
Single Sign-On (SSO) with SAML via Microsoft Entra ID

Set up Single Sign-On (SSO) for revel8 using Microsoft Entra ID (formerly Azure AD)

1: Enable single sign-on with SAML

  1. In Microsoft Entra ID, go to your Enterprise Application for Company Shield

  2. Click on Single sign-on → SAML

🧑‍🔧 2: Configure SAML URLs

  1. Click on Edit next to Basic SAML Configuration

  2. In a separate tab, open the revel8 dashboard and go to Settings → Integrations → Access Controls tab

  3. Copy and paste the following:

  • Entity ID → In Microsoft Entra, paste revel8's Entity ID

  • Reply URL (ACS) → In Microsoft Entra, paste revel8's ACS URL

  4. Click Save in the Microsoft Entra portal

βš™οΈ 3: Install SAML Certificate

  1. In the SAML Certificates section of Microsoft Entra: Click Download next to Federation Metadata XML

  2. Go back to revel8 → Settings → Integrations → Access Controls tab: Upload the downloaded .xml file in the Metadata file section

📌 4: Attributes and Claims

In most cases, the default settings work without changes. If needed, go to the Attributes and Claims section to apply the standard settings.

➕ 5: Assign Users and Groups

Go to Users and groups → click Add user/group, and select your users.

🔑 6: Group to Role Mappings (Optional)

Once SAML is active, you can automatically assign revel8 roles based on your Entra ID groups. This eliminates the need to manually assign roles to each user after login.

  1. In revel8, go to Settings → Integrations → Access Controls tab

  2. Scroll to the Group to Role Mappings section

  3. Click Add Mapping to add a new row

  4. Enter the IdP Group Name exactly as it appears in your Entra ID

  5. Select the corresponding revel8 role from the dropdown: EMPLOYEE, EDITOR, CISO, or DIRECTOR

  6. Repeat for each group you want to map, then click Save Mappings

💡 Tip

You can add multiple mappings. Users in a mapped group will automatically receive that role upon login. Users not matched to any mapping default to the EMPLOYEE role.

πŸ›‘οΈ 7: Disable Password Login (Optional)

Once SAML is active, you can optionally disable password-based login to enforce SSO as the only login method for your organization.

  1. In revel8, go to Settings → Integrations → Access Controls tab

  2. Under the SAML status section (visible once SAML is active), check the Password login disabled checkbox

⚠️ Important

Disabling password login means users can only log in via SAML SSO. Ensure your SAML configuration is fully tested before enabling this to avoid locking users out.


✅ Final Checklist

  • SAML URLs configured in Microsoft Entra

  • Metadata file downloaded from Entra and uploaded to revel8 via Settings → Integrations → Access Controls

  • Attributes and Claims checked

  • Users and Groups assigned in Entra

  • Group to Role Mappings configured (optional)

  • Password login disabled if enforcing SSO-only (optional)

  • Test login successful
