Azure AD SSO

About this document

This document describes the step-by-step procedure to configure Single Sign-On (SSO) for SAFE via Azure AD.


Single Sign-On (SSO) lets organizations use a SAML 2.0 authentication provider to authenticate logins to SAFE. SAFE Admins can onboard and manage users directly from their Azure AD SSO platform, eliminating the need to maintain a separate user authentication mechanism for SAFE.

Configure SSO on Azure AD

To configure:

  1. Go to your Microsoft Azure AD Account.
  2. Create an "Enterprise Application" in Azure Active Directory as follows:
    1. Click "Enterprise Application" in the left menu. The system opens the Enterprise Application page.
    2. Click the "New application" button.
    3. Click the "Create your own application" button.
    4. Assign a name to your application. Your application will be created.
      Make sure that your Enterprise Application is not restricted by any access policies, as this will cause SSO to fail.
    5. Select the created application from the list.
  3. Add Users/Groups to your app in Azure AD as follows:
    1. Click the "Assign Users and Groups" button.
    2. Click the "Add user/group" button.
    3. Search and select the users.

    4. Once all the users are selected, click the "Assign" button.

  4. Now, set up the Single Sign-On (SSO) as follows:
    1. Click the "Set up single sign-on" button.

    2. Select SAML as the single sign-on method. The system opens a SAML configuration page. On this page:
      1. Enter the Identifier (Entity ID) for your region - details here.
      2. Enter the Reply URL (Assertion Consumer Service URL) for your region - details here.
  5. To configure attribute mapping, click "Edit" in the "User Attributes & Claims" section.
  6. Add the attribute claims to synchronize these with the SAFE users as per the below screenshot.
  7. Download the SAML metadata file (Federation Metadata XML).
  8. Share the Metadata file with the Safe Security team along with the domain/domains you wish to enable for SSO (e.g.
SAFE will use the email address for the purpose of SSO, usually mapped to the SAML attribute
