
SSO with Microsoft Entra ID (Azure AD)

This guide explains how to set up Single Sign-On (SSO) with Microsoft Entra ID (Azure AD) in Certifier.

Written by Caroline Tyrko
Updated this week

💡 Heads-up: SSO is enforced per organization. After we enable SSO for your organization, sign-in becomes SSO-only. The only exception is the organization owner, who retains previous login methods to avoid being locked out.

Existing users are deleted or unlinked from your workspaces.

From then on, you can invite only users managed through your company's SSO provider (in this case, Microsoft Entra ID).


What you’ll do in Microsoft Entra (Steps 1–5)

Step 1 — Create an Enterprise application

  1. In the Microsoft Entra admin center → Enterprise applications.

  2. Click New application → Create your own application → name it (we recommend Certifier) → Integrate any other application you don’t find in the gallery → Create.

Step 2 — Choose SAML

Open your new app → Single sign-on → select SAML.

Step 3 — SAML settings

Click Edit and set:

  • Identifier (Entity ID): urn:amazon:cognito:sp:eu-west-1_OetDJugrc

  • Reply URL (ACS URL): https://auth.certifier.io/saml2/idpresponse

  • Relay State: (leave empty)

  • Sign-on URL: (leave empty)

Save.

Step 4 — User Attributes & Claims

Click Edit under User Attributes & Claims and configure:

  • Unique User Identifier (Name ID):

    • Name ID format: Persistent

    • Source attribute: user.objectid

Add these claims:

| Claim name | Value |
| --- | --- |
| email | user.mail |
| firstName | user.givenname |
| lastName | user.surname |

⚠️ First/last name can be empty. Some directories only use Display name. Team members' names will not be propagated to the app if their first/last name attribute is empty during their first login to Certifier.

We map email from Azure AD user.mail. This must be a routable address. If user.mail is empty in your tenant, create/assign an Exchange Online mailbox so Azure populates mail. Guests often lack mail; we recommend provisioning them as members with mailboxes.

Step 5 — Get the Federation Metadata

In Single sign-on → SAML Certificates, copy App Federation Metadata Url (or download the XML).


Send us your metadata

Step 6 — Share your Federation Metadata

Send the App Federation Metadata URL (or the XML itself) to Certifier Support. We’ll take it from here.


What we (Certifier) do next

Step 7 — Certifier completes the setup

Once we receive your SAML metadata, our team finishes the configuration on our side. No further action needed from you. We’ll notify you as soon as it’s ready and share next steps.


Inviting & signing in

Step 8 — Invites in Certifier

Before inviting anyone into Certifier, assign them to the newly created app in Entra. One way to do it is through Users and groups → Add user/group → assign all users or groups who should access Certifier.

⚠️ Don’t forget: Users should be assigned in Entra before you invite them as team members in Certifier.

Only SSO users can be invited to SSO-enforced orgs.

Step 9 — User sign-in flow

Users will be able to sign in via Sign In with SSO on the Certifier app login screen:

Click Continue with SSO to open your company’s login page. After you sign in, you’ll return to Certifier already signed in.

And we're done!


Quick reference (copy/paste)

Microsoft Entra → Basic SAML Configuration

  • Identifier (Entity ID): urn:amazon:cognito:sp:eu-west-1_OetDJugrc

  • Reply URL (ACS): https://auth.certifier.io/saml2/idpresponse

  • Relay State: (empty)

  • Sign-on URL: (optional)

Microsoft Entra → User Attributes & Claims

  • NameID format: Email address

  • NameID source: user.userprincipalname

  • email = user.userprincipalname or user.email

  • firstName = user.givenname

  • lastName = user.surname

What to send to Certifier Support

  • App Federation Metadata URL (or metadata XML)


Troubleshooting tips

  • User can’t see Certifier? Make sure they’re assigned to the Certifier application in Entra.

  • Email/NameID mismatch? Verify that the Name ID format and source are set correctly for your organization.

  • Missing names? Confirm that the givenname and surname claims are present and populated for the given user in Entra.
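To work through the tips above against a real sign-in, the following added example (not Certifier's or Microsoft's code) checks a captured SAMLResponse, the base64 form field your browser posts to the Reply URL, against the values from Steps 3 and 4. The function name and sample are hypothetical, and it assumes the claims are emitted under the bare names email, firstName and lastName with no namespace.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "urn:amazon:cognito:sp:eu-west-1_OetDJugrc"   # Identifier from Step 3
ACS_URL = "https://auth.certifier.io/saml2/idpresponse"    # Reply URL from Step 3
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"  # Step 4


def check_saml_response(b64_response):
    """Check a captured base64 SAMLResponse against Steps 3-4 (no signature check)."""
    xml = base64.b64decode(b64_response).decode("utf-8")
    if "<!DOCTYPE" in xml or "<!ENTITY" in xml:   # SAML messages carry no DTD
        return ["refusing to parse: DTD or entity declaration present"]
    root = ET.fromstring(xml)
    findings = []
    if root.get("Destination") != ACS_URL:
        findings.append("Destination does not match the Reply URL (ACS URL)")
    audience = root.findtext(".//a:AudienceRestriction/a:Audience", namespaces=NS)
    if audience != ENTITY_ID:
        findings.append("Audience does not match the Identifier (Entity ID)")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID is missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        findings.append("NameID format is not Persistent")
    # Assumption: claims use the bare names from Step 4 (no namespace prefix).
    attrs = {a.get("Name"): (a.findtext("a:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//a:AttributeStatement/a:Attribute", NS)}
    if not attrs.get("email"):
        findings.append("email claim is missing or empty (check user.mail)")
    for name in ("firstName", "lastName"):
        if not attrs.get(name):
            findings.append(f"{name} claim is empty; the name will not propagate")
    return findings


# Constructed sample: NameID sent as an e-mail address, no name claims emitted.
SAMPLE = base64.b64encode(f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS_URL}"><s:Assertion>
<s:Subject><s:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>jane@example.com</s:NameID></s:Subject>
<s:Conditions><s:AudienceRestriction><s:Audience>{ENTITY_ID}</s:Audience>
</s:AudienceRestriction></s:Conditions><s:AttributeStatement><s:Attribute Name="email">
<s:AttributeValue>jane@example.com</s:AttributeValue></s:Attribute>
</s:AttributeStatement></s:Assertion></p:Response>""".encode()).decode()

if __name__ == "__main__":
    print("\n".join(check_saml_response(SAMPLE)))
```

An empty result means the response matches Steps 3 and 4; a captured response contains user identifiers, so keep it out of tickets and chat.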
