Skip to main content

Configure Entra ID as a SAML Service Provider in ZITADEL

This guides shows you how to connect Entra ID (former Azure Active Directory) as an identity provider in ZITADEL.

info

In ZITADEL you can connect an Identity Provider (IdP) like Entra ID (former Azure Active Directory) to your instance and provide it as default to all organizations. Also, you can register the IdP to a specific organization only. If you allow so, your organizations members can do the same in self-service.

Entra ID SAML Configuration​

You need to have access to an Entra ID Tenant. If you do not yet have one follow this guide from Microsoft to create one for free.

Register a new enterprise application in Entra​

We start setting up the enterprise application.

  1. Browse to the Enterprise App registration menu.
  2. Search for "SAML Toolkit" and click on the "Microsoft Entra SAML Toolkit" card.
  3. Change the name if wanted and click "Create"

Azure SAML App Creation

Disable required assignment​

To allow all users to sign in using ZITADEL we need to manually disable required assignment:

  1. Go to Manage > Properties
  2. Set "Assignment required?" to No
  3. Hit Save

Disable assignment required check

Setup SAML​

Configure the sign-on method of the app.

  1. Go to Manage > Single sign-on
  2. Select SAML
  3. You will be redirected to the Single Sign-On details page
  4. Copy the URL of SAML Certificates > App Federation Metadata Url to your clipboard

Azure Entra overview

ZITADEL Configuration​

Go to the IdP Providers Overview​

Go to the settings page of your instance or organization and choose "Identity Providers".

In the table you can see all the providers you have configured. Also, you see all provider templates that are available.

Identity Provider Overview

Select the SAML SP Provider template.

Create a new SAML Service Provider (SP)​

Now we configure the identity provider on ZITADEL.

  1. Set a name like "Microsoft Entra"
  2. Paste the previously copied URL into the "Metadata URL"-field. The metadata will automatically be fetched from the provided URL after creation.
  3. Select the "SAML_POST_BINDING" as binding
  4. Ensure that the "Signed Request"-box is ticked
  5. Change the options if needed. Microsoft Entra works out of the box using the pre configured options.
  6. Click Create

Automatic creation: If this setting is enabled the user will be created automatically within ZITADEL, if it doesn't exist.

Automatic update: If this setting is enabled, the user will be updated within ZITADEL, if some user data is changed withing the provider. E.g if the lastname changes on the Microsoft account, the information will be changed on the ZITADEL account on the next login.

Account creation allowed: This setting determines if account creation within ZITADEL is allowed or not.

Account linking allowed: This setting determines if account linking is allowed. When logging in with a Microsoft account, a linkable ZITADEL account has to exist already.

info

Either account creation or account linking have to be enabled. Otherwise, the provider can't be used.

Azure SAML App Creation

Configure Basic SAML Configuration​

After you created the SAML SP in ZITADEL, you can copy the URLs you need to configure in your Entra ID application.

Azure SAML App URLs

  1. Go to Microsoft Entra > Manage > Single sign-on
  2. Edit the "Basic SAML Configuration"
  3. Identifier (Entity ID): Paste the ZITADEL Metadata URL.
  4. Reply URL (Assertion Consumer Service URL): Paste the ZITADEL ACS Login Form URL
  5. Sign on URL: Paste the ZITADEL ACS Login Form URL
  6. Logout URL: Optionally paste the ZITADEL Single Logout URL
  7. Click Save
info

You can ignore the ZITADEL ACS Intent API URL for now. This is relevant if you want to programmatically sign users in at ZITADEL via a SAML Service Provider.

Azure Entra configuration overview

Enable the Microsoft Entra Button in ZITADELs Login Page​

Go back to ZITADEL and activate the IdP.

Activate IdP​

Once you created the provider, it is listed in the providers overview. Activate it by selecting the tick with the tooltip set as available.

If you deactivate a provider, your users with links to it will not be able to authenticate anymore. You can reactivate it and the logins will work again.

The provider can also be activated via API. As the identity providers are sub-resources of the login settings, this is done by linking the provider to the settings:

Activate Azure SAML Provider

Ensure your Login Policy allows External IDPs​

  1. Go to the Settings
    • To allow external IdP logins by default, go to your instance default settings at $YOUR-DOMAIN/ui/console/instance?id=general
    • To allow external IdP logins on an organization, go to $YOUR-DOMAIN/ui/console/org-settings?id=login and ensure you have the right org context.
  2. Modify your login policy in the menu "Login Behavior and Security"
  3. Enable the attribute "External Login allowed"

You can also change the settings through the API directly either in the default settings or on a specific organization:

Allow External IDP

Test the setup​

To test the setup, use incognito mode and browse to your login page. You see a new button which redirects you to Microsoft Entra screen.

By default, ZITADEL shows what you define in the default settings. If you overwrite the default settings for an organization, you need to send the organization scope in your auth request.

Azure Entra Button

Click Microsoft Entra

Entra ID Login

Add Action to map user attributes​

You can use a ZITADEL action if you want to prefill the fields username, firstname, lastname, displayname, email and email verified with Entra data.

  1. Go to the users target organizations settings page.
  2. Add a new action with the body below. Make sure the action name equals the scripts function name. Also change the id in the script to match your provider configurations id.
  3. Add the action to the flow "External Authentication" and trigger it on "Post Authentication"
examples/entra_id_saml_prefil_register_form.js
loading...