
Setting up SSO with Microsoft Entra

Step-by-step guide on how to set up SSO in your Microsoft Entra IdP.

Written by Max Agha
Updated over 2 weeks ago

Here is a step-by-step guide on how to set up Sana as a SAML 2.0 application in Microsoft Entra.

SSO Configuration with Microsoft Entra

To configure SSO, you need one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal (read more here).

  1. Starting from Entra's 'Default Directory | Overview', add a new Enterprise application.

    To do this you can either:

    1. Click on the '+ Add' button in the main Overview window

    2. or from the left navigation menu, select Manage > Enterprise applications, then click on the '+ New application' button

  2. This will take you to the Microsoft Entra Gallery. From here, click the '+ Create your own application' button.


    Give your app a name, and select "Integrate any other application you don't find in the gallery (Non-gallery)". Then click the Create button.

  3. After creating your application, you will be taken to your app's Overview page.

    To set up Single sign-on, you can either:

    1. click on 'Set up single sign on' in the main window,

    2. or from the left navigation menu, select Manage > Single Sign-on

  4. On the Select a single sign-on method page, select SAML

  5. In the 'Basic SAML Configuration' step, click 'Edit', then enter the following info and hit 'Save'.

    ⚠️IMPORTANT: Replace DOMAIN with your actual domain at Sana

  6. In the Attributes & Claims step, make sure that "email", "firstName" and "lastName" are configured as attributes.

    ⚠️ Ensure that the format matches the one shown below; otherwise the accounts will not be created through the SAML request.

    ⚠️ Ensure that the namespace for each attribute is blank.

    If, by default, the items in 'Attributes & Claims' do not match what is on the screenshot above, see the section on Updating Attributes & Claims

  7. Back in the 'Set up single sign-on with SAML' page, in the 'SAML Signing Certificate' section, select Download to download the Certificate (Base64) from the specified options. You will need to provide this in a later step.

  8. On the 'Set up' step, copy the values from the Login URL and Microsoft Entra Identifier fields. You will need these in the next step.

  9. Provide your Sana Integrations Specialist / Engagement Manager with all the information here:

    • Login URL

    • Microsoft Entra Identifier

    • Certificate (Base64)

  10. We will then set your Sana app with this configuration. Once this is done, you can test the setup using the 'Test single sign-on' option in your Identity Provider.

Updating Attributes & Claims


Under 'Attributes & Claims', click 'Edit' and modify them as follows:

  1. under 'Additional claims', select one of the rows under 'Claim name'

  2. replace the values in 'Name' with "email", "firstName" and "lastName"
    and match them with the correct 'Source attribute' as follows:

    • Name: "email" with Source attribute: user.mail

    • Name: "firstName" with Source attribute: user.givenname

    • Name: "lastName" with Source attribute: user.surname

  3. for each, ensure that there is nothing entered in 'Namespace'

  4. Attributes & Claims should now look as follows:



Troubleshooting Common Issues

1. No attribute value for email, firstName, or lastName

This means that the SSO configuration is not set up correctly. Either the attribute name is not in the same format (for example, "Email" instead of "email"), or there is a namespace on the attribute. Kindly double-check Step 4 above.

Our standard attribute names are:

  • email

  • firstName

  • lastName
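
To see which of these causes applies, you can inspect the attribute names that Entra actually sends. The following is an added example, not Sana's or Microsoft's code: it assumes you have captured the SAML response from a test sign-in and base64-decoded it to XML, the function name check_claims and the sample assertion are constructed for illustration, and it checks attribute names only (it does not validate the signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")  # names from this guide, case-sensitive

def check_claims(saml_xml):
    """Map each required attribute to 'ok' or a description of the problem."""
    root = ET.fromstring(saml_xml)
    seen = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        seen[attr.get("Name", "")] = values
    report = {}
    for want in REQUIRED:
        if want in seen:
            report[want] = "ok" if seen[want] else "empty value"
            continue
        # Near miss: same name ignoring case, possibly behind a namespace prefix.
        near = [n for n in seen if n.rsplit("/", 1)[-1].lower() == want.lower()]
        if not near:
            report[want] = "missing"
        elif "/" in near[0]:
            report[want] = "namespace not blank: " + near[0]
        else:
            report[want] = "wrong case: " + near[0]
    return report

# Constructed sample assertion (not captured from a real tenant).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName">
      <saml:AttributeValue>Lovelace</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for name, status in check_claims(SAMPLE).items():
        print(f"{name}: {status}")
```

A "missing" result with no near match usually means the claim still carries a different name entirely, so compare the names in the response against the three listed above.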

2. User is not assigned to the application

This means that your company's IT team has not added you to your company's Microsoft Entra Sana application. To resolve this, you'll just need to ask your company's IT team to add you to the Sana application in Microsoft Entra.
