Here is a step-by-step guide on how to set up Sana as a SAML 2.0 application in Microsoft Entra.
SSO Configuration with Microsoft Entra
To configure SSO, you need one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal (read more here).
Starting from Entra's 'Default Directory | Overview', add a new Enterprise application.
To do this you can either:
This will take you to the Microsoft Entra Gallery. From here, click the '+ Create your own application' button.
Give your app a name, and select "Integrate any other application you don't find in the gallery (Non-gallery)". Then click the Create button.
After creating your application, you will be taken to your app's Overview page.
To set up Single sign-on, you can either:
On the 'Select a single sign-on method' page, select SAML.
In the 'Basic SAML Configuration' step, click 'Edit', then enter the following info and hit 'Save'.
⚠️ IMPORTANT: Replace DOMAIN with your actual domain at Sana.
Identifier (Entity ID): https://DOMAIN.sana.ai/x-realtime/auth/saml/metadata
Reply URL (Assertion Consumer Service URL): https://DOMAIN.sana.ai/x-realtime/auth/saml/acs
In the Attributes & Claims step, make sure that "email", "firstName" and "lastName" are configured as attributes.
⚠️ Ensure that the format matches the one shown below, otherwise the accounts will not be created through the SAML request.
⚠️ Ensure that the namespace for each attribute is blank.
If, by default, the items in 'Attributes & Claims' do not match what is on the screenshot above, see the section on Updating Attributes & Claims.
Back in the 'Set up single sign-on with SAML' page, in the 'SAML Signing Certificate' section, select Download to download the Certificate (Base64) from the specified options. You will need to provide this in a later step.
On the 'Set up' step, copy the values from the Login URL and Microsoft Entra Identifier fields. You will need these in the next step.
Provide your Sana Integrations Specialist / Engagement Manager with all the information here:
Login URL
Microsoft Entra Identifier
Certificate (Base64)
We will then set your Sana app with this configuration. Once this is done, you can test the setup using the Test single sign-on through your Identity Provider:
Updating Attributes & Claims
Under 'Attributes & Claims', click 'Edit' and modify them as follows:
Under 'Additional claims', select one of the rows under 'Claim name'.
Replace the values in 'Name' with "email", "firstName" and "lastName".
Match them with the correct 'Source attribute' as follows:
Name: "email" with Source attribute: user.mail
Name: "firstName" with Source attribute: user.givenname
Name: "lastName" with Source attribute: user.surname
For each, ensure that there is nothing entered in 'Namespace'.
Attributes & Claims should now look as follows:
Troubleshooting Common Issues
1. No attribute value for email, firstName, or lastName
This means that the SSO configuration is not set up correctly. Either the attribute name is not in the expected format (for example, email sent as Email) or the attribute has a namespace. Kindly double-check Step 4 above.
Our standard attribute names are:
email
firstName
lastName
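To diagnose issue 1 against a SAML response captured during a test sign-in, the attribute names in the assertion can be checked directly. This is an added example, not code from Sana or Microsoft: the function name `check_attributes` and both sample assertions are constructed for illustration, and it inspects attribute names and values only, without verifying the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")

def check_attributes(assertion_xml):
    """Return a list of problems; an empty list means all three names match."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        found[attr.get("Name", "")] = values
    problems = []
    for want in REQUIRED:
        if want in found:
            if not any(found[want]):
                problems.append(f"{want}: present but has no value")
            continue
        # Look for a near miss: same claim sent under a namespace or wrong case.
        near = [n for n in found if n.rsplit("/", 1)[-1].lower() == want.lower()]
        if not near:
            problems.append(f"{want}: missing")
        elif "/" in near[0]:
            problems.append(f"{want}: namespace not blank ({near[0]})")
        else:
            problems.append(f"{want}: wrong case ({near[0]})")
    return problems

def _assertion(attrs):
    # Build a constructed, unsigned assertion fragment for the demo.
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        f'</saml:AttributeValue></saml:Attribute>' for n, v in attrs)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f'<saml:AttributeStatement>{body}</saml:AttributeStatement>'
            f'</saml:Assertion>')

# Constructed samples: BAD shows the three failure modes, GOOD the expected shape.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
BAD = _assertion([("Email", "ada@example.com"),
                  (f"{CLAIMS}/firstName", "Ada"),
                  ("lastName", "")])
GOOD = _assertion([("email", "ada@example.com"),
                   ("firstName", "Ada"), ("lastName", "Lovelace")])

if __name__ == "__main__":
    for label, xml in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check_attributes(xml) or "ok")
```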
2. User is not assigned to the application
This means that your company's IT team has not added you to your company's Microsoft Entra Sana application. To resolve this, you'll just need to ask your company's IT team to add you to the Sana application in Microsoft Entra.