# Microsoft Entra ID - SSO Setup

> Configure Single Sign-On (SSO) for Ally Security with Microsoft Entra ID (formerly Azure Active Directory) so users sign in with Microsoft credentials.

## Prerequisites

Before you begin, you'll need:

* Administrative access to your Microsoft Entra ID tenant (Azure portal)
* The SSO configuration details from Ally Security (we'll provide these after you request SSO setup)
* The email domain(s) that should be enabled for SSO

## Step 1: Create a New Enterprise Application in Microsoft Entra ID

1. Navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/) and sign in with your admin account.
2. In the left navigation menu, expand **Identity** and select **Applications** > **Enterprise applications**.
3. Select **+ New application** at the top of the page.
4. Select **+ Create your own application**.
5. Enter a name for the application (e.g., "Ally Security") and select **Integrate any other application you don't find in the gallery (Non-gallery)**.
6. Select **Create** to create the application.

## Step 2: Configure SAML-Based Single Sign-On

1. After the application is created, you'll be redirected to the application overview page.

2. In the left navigation menu, select **Single sign-on**.

3. Select **SAML** as the single sign-on method.

4. In the **Basic SAML Configuration** section, select **Edit**.

5. Configure the following settings using the information provided by Ally Security:

   **Identifier (Entity ID)**

   * Enter the Entity ID provided by Ally Security

   **Reply URL (Assertion Consumer Service URL)**

   * Enter the ACS URL provided by Ally Security

6. Select **Save** to save the configuration.

## Step 3: Configure Attribute Mappings

Ally Security requires specific attributes in the SAML response. Configure the following attribute claims:

1. In the **Attributes & Claims** section, select **Edit**.

2. You may need to modify the existing claims or add new ones. Configure the following:

   **Email address (required)**

   * Select **Add new claim** or edit the existing email claim
   * **Name**: `mail`
   * **Source attribute**: Select `user.mail` from the dropdown

   **First name (optional)**

   * Select **Add new claim**
   * **Name**: `firstName`
   * **Source attribute**: Select `user.givenname` from the dropdown

   **Last name (optional)**

   * Select **Add new claim**
   * **Name**: `lastName`
   * **Source attribute**: Select `user.surname` from the dropdown

3. Select **Save** after configuring each claim.

<Note>
  Ensure that the attribute names (`mail`, `firstName`, `lastName`) are entered exactly as shown, as they are case-sensitive.
</Note>
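As an added check that is not part of the Ally Security docs, the script below parses the `AttributeStatement` of a SAML assertion (for example one captured with a browser SAML tracer during a test login) and reports a missing `mail` claim, an empty `mail` value, or a claim whose name differs from the expected one only in case; the assertion it runs against is a constructed sample.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = {"mail"}                 # Ally Security requires this one
OPTIONAL_CLAIMS = {"firstName", "lastName"}

# Constructed sample of the AttributeStatement inside a SAML assertion;
# 'firstname' is deliberately mis-cased to show what the check reports.
SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="mail">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="firstname">
    <saml:AttributeValue>Alice</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="lastName">
    <saml:AttributeValue>Smith</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def parse_claims(xml_text):
    """Return {attribute Name: [values]} from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {
        attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        for attr in root.findall("saml:Attribute", SAML_NS)
    }

def check_claims(claims):
    """Return a list of problems; an empty list means the mapping matches."""
    expected = REQUIRED_CLAIMS | OPTIONAL_CLAIMS
    by_lower = {name.lower(): name for name in expected}
    problems = []
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append(f"missing required claim '{name}'")
        elif not any(v.strip() for v in claims[name]):
            problems.append(f"required claim '{name}' is empty (is user.mail populated?)")
    # Names are compared case-sensitively; flag near-misses such as 'firstname'.
    for name in claims:
        if name not in expected and name.lower() in by_lower:
            problems.append(f"claim '{name}' has wrong case; expected '{by_lower[name.lower()]}'")
    return problems

if __name__ == "__main__":
    for line in check_claims(parse_claims(SAMPLE_ATTRIBUTE_STATEMENT)) or ["claims OK"]:
        print(line)
```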

## Step 4: Assign Users or Groups

Before users can sign in using SSO, you need to assign them to the enterprise application:

1. In the left navigation menu, select **Users and groups**.
2. Select **+ Add user/group** at the top.
3. Under **Users**, select **None Selected** and search for the users or groups you want to assign.
4. Select the users or groups, then select **Select**.
5. Select **Assign** to complete the assignment.

<Tip>
  Assigning a group is recommended for easier management. All members of the assigned group will be able to sign in via SSO.
</Tip>

## Step 5: Download or Copy the Federation Metadata

After completing the SAML configuration, you'll need to provide Ally Security with your federation metadata:

1. Navigate back to the **Single sign-on** page for your application.
2. In the **SAML Certificates** section, locate **App Federation Metadata Url**.
3. Copy this URL to share with Ally Security.

Alternatively, you can download the Federation Metadata XML file:

1. In the same **SAML Certificates** section, select **Download** next to **Federation Metadata XML**.
2. Share this file with your Ally Security contact.
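Before sharing the metadata it is worth confirming what it contains. The following added script (not from Ally Security or Microsoft) summarises a Federation Metadata XML file: the `entityID`, the `SingleSignOnService` endpoints per binding, and a SHA-256 fingerprint of each signing certificate, so you have a record of which certificate you handed over and can notice when Entra ID rotates it; the metadata it parses is a constructed sample with an all-zero tenant ID and placeholder certificate bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: all-zero tenant ID and placeholder bytes instead of a real DER cert.
PLACEHOLDER_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_METADATA = f"""\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(PLACEHOLDER_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def cert_fingerprint(b64_der):
    """SHA-256 fingerprint (colon-separated hex) of a base64-encoded DER certificate."""
    der = base64.b64decode("".join(b64_der.split()))  # drop line breaks and indentation
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def summarise_metadata(xml_text):
    """Return the entityID, SSO endpoints by binding and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found: this is not IdP metadata")
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    certs = [cert_fingerprint(c.text)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entityID": root.get("entityID"), "sso": sso, "signing_certs": certs}

if __name__ == "__main__":
    print(summarise_metadata(SAMPLE_METADATA))
```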

## What to Provide to Ally Security

To complete the SSO setup, please provide the following information:

1. **Federation Metadata URL** or **Federation Metadata XML file**: From the SAML Certificates section (as described in Step 5)
2. **Email domain**: The email domain(s) that should be enabled for SSO (e.g., `@yourcompany.com`)
3. **Test user email** (optional): An email address of a test user that can be used to verify the SSO configuration

## After Setup Is Complete

Once Ally Security has configured SSO on our end:

* All users with email addresses ending in your configured domain will be redirected to Microsoft Entra ID for authentication
* Users will sign in using their Microsoft credentials
* Existing users with matching email domains will need to use SSO to sign in

<Warning>
  If there are existing users with email domains that match the SSO configuration, they will be required to use SSO to sign in once it's enabled. Make sure to communicate this change to your team members.
</Warning>

## Troubleshooting

If you encounter issues during setup:

* **Verify attribute mappings**: Ensure that the attribute names (`mail`, `firstName`, `lastName`) match exactly as specified and are mapped to the correct source attributes
* **Check user assignments**: Confirm that users or groups have been assigned to the enterprise application
* **Verify domain configuration**: Ensure the email domain matches what was provided to Ally Security
* **Check SAML configuration**: Verify that the Entity ID and Reply URL match exactly what was provided by Ally Security
* **Review sign-in logs**: In Microsoft Entra ID, navigate to **Identity** > **Monitoring & health** > **Sign-in logs** to review any authentication errors
* **Contact support**: Reach out to Ally Security support if you need assistance with the configuration
