your Application, but an Entra admin will need to assign them before long.
Note: Users cannot sign in until assigned to your Application by an Entra admin.
2. Configure SAML Identifier (Entity ID)
Now it’s time to enter the details about the SSO Setup SAML Connection into the Entra Application.
1. Navigate to your application.
2. In the sidebar for the application, click "Single sign-on"
3. Click on "SAML"
4. Click on the "Edit" icon to the right of "Basic SAML Configuration"
5. Click "Add Identifier". An input now appears under the "Identifier (Entity ID)" section.
3. Configure Reply URL (Assertion Consumer Service URL)
Next is the Reply URL (Assertion Consumer Service URL) field. The SSO Setup calls this the Assertion Consumer Service (ACS) URL. It should look just like the SP Entity ID field, only it ends with /acs.
Paste the URL from SSO Setup into Entra. Under the “Reply URL (Assertion Consumer Service URL)” section, click “Add reply URL”. Paste the URL there. Keep all the other settings at their default values and then save.
4. Download Federation Metadata XML
1. Navigate to your application.
2. In the sidebar for your application, click “Single Sign-On”
3. Scroll down to the “SAML Certificates” section
4. Click on the “Download” link next to “Federation Metadata XML”
5. Your browser now downloads a file. Upload that file here:
You have now successfully imported your app’s Federation Metadata XML settings from Entra. The last remaining step is to assign users to your new application.
5. Assign Users to App
If you are familiar with Entra application user assignment, use the process you normally use.
Otherwise, the most straightforward process is to:
1. Click on “Users and groups” in the application sidebar.
2. Click on “Add user/group”.
3. Under “Users”, click on “None Selected”.
4. Check the checkbox next to each of the users you want to assign to the application. If you intend to test the application yourself, remember to include yourself.
5. Click “Select” at the bottom.
6. Click “Assign”.
Your application is now configured.
Once you have completed the steps in Entra and in the GovAI SSO setup page, you’ll see this message in the GovAI page:

