# Microsoft Entra ID

{% hint style="success" %}
**Access Type**: Organization Settings - Editor

**Premium Feature**: SSO
{% endhint %}

Single Sign-On (SSO) is an authentication process that allows users to access multiple applications or systems with one set of login credentials. In this article, we will cover how to configure SSO using the SAML 2.0 standard protocol with Microsoft Entra ID.

* [Resources](#resources)
* [Retrieve SSO SAML identifiers](#retrieve-sso-saml-identifiers)
* [Create Didomi console application in Microsoft Entra ID](#create-didomi-console-application-in-microsoft-entra-id)
* [Configure SSO for Didomi console application in Microsoft Entra ID](#configure-sso-for-didomi-console-application-in-microsoft-entra-id)
* [Retrieve Didomi console application metadata from Microsoft Entra ID](#retrieve-didomi-console-application-metadata-from-microsoft-entra-id)
* [Add Microsoft Entra ID metadata](#add-microsoft-entra-id-metadata)
* [Test and complete SSO configuration](#test-and-complete-sso-configuration)
* [Manage user and group access to Didomi console application](#manage-user-and-group-access-to-didomi-console-application)

***

### Resources

Please refer to the following Microsoft Entra ID documentation for additional information:

* [Microsoft Entra ID: Enable Single sign-on with SAML](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-setup-sso#enable-single-sign-on)
* [Microsoft Entra ID: What is single sign-on in Microsoft Entra ID?](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/what-is-single-sign-on)

### Retrieve SSO SAML identifiers

To start, retrieve the SSO SAML identifiers from the Didomi console; you will need them to continue the setup in your identity provider.

Click **My organization** and select **Single Sign-on** from the drop-down menu.

<figure><img src="/files/xYTfkcoJha4cIEPxiw4C" alt="" width="563"><figcaption></figcaption></figure>

Use the provided fields in the **Get your SSO SAML identifiers** step to record the following:

<table><thead><tr><th width="210">Identifier</th><th>Description</th></tr></thead><tbody><tr><td>Configured issuer</td><td>Your organization's identity provider's unique identifier within the Didomi console.</td></tr><tr><td>Login URL</td><td>Where the user will be redirected after a successful login on the identity provider.</td></tr><tr><td>Logout URL</td><td>Where the user will be redirected after a successful logout on the identity provider.</td></tr></tbody></table>

<figure><img src="/files/Ntpfh2tkie9RRqTgsLoD" alt="" width="375"><figcaption></figcaption></figure>

Click **Continue** when finished.

### Create Didomi console application in Microsoft Entra ID

Before configuring SSO, your organization will need to add a Didomi console application in your Microsoft Entra ID account.

1. Navigate to **Entra ID > Enterprise apps > All applications**.
2. Click **New application**.
3. From the creation page, select **Create your own application**.

Give the new application a name that clearly identifies it as the Didomi console application. This is the application in which your organization will configure SAML SSO.

### Configure SSO for Didomi console application in Microsoft Entra ID

From the newly created application for the Didomi console in Microsoft Entra ID, select **Single sign-on** on the left-hand menu.

Click **SAML** to open the SSO configuration page, navigate to the **Basic SAML configuration** section, and select **Edit**.

Use the provided fields to input the SSO SAML identifiers retrieved from the Didomi console.

| Microsoft Entra ID Field                   | Didomi console SSO SAML identifier |
| ------------------------------------------ | ---------------------------------- |
| Identifier (Entity ID)                     | Configured issuer                  |
| Reply URL (Assertion Consumer Service URL) | Login URL                          |
| Sign on URL                                | Login URL                          |
| Logout URL (Optional)                      | Logout URL                         |

<figure><img src="/files/ycIOGKDZ4zSoalS1X4Ck" alt=""><figcaption></figcaption></figure>

Click **Save** when finished.

### Retrieve Didomi console application metadata from Microsoft Entra ID

From the Didomi console application's SSO configuration page in Microsoft Entra ID, navigate to the **Set up \[Application Name]** section and record the **Login URL** and **Logout URL**.

Next, navigate to the **SAML Certificates** section and download the **Certificate (Base64)**. The certificate will be downloaded to your local machine. Open the file and record its contents.
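Before pasting the downloaded certificate into the Didomi console, it is worth confirming that the file really contains a certificate and that its validity window will not expire soon (an expired or silently rotated signing certificate is the usual cause of SAML logins suddenly failing). The script below is an added example written for this page, not code from Didomi or Microsoft: it reads the Base64 `.cer` file, checks that the body decodes to a DER SEQUENCE, walks the ASN.1 structure far enough to read `notBefore`/`notAfter`, and prints the SHA-1 thumbprint so you can compare it with the thumbprint shown in Entra's **SAML Certificates** section. The `constructed_sample_pem()` helper builds a structure-only stand-in (no key, no signature) so the script runs offline; a real download is a signed certificate.

```python
"""Sanity-check an Entra ID "Certificate (Base64)" download before pasting it.

Added example (not Didomi's or Microsoft's code); standard library only.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(text: str) -> bytes:
    """Accept PEM (with headers) or bare Base64 and return the DER bytes."""
    match = PEM_RE.search(text)
    body = "".join((match.group(1) if match else text).split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid Base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE, so not a certificate")
    return der


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER TLV reader: returns (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes):
    """Yield (tag, value) for the TLVs laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        tag, start, end = _read_tlv(buf, pos)
        yield tag, buf[start:end]
        pos = end


def _parse_time(tag: int, value: bytes) -> datetime:
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYY...)."""
    text = value.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        text = f"{year + (1900 if year >= 50 else 2000)}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der: bytes):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, start, end = _read_tlv(der, 0)            # outer Certificate SEQUENCE
    tbs_tag, tbs = next(_children(der[start:end]))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                      # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    validity_tag, validity = fields[3]
    if validity_tag != 0x30:
        raise ValueError("validity SEQUENCE not where expected")
    (t1, v1), (t2, v2) = list(_children(validity))
    return _parse_time(t1, v1), _parse_time(t2, v2)


def inspect_certificate(text: str, now=None) -> dict:
    """Summarize what an admin wants to know before pasting the certificate."""
    der = pem_to_der(text)
    not_before, not_after = cert_validity(der)
    now = now or datetime.now(timezone.utc)
    return {
        "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper(),  # as shown by Entra
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
        "not_before": not_before,
        "not_after": not_after,
        "currently_valid": not_before <= now <= not_after,
        "days_remaining": (not_after - now).days,
    }


def _der(tag: int, content: bytes) -> bytes:
    """DER-encode one TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def constructed_sample_pem(not_before="000101000000Z", not_after="490101000000Z") -> str:
    """CONSTRUCTED stand-in: certificate framing with no key or signature."""
    sha256_rsa = _der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                        # version v3
               + _der(0x02, b"\x01")                                   # serialNumber
               + _der(0x30, sha256_rsa)                                # signature algorithm
               + _der(0x30, b"")                                       # issuer (empty Name)
               + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
               + _der(0x30, b"")                                       # subject (empty Name)
               + _der(0x30, b""))                                      # subjectPublicKeyInfo stub
    cert = _der(0x30, tbs + _der(0x30, sha256_rsa) + _der(0x03, b"\x00"))
    body = base64.encodebytes(cert).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else constructed_sample_pem()
    for key, value in inspect_certificate(source).items():
        print(f"{key}: {value}")
```

Run it as `python check_cert.py <downloaded-file>.cer` (a name assumed here). If `currently_valid` is false or `days_remaining` is small, rotate the certificate in Entra and update the Didomi console before users are locked out.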

### Add Microsoft Entra ID metadata

With the metadata from Microsoft Entra ID copied, navigate back to the SSO configuration within the Didomi console and input those values in the provided fields for the **Setup SSO settings** step.

<table><thead><tr><th width="231">Metadata</th><th>Description</th></tr></thead><tbody><tr><td>X509 certificate</td><td>The SAML Signing Certificate from your Microsoft Entra ID in CER Base64 format.</td></tr><tr><td>Login URL</td><td>Login URL from Microsoft Entra ID.</td></tr><tr><td>Logout URL</td><td>Logout URL from Microsoft Entra ID.</td></tr></tbody></table>

{% hint style="warning" %}
**Note**: Before continuing, ensure all users who should have access to the Didomi console have their email addresses added to their profile.
{% endhint %}

<figure><img src="/files/CVOXd09VnoRe3zbsJNSI" alt="" width="563"><figcaption></figcaption></figure>

### Test and complete SSO configuration

Didomi will verify the identity provider metadata. When verification succeeds, use the **Domain(s)** field to add the email domains to which SAML authentication will be restricted (*i.e. only users whose email address has one of these domains will be allowed to log in with SSO SAML*).

{% hint style="warning" %}
For security, the domain added to the **Domain(s)** field must match the email domain of the user performing the configuration (e.g. `didomi.io` can only be added if the user adding it is signed into the Didomi console using an `@didomi.io` email address).

To add more than one domain, please contact the Didomi support team via chat or email at <support@didomi.io>.
{% endhint %}

<figure><img src="/files/ob57E1LLIGN3HtBqgZWS" alt="" width="563"><figcaption></figcaption></figure>

Click **Save settings**.
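The two rules above (SSO is restricted to the configured domains, and a domain may only be added by a user signed in under that domain) are easy to get subtly wrong if implemented loosely. The following is an added example that models them as written here; it is not the Didomi console's own implementation. It matches domains exactly and case-insensitively, so sub-domains (`mail.didomi.io`) and look-alikes (`didomi.io.example.com`) are rejected, and it splits on the last `@` so an address such as `a@didomi.io@example.com` is attributed to `example.com`. Internationalized domain names would need IDNA conversion first, which this model does not handle.

```python
"""Model of the two domain rules on this page (added example, not Didomi's code)."""
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def email_domain(email: str) -> str:
    """Return the lower-cased domain of an e-mail address, or raise ValueError.

    Splits on the LAST '@' so 'a@b@evil.example' resolves to 'evil.example',
    and rejects anything that is not a plain ASCII hostname.
    """
    local, at, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not local or not _DOMAIN_RE.match(domain):
        raise ValueError(f"not a usable e-mail address: {email!r}")
    return domain


def sso_allowed(email: str, allowed_domains) -> bool:
    """Rule 1: exact, case-insensitive domain match; sub-domains and look-alikes fail."""
    try:
        domain = email_domain(email)
    except ValueError:
        return False
    return domain in {d.lower().rstrip(".") for d in allowed_domains}


def can_add_domain(configuring_user_email: str, domain: str) -> bool:
    """Rule 2: the person adding a domain must be signed in under that exact domain."""
    try:
        return email_domain(configuring_user_email) == domain.lower().rstrip(".")
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs (not real accounts).
    for address in ("Alice@Didomi.IO", "bob@mail.didomi.io", "eve@didomi.io.example.com"):
        print(address, "->", sso_allowed(address, ["didomi.io"]))
    print("admin@example.com may add didomi.io:", can_add_domain("admin@example.com", "didomi.io"))
```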

### Manage user and group access to Didomi console application

From the Microsoft Entra ID application for the Didomi console, click **Users and groups** on the left-hand panel and use that page to manage which users and groups in your organization have access to the Didomi console.

