Setting up Microsoft Entra for SAML-based Single Sign-On (SSO)
Who is this article for?
Administrators responsible for managing organization security settings in Ideagen Hub.
Admin Console access is required.
You can set up Microsoft Entra as your corporate identity provider (IdP) in Ideagen Hub using SAML or OIDC. To use an external identity provider like Microsoft Entra, you will need to ensure the Hub user's authentication type is set to External.
This article outlines how to configure a new SAML app in Microsoft Entra and link it to Ideagen Hub.
1. Creating an SAML app
To create a SAML app in Microsoft Entra:
- Log in to the Entra portal.
- Navigate to Enterprise applications.
- Click New Application.
- Click Create your own application.
- Enter a name for your app.
- Select the Integrate any other application you don't find in the gallery option.
- Select SAML as the single sign-on method.
2. Configuring the SAML app
2.1. Identifier and Reply URL
To configure the Identifier and Reply URLs:
- Sign in to Ideagen Hub.
- Navigate to the Admin Console.
- Go to the Security Center.
- Select Authentication.
- Select External IDP Configuration.
- Click Add Identity Provider.
- Select SAML.
- Click Next.
- Note the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) that are displayed.
- Copy both values into the Entra app's Basic SAML Configuration (on its Single sign-on page), into the fields of the same names. The Reply URL is where Entra will POST assertions for Hub, so copy it exactly as shown.
2.2. Provider name
In Ideagen Hub, set the required Provider name. This is a friendly name that is displayed as the button label for your corporate ID on the Ideagen Hub login page.
2.3. Metadata document endpoint
To configure the metadata document endpoint URL:
- In the Entra portal, open the application and go to Single sign-on.
- Under SAML Certificates, copy the App Federation Metadata Url.
- Go back to Ideagen Hub.
- Scroll to the Metadata document source section.
- Paste the link in the Enter metadata document endpoint URL field.
- Click Apply Configuration.
This document carries the Entra issuer (Entity ID), its sign-on endpoints and the certificate Entra signs assertions with, which is what Hub uses to verify every SAML response, so paste the https URL exactly as copied from the portal.
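Before pasting the endpoint, it is worth checking what the document actually advertises. The Python below is an added example, not Ideagen's or Microsoft's code: it parses an IdP metadata document of the shape Entra publishes at the App Federation Metadata Url, reports the Entity ID, the number of signing certificates and the sign-on and sign-out bindings, and flags documents that would not work (no signing certificate, non-https endpoints, SP rather than IdP metadata). The embedded SAMPLE_METADATA is constructed for this example with a placeholder tenant GUID and certificate body; fetch_metadata() is how you would pull the real one.

```python
"""
Added example (not Ideagen's or Microsoft's code): parse and sanity-check an
IdP metadata document of the shape Microsoft Entra publishes at the App
Federation Metadata URL, before that URL is pasted into Ideagen Hub.

SAMPLE_METADATA is CONSTRUCTED for this example: the tenant GUID, the
certificate body and the endpoints are placeholders, not a real tenant.
"""
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder-base64...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fetch_metadata(url: str, timeout: float = 10.0) -> bytes:
    """Download the metadata document. Refuses plain http: the document carries
    the IdP signing certificate, so it must arrive over an authenticated channel
    (urllib verifies the TLS certificate chain by default)."""
    if not url.startswith("https://"):
        raise ValueError("metadata endpoint must be an https URL")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def summarize_metadata(xml_bytes: bytes) -> dict:
    """Return the facts Hub needs from the document plus a list of problems."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (e.g. Hub's own) carries an SPSSODescriptor instead.
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append((cert.text or "").strip())
    signing_certs = [c for c in signing_certs if c]

    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}

    problems = []
    if not signing_certs:
        problems.append("no signing certificate: Hub could not verify Entra's assertions")
    if POST not in sso and REDIRECT not in sso:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for location in list(sso.values()) + list(slo.values()):
        if not (location or "").startswith("https://"):
            problems.append(f"endpoint is not https: {location}")

    return {
        "entity_id": root.get("entityID"),
        "signing_cert_count": len(signing_certs),
        "sso_bindings": sorted(sso),
        "slo_bindings": sorted(slo),
        "problems": problems,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_metadata(SAMPLE_METADATA.encode("utf-8")), indent=2))
```

Against a real tenant, call summarize_metadata(fetch_metadata(url)) with the Url copied from the portal and confirm the entity ID is your tenant's and the problems list is empty. An Entra document lists HTTP-Redirect as its only SingleLogoutService binding, which is the incompatibility described in the single sign-out section of this article.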
4. Adding users/groups
By default, no users can log in through the Microsoft Entra enterprise application until they are explicitly assigned access (controlled by the application's Assignment required? property). Keep it that way: the assignment is what limits, on the Entra side, who can obtain an assertion for Hub at all.
To grant access:
- Go to the application in the Entra portal.
- Navigate to Manage, Users and groups.
- Click Add user/group.
- Select the relevant users/groups.
- Click Assign.
5. Configuring attribute mapping
5.1 Email attribute
Whether your organisation uses Email or Username as the login identifier, you need an email claim in Microsoft Entra and must map it to the email attribute in Ideagen Hub.
To configure the attribute:
- Go to the application in the Entra portal.
- Under Single sign-on, scroll to Attributes & Claims.
- Click Edit.
- Copy the name of the pre-configured or custom claim (see below).
- Go to Ideagen Hub.
- Scroll down to the Attribute mapping section.
- Paste the claim name in the SAML attribute field next to the email User pool attribute.
5.1.1. Pre-configured claim
By default, Microsoft Entra ID's enterprise application includes a pre-configured claim, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, that is mapped to user.mail.
If you wish to use this default claim, copy its claim name. This value is used later to map to the email user pool attribute in Ideagen Hub. Note that user.mail is empty for accounts without a mailbox, and Entra does not emit a claim whose source attribute is empty, so such users cannot sign in until the attribute is populated or a different source attribute is used.
5.1.2. Custom claim
You can also use any other custom claim that is mapped to an email value and is not included in the default claims provided by Microsoft Entra.
To create a new claim:
- Click Add new claim.
- Enter a Name for the claim.
- Select a Source attribute that returns the user's email address (e.g., user.mail).
- Click Save.
Once saved, the newly created claim is listed under Additional claims.
To use this custom claim, copy its claim name exactly as it appears in that list (if you set a Namespace, it is part of the name). This value is used later to map to the email user pool attribute in Ideagen Hub.
5.2. Username attribute
If your organisation uses Username as login identifier, you must map the email and preferred_username attributes in Ideagen Hub.
To configure the attribute:
- Go to the application in the Entra portal.
- Scroll to Attributes & Claims.
- Click Edit.
- Copy the pre-configured or custom claim.
- Go to Ideagen Hub.
- Scroll down to the Attribute mapping section.
- Paste the claim name in the SAML attribute field next to the preferred_username User pool attribute.
5.2.1. Pre-configured claim
By default, Microsoft Entra ID's enterprise application includes a pre-configured claim, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, that is mapped to user.userprincipalname. A UPN is unique within a tenant, so you can copy this default claim name to be mapped to the preferred_username attribute in Ideagen Hub. Bear in mind that a UPN can be changed by an administrator (for example on a name change); whichever value you map to preferred_username should be one that stays with the same person for the life of the account.
5.2.2. Custom claim
You can also use any other unique value that is not included in the default claims provided by Microsoft Entra as the preferred username.
For example, if your organisation uses Employee ID as a unique identifier, you can create a custom claim to map Microsoft Entra's Employee ID to the preferred_username user pool attribute in Ideagen Hub.
To create a new claim:
- Go to the application in the Entra portal.
- Scroll to Attributes & Claims.
- Click Edit.
- Click Add new claim.
- Enter a Name for the claim.
- Select a Source attribute that returns the user's unique identifier (e.g., user.employeeid).
- Click Save.
Once saved, the newly created claim is listed under Additional claims.
To use this custom claim, copy its claim name. This value is used later to map to the preferred_username user pool attribute in Ideagen Hub. The source attribute must be populated for every user who will sign in, since a claim with an empty source is not emitted.
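To make the mapping and its failure modes concrete, here is an added Python example (not Ideagen Hub's or Microsoft's code) that pulls the attributes out of a SAML assertion and applies a mapping table of the kind entered in Hub's Attribute mapping section, for both the Email and the Username login identifier. The assertion is constructed; the two long claim names are Entra's default claims for user.mail and user.userprincipalname, and "employeeid" is a hypothetical custom claim of the kind created above.

```python
"""
Added example (not Ideagen Hub's or Microsoft's code): apply the Attribute
mapping described in section 5 to the AttributeStatement of a SAML assertion
and reject assertions that do not carry a usable login identifier.

SAMPLE_ASSERTION is CONSTRUCTED for this example. The two long claim names
are Microsoft Entra's default claims for user.mail and user.userprincipalname;
"employeeid" is a hypothetical custom claim like the one section 5.2.2 creates.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # user.mail
CLAIM_UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"  # user.userprincipalname
CLAIM_EMPLOYEE_ID = "employeeid"  # hypothetical custom claim sourced from user.employeeid

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeid">
      <saml:AttributeValue>E-10042</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_attributes(assertion_xml: str) -> dict:
    """Collect every Attribute Name -> list of values from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict = {}
    for attribute in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attribute.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attribute.get("Name"), []).extend(values)
    return attrs


def map_user_pool_attributes(attrs: dict, mapping: dict, login_identifier: str) -> dict:
    """
    mapping: user pool attribute -> SAML attribute (claim) name, i.e. the rows
    entered in Hub's Attribute mapping table.
    login_identifier: "Email" or "Username", the organisation's login identifier.
    """
    if login_identifier == "Email":
        required = ["email"]
    elif login_identifier == "Username":
        required = ["email", "preferred_username"]  # both must be mapped (section 5.2)
    else:
        raise ValueError(f"unknown login identifier {login_identifier!r}")

    missing = [p for p in required if p not in mapping]
    if missing:
        raise ValueError(f"attribute mapping lacks user pool attribute(s): {missing}")

    result = {}
    for pool_attr in required:
        claim = mapping[pool_attr]
        values = attrs.get(claim, [])
        # Exactly one non-empty value: Entra omits a claim whose source attribute
        # is empty, and a multi-valued claim would make the identifier ambiguous.
        if len(values) != 1 or not values[0]:
            raise ValueError(
                f"claim {claim!r} mapped to {pool_attr} must carry exactly one "
                f"non-empty value, got {values}"
            )
        result[pool_attr] = values[0]

    if not EMAIL_RE.match(result["email"]):
        raise ValueError(f"email claim does not look like an address: {result['email']!r}")
    return result


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_ASSERTION)
    print(map_user_pool_attributes(found, {"email": CLAIM_EMAIL}, "Email"))
    print(map_user_pool_attributes(
        found, {"email": CLAIM_EMAIL, "preferred_username": CLAIM_EMPLOYEE_ID}, "Username"))
```

The mapping dictionary is the part to compare against the Hub UI: its keys are the User pool attribute column, its values the SAML attribute column, and a typo in a claim name shows up here as "must carry exactly one non-empty value, got []", which is the same symptom a user would see as a failed sign-in.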
6. Signing SAML requests
When Ideagen Hub signs the SAML authentication requests it sends to Entra, Entra can verify that each request carries the expected signature, that is, that it came from Hub and was not altered in transit. This is separate from Entra signing the assertions it returns, which is always on. You will need to configure this in both Ideagen Hub and Microsoft Entra.
6.1. Ideagen Hub
To enable this in Ideagen Hub:
- Access the SAML Configuration.
- Tick Sign SAML requests to this provider.
The signing certificate (the public half of the key Hub signs with) can then be downloaded from the top section of the SAML Configuration page.
6.2. Microsoft Entra
To enable this in Microsoft Entra:
- Go to the Entra portal.
- Open the application.
- Navigate to Single sign-on.
- Under SAML Certificates, scroll to Verification certificates (optional).
- Click Edit.
- Tick Require verification certificates.
- Upload the signing certificate downloaded from Ideagen Hub's SAML Configuration.
- Click Save.
Once this is required, Entra rejects requests that are unsigned or signed with any other key, so upload the new certificate whenever Hub's signing certificate is renewed, before the old one expires.
7. Single Sign-Out error
Although Ideagen Hub's external IdP configuration allows single sign-out to be enabled, this feature does not work when the identity provider (IdP) is Microsoft Entra ID, so leave it disabled for Entra.
This is because Ideagen Hub's authentication provider, AWS Cognito, only sends single sign-out (SAML LogoutRequest) messages with the HTTP-POST binding, whereas Entra ID's SAML sign-out endpoint only accepts the HTTP-Redirect binding (GET), so the two services are incompatible. The practical consequence is that signing out of Hub ends the Hub session only; the user's Entra session remains until they sign out of Entra or it expires.