English
  • saml
  • azure
  • ad
  • sso

How to integrate Azure AD (Entra ID) SAML SSO with your auth provider

Learn how to integrate Azure AD SSO with Logto using standard SAML connector.

Simeng
Simeng
Developer

Logto provides a out of box SAML connector to integrate with SSO identity providers. Each provider has its own specific information to configure. This guide will walk you through the steps to integrate Azure AD with Logto.

Try Logto cloud for free

Create an new SAML social connector in Logto

  1. Visit your Logto Cloud Console and navigate to the connector section.

  2. Switch to the Social connectors tab and click Add Social Connector button on the top right.

    Logto Cloud Console

  3. Select the SAML connector.

    SAML Connector

    You will be presented with the SAML connector creation form:

    Connector Creation Form

  4. Fill in the connector general information

    Connector General Information

    Field NameDescription
    Name for social sign-in buttonThe name of the social sign-in button that will be displayed on the login page.
    Logo URL for social sign-in buttonThe logo URL of the social sign-in button that will be displayed on the login page.
    Identity provider nameThe name of the identity provider. That may help you identify the target provider of the connector.
    Sync profile informationWhether to sync the user profile information from the identity provider only after the initial sign-up or after each sign-in session.

  5. Set Entity Id and Assertion Consumer Service URL

    Entity Id and Assertion Consumer Service URL

    Entity ID" and an "ACS URL" are essential components used in the SAML exchange process for identity and service providers.

    SP Entity ID: The Entity ID is a unique identifier that represents a SAML entity within a SAML-based system. It is used to distinguish different participants in the SAML exchange. The SP Entity ID helps both the IdP a to recognize request audience and establish trust.

    ACS URL (Assertion Consumer Service URL): The ACS URL is a specific endpoint provided by the Service Provider (Logto) where the Identity Provider (IdP) sends the SAML assertion after successful authentication. Once a user is authenticated by the IdP, the IdP generates a SAML assertion containing user attributes and digitally signs it. The IdP then sends this assertion to the ACS URL of the SP. The SP validates the assertion, extracts user attributes, and logs the user in.

    Field NameDescriptionExample
    SP Entity ID (Audience)SP Entity used by AzureAD to identify the identity of the Logto. Use your Logto tenant endpoint as the EntityID is recommendedhttps://<tenant-id>.logto.app
    IdP single sign-on URLIdP SignIn endpoint. Optional in Azure. This field is used for SP to identify IdP initiated sign-in session. Currently Logto does NOT support IdP initialed sign-in session. Please leave this field blank
    X.509 CertificateThe IdP certificate used to sign the SAML assertion. (We will retrieve this certificate from AzureAD later)
    IdP Metadata in XML formatThe IdP metadata XML file content. (We will retrieve this file from AzureAD later)
    Assertion Consumer Service URLThe ACS URL of the SP. SP(Logto) endpoint to receive SAML assertion requests. Replace the tenant-id and connector-id with you own.https://<tenant-id>.logto.app/api/authn/saml/<connector-id>

Create a SAML SSO application in Azure portal

  1. Log in to the Azure Active Directory dashboard. Select “Enterprise Applications”.

    “Enterprise application

  2. Select “New Application” → “Create your own application”.

    Create your own application

  3. Init a SAML application.

    Init a SAML application

  4. Fill in the configuration with EntityId and ACS URL you have set in Logto.

    SAML application configuration

  5. Configure user attributes and claims

    You can configure the user attributes by clicking on the "Edit" button in the "User Attributes & Claims" section.

    User attributes and claims

    Logto requires the following basic user attributes to be sent in the SAML assertion:

    Claim NameAttribute Name
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressuser.mail
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameuser.name

  6. Assign groups and users to the SAML application In order for users or groups of users to be authenticated, we will need to assign them to the AzureAD SAML application. Select “Users and groups” from the “Manage” section of the navigation menu. The select “Add user/group”.

    Assign users and groups

  7. Obtain the AzureAD IdP details by downloading certificates and metadata file. Download the Federation Metadata XML file and the Certificate (Base64) file by clicking on the "download" button. You will need these files to complete the SAML connector creation in Logto.

    Download IdP metadata and certificate

Finish the SAML connection creation back in Logto

Switch back to the Logto Cloud Console's SAML connector creation form and continue fill in the IdP details. Copy the IdP metadata XML file content to the IdP metadata field. Paste the IdP certificate to the IdP certificate field.

IdP details

Set the user profile mapping

Based on the AzureAD user claim settings, you may proceed set the key mapping configs in Logto:

Logto available user fields are:

Click on “Save and Done”.

Enable the SAML connector

Once you have finished the SAML connector creation, you can enable the connector by navigating to the "Sign-in experience" section and add the connector as the "Social sign-in" method:

Enable the SAML connector

Verify your AzureAD SSO sign-in using our preview demo-app:

AzureAD SSO sign-in

Congratulations! You have successfully integrated AzureAD SSO with Logto. You can now use AzureAD to sign in to your Logto account.

Try it now