Configuring Microsoft Entra ID SAML

Before configuring Ubersmith's SAML authentication module to use Microsoft Entra ID, you will need to be able to access your instance over HTTPS. This is required because the identity provider (IdP, in this case Microsoft) requires the login URL to use HTTPS.

Microsoft Entra ID (formerly Microsoft Azure AD) Configuration

This documentation assumes the following prerequisites have been met:

- A Microsoft Azure account with appropriate privileges to create SAML applications
- An Ubersmith administrator account with appropriate privileges to edit User Authentication settings

Create "Enterprise Application"

1. On the left menu, click Entra ID.
2. Click Enterprise Application.
3. Click + New application.
4. Select + Create your own application.
5. Name your application (for example, "Ubersmith") and make sure to select the Non-gallery option.
6. Configure the Basic SAML Configuration information.
7. Configure the Attributes & Claims. The default configuration provided by Microsoft already offers all fields that Ubersmith requires, except a group claim, which must be added. For the group claim, use Security groups.
8. Configure Users and groups. In order for your Entra ID users to log in, you must give users (or groups) access to the application. Bear in mind that you will be able to associate the groups defined in Entra ID with Roles within Ubersmith.
9. Enable Signing. To take advantage of encryption, additional settings must be enabled for your Entra ID SAML application.

Configure Ubersmith

1. In Settings, click User Authentication.
2. Click Add New Authentication Module.
3. Set the following:
   - Enabled: Yes
   - Module: SAML
   - Priority: 1 (or appropriate)
   - Create User on Login: Checked
   Check Create User on Login so newly added Microsoft Entra ID users will be created in Ubersmith when they first log in to Ubersmith.
4. Use the Attributes & Claims values from your Entra ID configuration to populate the fields within the Authentication Module popup.
5. Ensure the Entity ID configured in your Entra ID application matches the Service Provider (SP) Entity ID configured in Ubersmith. This will be the HTTPS URL for your Ubersmith installation; for example, https://myubersmith.yourdomain.com.
6. If needed, use the command from the popup's tooltip to generate your SP x509 Certificate and private key.
7. To take advantage of encryption, additional settings must be enabled for your Entra ID SAML application and within Ubersmith. Click Edit in the SAML Certificates menu and enable the Sign SAML response and Assertion option.
8. Download the Certificate (Base64) file from your Entra ID application, and paste it into the IdP x509 Certificate field in the Ubersmith configuration.

Note: If Strict Mode is True, then the SAML integration will reject unsigned or unencrypted messages if it expects them to be signed or encrypted. It will also reject messages that do not strictly follow the SAML standard. Destination, NameId, and Conditions are validated too.

9. Save the Authentication Module.

You can now map Ubersmith's roles to Microsoft Entra groups. Unfortunately, at this time, Entra ID Object IDs must be used for the role mapping, rather than the Group Names.
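The checks that Strict Mode performs (Destination, NameID, Conditions including the Audience restriction) and the Object ID based group-to-role mapping are easier to reason about with a concrete assertion in front of you. The following is an added example, not Ubersmith's code or Microsoft's; it parses a constructed SAML response (placeholder tenant and group GUIDs, an assumed Assertion Consumer Service path of /saml/acs, and a hypothetical role map) and reports which strict checks fail. Signature verification is deliberately left to the SAML library and is not implemented here.

```python
"""Strict-mode style validation of a SAML response plus Entra group -> role mapping.

Added illustration only: the response, GUIDs, ACS path and role map are constructed
placeholders, not values from a real Entra ID tenant or Ubersmith installation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim name Entra ID uses for the group claim configured under Attributes & Claims.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Assumed SP values: the Entity ID is the HTTPS URL of the install (as the docs say);
# the ACS path is a placeholder, take the real one from the Ubersmith popup.
SP_ENTITY_ID = "https://myubersmith.yourdomain.com"
SP_ACS_URL = "https://myubersmith.yourdomain.com/saml/acs"

# Hypothetical mapping of Entra group Object IDs (not names) to Ubersmith roles.
ROLE_MAP = {
    "11111111-1111-1111-1111-111111111111": "Administrator",
    "22222222-2222-2222-2222-222222222222": "Billing",
}

# Constructed sample response (no signature element; see module docstring).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://myubersmith.yourdomain.com/saml/acs">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@yourdomain.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://myubersmith.yourdomain.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
        <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
        <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


@dataclass
class StrictCheckResult:
    ok: bool
    errors: list = field(default_factory=list)
    name_id: str = ""
    roles: list = field(default_factory=list)


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, expected_destination: str, expected_audience: str,
                      now: datetime, role_map: dict = ROLE_MAP) -> StrictCheckResult:
    """Apply the strict checks named in the docs and derive roles from group Object IDs."""
    errors = []
    root = ET.fromstring(xml_text)
    # Destination must be exactly the SP's ACS URL, otherwise a response meant for
    # another endpoint could be replayed here.
    if root.get("Destination") != expected_destination:
        errors.append("Destination mismatch")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return StrictCheckResult(False, ["missing Assertion"])
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (nid.text or "").strip() if nid is not None else ""
    if not name_id:
        errors.append("missing NameID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_saml_time(nb):
            errors.append("NotBefore in the future")
        if noa and now >= parse_saml_time(noa):
            errors.append("NotOnOrAfter passed")
        audiences = [(a.text or "").strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            errors.append("Audience mismatch")
    # Collect group Object IDs from the group claim and map known ones to roles;
    # unknown groups are simply ignored rather than granting anything.
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    roles = sorted({role_map[g] for g in groups if g in role_map})
    return StrictCheckResult(not errors, errors, name_id, roles)


if __name__ == "__main__":
    result = validate_response(SAMPLE_RESPONSE, SP_ACS_URL, SP_ENTITY_ID,
                               parse_saml_time("2024-01-01T12:02:00Z"))
    print(result)
```

Running the block with a clock inside the Conditions window yields no errors, the NameID alice@yourdomain.com, and the roles Administrator and Billing (the third group has no mapping and contributes nothing). Changing the expected audience or moving the clock past NotOnOrAfter produces the corresponding errors, which is the behaviour the Strict Mode note describes.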