Skip to main content

Configure SSO for Microsoft Entra

This articles walks through how to configure SurePath AI to use Microsoft Entra as an IDP

Updated over a week ago

Configure SSO with Microsoft Entra

NOTE: SurePath AI supports both SAML and OIDC for Single Sign-On with most vendors. OIDC is the recommended protocol if your organization has no requirements for SAML.

OIDC Configuration

Prerequisites

Output Checklist

Save the following to be used in the SurePath AI client setup.

  • Directory (tenant) ID

  • Issuer (URL) - You will create this.

    • This is a combination of MS info and your Directory (tenant) ID

    • Example: https://login.microsoftonline.com/{insert tenant ID}/v2.0

  • Client Secret

Procedure

Note: Please use the search bar if the icon or name is not visible.

  • Login to Microsoft Azure Portal

  • Select Microsoft Entra ID

  • Select App registrations

  • Select New registration

  • Enter SurePath AI SSO Integration (or another suitable name)

  • Select Default Directory only - Single tenant or whatever is right for your organization.

Note: The following information can be found in the SurePath AI Admin interface under Configure > Organization > Identity > Single Sign-On

  • Set the Redirect URI platform to Web

  • Set the URI to the value from the Authorization Callback URLs field

  • Click Register

  • Copy the Directory (tenant) ID

    • Save this for use in the SurePath AI setup

  • Manage - Certificates & Secrets

    • New client secret

      • Client Secrets tab

      • Enter a description

      • Enter the expiration date

        1. Pro tip: go make a calendar invite for 2 weeks before this date to renew it

      • Add

    • Copy the Value of the new secret you created

      • Save this for use in the SurePath AI setup

      • This is a communication secret/password so treat it appropriately and keep it secure.

  • Token Configuration

    • Add optional claim

    • Token type -> ID

    • Select email

    • Click Add

    • Check Turn on the Microsoft Graph email permissions (required for claims to appear in token).

    • Click Add

    • Add optional claim (for display name)

    • Token type -> ID

    • Select name (this provides the DisplayName claim)

    • Click Add

    • If name is not available, configure both given_name and family_name claims instead:

      • Add optional claim

      • Token type -> ID

      • Select given_name

      • Click Add

      • Add optional claim

      • Token type -> ID

      • Select family_name

Configure SurePath AI provider for OIDC

  • Login to the SurePath AI admin interface

  • Navigate to Organization -> Identity -> Add Provider

  • Enter the name you will use.

    • Users will see this name so it's helpful to have the company name and SSO in the name field to bolster confidence in the end user that they are using a company resource.

  • Select OIDC from the Provider Type

  • Enable the new provider with the toggle switch

  • Enter the Azure Directory (tenant) ID in the SurePath AI Client Id field

  • Enter the value of the Secret in the SurePath AI Client Secret field.

  • Enter the Issuer (URL) - You need to create this.

    • This is a combination of MS info and your Directory (tenant) ID

    • Example: https://login.microsoftonline.com/{insert tenant ID}/v2.0

  • SAVE the entry

SAML Configuration

Prerequisites

You will need the following values to complete your configuration. Information on how to retrieve them will be included below.

Setup Azure Application

Note: While in the Azure portal, please use the search bar if the icon or name is not visible on the screen. You may need to expand menu items as well.

  • Login to Microsoft Azure Portal

  • Select Microsoft Entra ID

  • Select Enterprise applications

  • Select New Application

  • Select Create your own application

  • Enter SurePath AI SSO Integration (or another suitable name)

  • Ensure the last radio button is checked: Integrate any other application…

  • Select Set up single sign on (may need to select it)

  • Select SAML

  • Scroll down a bit to see the App Federation Metadata Url

  • Copy this value for use in the SurePath AI admin interface.

Configure SurePath AI provider for SAML

  • Login to the SurePath AI admin interface

  • Navigate to Organization -> Identity -> Add Provider

  • Enter the name you will use. Users will see this name so it's helpful to have the company name and SSO in the name field to bolster confidence in the end user that they are using a company resource.

  • Select SAML - Metadata URL from the Provider Type Dropdown box

  • Paste the App Federation Metadata Url from Azure here in the Metadata URL field.

  • Click SAVE CHANGES

  • The Metadata URL will be validated over the next few seconds and provide and error if anything is wrong.

  • The screen will now contain the values you need to finish the SSO configuration.

    • Identifier (Entity ID) = Service Provider Entity ID

    • Reply URL (Assertion Consumer Service URL) = Authorization Callback URLs

  • You can now enable the provider with the toggle switch.

Finish Azure Configuration

  • Select Basic SAML Configuration > Edit

  • Select Add identifier and enter value from the Service Provider Entity ID field

  • Select Add reply URL and enter value from the Authorization Callback URLs field

  • Click Save

  • Close the window

Configure SAML attributes and claims

SurePath AI requires specific user attributes to be included in the SAML assertion. Admins must configure these attributes in Azure Entra to ensure users can authenticate successfully.

  • Navigate to the Attributes & Claims section in the Azure Enterprise Application

  • Click Edit

  • Verify that the email claim is configured (this is typically included by default as user.mail or user.userprincipalname)

  • Add a display name claim using one of the following options:

    • Option 1 (recommended): Add a claim named displayname or name mapped to user.displayname

      • Click Add new claim

      • Name: displayname (or name)

      • Source attribute: user.displayname

      • Click Save

    • Option 2 (alternative): Add separate claims for first and last name (SurePath AI will combine these into a display name)

      • Click Add new claim

      • Name: givenname

      • Source attribute: user.givenname

      • Click Save

      • Click Add new claim

      • Name: surname

      • Source attribute: user.surname

      • Click Save

Testing the configuration

SurePath AI does not support IDP-Initiated authentication flows. To test your SSO configuration, please visit https://auth.surepath.ai and if your username is displayed, click LOGOUT, Now, attempt to login to verify that .

Related Articles
Model connectors
Resolve an Issue - Azure Entra SCIM `Enterprise application` deletion
Microsoft Intune - Distributing configuration for macOS
Connecting an AWS Knowledge Base to Microsoft Sharepoint
Configure SSO for all providers
Did this answer your question?