
Microsoft Azure AD - SAML v2.0

  • A Microsoft Entra ID tenant
  • Admin privileges to configure applications in Azure AD
  • Access to the Azure portal
  • The SAML values provided by your Customer Success Manager
    • Entity ID (Unique identifier for the service provider)
    • Assertion Consumer Service URL (the redirect URI where Azure AD sends the SAML response)

1. Create an enterprise application in Azure AD

  1. Go to the Azure portal
  2. Navigate to Microsoft Entra ID > Enterprise applications
  3. Click New application
  4. Click Create your own application
  5. Enter a name for your application (e.g., HIPE)
  6. Select Integrate any other application you don’t find in the gallery (Non-gallery)
  7. Click Create

Azure AD enterprise application creation step 1

Azure AD enterprise application creation step 2

  1. Open the application you just created
  2. In the left navigation, click Single sign-on
  3. Select SAML

Azure AD SAML single sign-on step 1

  1. In the Basic SAML Configuration section, click Edit
  2. Fill in the values provided by your Customer Success Manager:
    • Identifier (Entity ID)
    • Reply URL (Assertion Consumer Service URL)
    • Sign on URL (optional, only if provided)
  3. Click Save

Azure AD SAML basic configuration

  1. In the User Attributes & Claims section, click Edit
  2. Configure the claims so Azure sends the user’s profile information to HIPE
  3. Use the following recommended mapping:
    | Claim name             | Value                  |
    |------------------------|------------------------|
    | Unique User Identifier | user.userprincipalname |
    | givenname              | user.givenname         |
    | surname                | user.surname           |
    | emailaddress           | user.mail              |
    | name                   | user.userprincipalname |
  4. If user.mail is empty in your tenant, ask your Customer Success Manager which attribute should be used for the email claim before changing it
  5. Save the configuration

If the required claims are missing or empty, Keycloak may display an Update Account Information screen after login and ask the user to manually enter their username, email, first name, or last name.
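To catch this before users see the Update Account Information screen, the check below lists which of the recommended claims are absent or empty in a SAML assertion captured from a test login. It is an added example, not code from HIPE, Keycloak or Microsoft. The function name `missing_claims` is hypothetical, the sample assertion is constructed, and the claim URIs assume Azure's default claim namespace.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # assumed default namespace
REQUIRED = ("givenname", "surname", "emailaddress", "name")

# Constructed, unsigned sample: models a user whose user.mail is empty (no emailaddress claim).
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def missing_claims(assertion_xml):
    """Return the recommended claims that are absent or empty in an assertion."""
    # Inspection aid only: it does not verify the signature, so never use it to trust a login.
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML Assertion element found (is the assertion encrypted?)")
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Unique User Identifier")
    values = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        texts = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        values[attr.get("Name")] = [t for t in texts if t]  # drop empty values
    for claim in REQUIRED:
        if not values.get(CLAIMS + claim):
            problems.append(claim)
    return problems


if __name__ == "__main__":
    print(missing_claims(SAMPLE))
```

The function accepts either a bare assertion or a full SAML response that wraps one.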

Azure AD SAML claims configuration

  1. Copy the App Federation Metadata URL
  2. Save this information for later

6. Share credentials with your Customer Success Manager

To avoid any issues, share the following information with your Customer Success Manager using a one-time secret sharing service such as:

The expected format is:

App Federation Metadata URL: <app-federation-metadata-url>