SAML SSO Set Up
Microsoft Entra ID (Azure AD)
This guide walks your Microsoft Entra ID administrator through creating and configuring
a SAML 2.0 Enterprise Application so your organization's users can sign in to
SolidProfessor using Entra ID Single Sign-On.
Prepared by: SolidProfessor
Document Version: 1.0
Last Updated: February 2026
Table of Contents
- Create an Enterprise Application
- Enable SAML Single Sign-On
- Configure Basic SAML Settings
- Attributes & Claims
- Assign Users & Groups
- Send Metadata to SolidProfessor
Prerequisites
- Microsoft Entra ID administrator access — You need at least the Cloud Application Administrator or Application Administrator role in your Entra ID tenant.
- SAML configuration values from SolidProfessor — Your SolidProfessor contact will provide the Reply URL (ACS) and Identifier (Entity ID) specific to your organization.
Before you begin:
Ensure you have received the SAML configuration values from SolidProfessor before starting this setup. These values are unique to your organization and are required to complete Section 3.
Overview
The setup consists of six steps that create a trust relationship between Microsoft Entra ID (your Identity Provider) and SolidProfessor (the Service Provider). At the end of this process, you will send SolidProfessor a Federation Metadata XML file so we can finalize the connection on our side.
Terminology:
Microsoft Entra ID was formerly known as Azure Active Directory (Azure AD). This guide uses the current name "Entra ID" throughout. If your admin portal still shows "Azure Active Directory," the steps are identical.
1 Create an Enterprise Application
In this section you will create a new Enterprise Application in Microsoft Entra ID for SolidProfessor.
- Sign in to the Microsoft Entra admin center at entra.microsoft.com with an account that has administrator privileges.
- In the left-hand navigation menu, expand Identity, then expand Applications, and click Enterprise applications.
- Click + New application at the top of the page.
- Click + Create your own application.
- Enter SolidProfessor as the application name.
- Select "Integrate any other application you don't find in the gallery (Non-gallery)".
- Click Create.
Checkpoint:
Your SolidProfessor Enterprise Application has been created. You should now be on the application's Overview page. The next step is to enable SAML authentication.
Note:
Unlike Okta (which lets you select SAML 2.0 at creation time), Entra ID requires you to first create the Enterprise Application and then configure SAML as the sign-on method in the next step.
2 Enable SAML Single Sign-On
- From the SolidProfessor application's Overview page, click Single sign-on in the left-hand menu under Manage.
- On the Select a single sign-on method page, click SAML.
You should now see the SAML-based Sign-on configuration page with numbered sections.
3 Configure Basic SAML Settings
This is where you tell Entra ID how to communicate with SolidProfessor.
- In the Basic SAML Configuration section (Section 1 on the page), click the Edit (pencil) icon.
- In the Identifier (Entity ID) field, enter the Entity ID provided by SolidProfessor:
  Value: URN of the user pool in AWS Cognito
  This will be provided by SolidProfessor.
- In the Reply URL (Assertion Consumer Service URL) field, enter the ACS URL provided by SolidProfessor:
  Value: Custom domain configured for your User Pool App Client, appended with /saml2/idpresponse
  This will be provided by SolidProfessor.
- Leave Sign on URL, Relay State, and Logout URL blank.
- Click Save at the top of the panel, then close the panel.
Why these values matter:
The Identifier (Entity ID) tells Entra ID which service provider it is communicating with. The Reply URL is where Entra ID sends the SAML assertion after a user authenticates. Both values point to the correct AWS Cognito instance that handles your organization's authentication.
4 Attributes & Claims
Attributes & Claims tell Entra ID which user profile fields to include in the SAML assertion
so SolidProfessor can identify and provision users correctly. These are configured in Section 2
on the SAML configuration page.
- In the Attributes & Claims section (Section 2 on the page), click the Edit (pencil) icon.
- You will see a list of existing claims. You need to add additional claims for SolidProfessor.
- Click + Add new claim for each of the attribute mappings listed in the Required Attribute Mappings table below.
- For each claim:
  - Enter the Name exactly as shown in the table.
  - Leave Namespace blank (clear any default value).
  - Set Source to Attribute.
  - Set Source attribute to the Entra ID attribute shown in the table.
  - Click Save.
Important:
You must clear the Namespace field for each custom claim. By default, Entra ID populates a namespace URI. If the namespace is not cleared, the claim names sent in the SAML assertion will not match what SolidProfessor expects.
Required Attribute Mappings
Add each of the following claims using the + Add new claim button. Remember to clear the Namespace field for each one.
| Claim Name | Source Attribute (Entra ID) |
| --- | --- |
| email | user.mail |
| firstName | user.givenname |
| lastName | user.surname |
| address | user.streetaddress |
| city | user.city |
| state | user.state |
| postalCode | user.postalcode |
| country | user.country |
| phoneNumber | user.telephonenumber |
Tip:
The Claim Name values (left column) must match exactly as shown — they are case-sensitive. The Source Attribute values reference standard Entra ID user profile fields. If your organization uses custom attributes, contact SolidProfessor for assistance.
Default claims:
Entra ID includes some default claims (like emailaddress, name, and givenname with full namespace URIs). You can leave these in place — they will not interfere with the custom claims you add above, as long as the custom claims have an empty namespace.
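One way to check the claim names before testing, as an added example that is not part of SolidProfessor's tooling: the script below decodes a base64 SAMLResponse (as posted to the Reply URL) and classifies each of the nine required claims. The function names and the sample response are hypothetical and constructed for illustration; the sample assumes an un-cleared namespace shows up as a URI prefix on the attribute name.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names from the Required Attribute Mappings table (case-sensitive).
REQUIRED = ["email", "firstName", "lastName", "address", "city",
            "state", "postalCode", "country", "phoneNumber"]

def check_claims(saml_response_b64):
    """Classify each required claim in a base64-encoded SAMLResponse."""
    # Parse only responses captured from your own tenant's test sign-in.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    names = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", SAML_NS)]
    report = {}
    for claim in REQUIRED:
        if claim in names:
            report[claim] = "ok"
        elif any(n.endswith("/" + claim) for n in names):
            report[claim] = "namespaced"   # Namespace field was not cleared
        elif any(n.lower() == claim.lower() for n in names):
            report[claim] = "wrong case"   # e.g. firstname instead of firstName
        else:
            report[claim] = "missing"      # claim not added, or source attribute empty
    return report

def constructed_response():
    """Constructed sample (unsigned, attributes only), not real Entra ID output."""
    default_ns = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
    attrs = {
        default_ns + "emailaddress": "pat@example.com",  # default claim, harmless
        "email": "pat@example.com",
        "firstname": "Pat",
        default_ns + "lastName": "Lee",
        "city": "Springfield",
    }
    body = "".join(
        f'<Attribute Name="{n}"><AttributeValue>{v}</AttributeValue></Attribute>'
        for n, v in attrs.items())
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Assertion>'
           f'<AttributeStatement>{body}</AttributeStatement></Assertion>'
           '</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for claim, status in check_claims(constructed_response()).items():
        print(f"{claim:12} {status}")
```

The script inspects attribute names only and does not validate the assertion's signature, so treat its output as a configuration check, not as proof the response is authentic.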
5 Assign Users & Groups
Before users can sign in via SSO, they must be assigned to the SolidProfessor application in Entra ID.
You can assign individual users or entire groups.
- In the SolidProfessor application, click Users and groups in the left-hand menu under Manage.
- Click + Add user/group.
- On the Add Assignment page, click None Selected under Users.
- Search for and select the users or groups who should have SSO access to SolidProfessor.
- Click Select, then click Assign.
Important:
Only users who are assigned to this application (directly or via a group) will be able to use SSO to access SolidProfessor.
If a user is not assigned, they will receive an error when attempting to sign in.
Best practice:
We recommend assigning an Entra ID security group (e.g., "SolidProfessor Users") rather than individual users. This makes it easy to manage access as employees join or leave — simply add or remove them from the group.
6 Send Metadata to SolidProfessor
SolidProfessor needs your Identity Provider (IdP) metadata to complete the SSO configuration on our side.
This metadata contains your Entra ID SSO endpoint, signing certificate, and entity ID.
- Navigate back to the Single sign-on page of your SolidProfessor application.
- Scroll down to Section 3: SAML Certificates.
- Find App Federation Metadata Url and click the copy icon next to it.
- Send this Metadata URL to your SolidProfessor contact.
Metadata — Alternatives
Alternative:
If you prefer to send a file instead of a URL, click Download next to Federation Metadata XML in the SAML Certificates section. Send the downloaded FederationMetadata.xml file to your SolidProfessor contact.
That's it!
Once SolidProfessor receives your metadata URL (or XML file), we will complete the configuration on our side and notify
you when SSO is ready for testing.
Testing SSO
After SolidProfessor confirms the configuration is complete, test the SSO connection:
- Navigate back to the Single sign-on page of the SolidProfessor application in Entra ID.
- Scroll down to Section 5: Test single sign-on with SolidProfessor.
- Click Test.
- Select "Sign in as current user" or "Sign in as someone else" and enter the credentials of an assigned user.
- If successful, you will be redirected to SolidProfessor and signed in automatically.
Note:
Do not test until SolidProfessor confirms the configuration is complete on our side. Testing before that will result in an error.
Summary
Here is a quick reference of everything configured in this guide:
| Setting | Value |
| --- | --- |
| Application Type | Enterprise Application (Non-gallery) |
| App Name | SolidProfessor |
| Single Sign-On Method | SAML |
| Identifier (Entity ID) | Provided by SolidProfessor |
| Reply URL (ACS URL) | Provided by SolidProfessor |
| Claim Namespace | Empty (cleared for all custom claims) |
| Custom Claims | 9 attributes (see Section 4) |
Troubleshooting
Users cannot sign in
- Verify the user is assigned to the SolidProfessor application (Section 5).
- Ensure the user's Entra ID profile has a valid mail attribute (not just a UPN).
- Check that the user is not in a disabled state in Entra ID.
SAML assertion errors
- Double-check the Identifier (Entity ID) and Reply URL — they must match the values provided by SolidProfessor exactly.
- Confirm all custom claim names are spelled correctly, including letter case; claim names are case-sensitive (e.g., firstName, not firstname).
- Verify the Namespace is empty for all custom claims. A non-empty namespace is the most common configuration error.
Claims not appearing in assertion
- Ensure the Source is set to Attribute (not Transformation).
- Verify the Source attribute exists in the user's Entra ID profile (e.g., user.mail requires the Mail field to be populated).
Need help?
Contact your SolidProfessor account representative for assistance with SSO configuration.