💡 Heads-up: SSO is enforced per organization. After we enable SSO for your organization, sign-in becomes SSO-only. The only exception is the organization owner, who retains previous login methods to avoid being locked out.
Existing users are deleted or unlinked from your workspaces.
From then on, you can invite only users managed through your company's SSO provider (in this case, Microsoft Entra ID).
What you’ll do in Microsoft Entra (Steps 1–5)
Step 1 — Create an Enterprise application
In the Microsoft Entra admin center, open Enterprise applications.
Click New application → Create your own application → name it (we recommend Certifier) → Integrate any other application you don’t find in the gallery → Create.
Step 2 — Choose SAML
Open your new app → Single sign-on → select SAML.
Step 3 — SAML settings
Click Edit and set:
Identifier (Entity ID):
urn:amazon:cognito:sp:eu-west-1_OetDJugrc
Reply URL (ACS URL):
https://auth.certifier.io/saml2/idpresponse
Relay State: (leave empty)
Sign-on URL: (leave empty)
Save.
Step 4 — User Attributes & Claims
Click Edit under User Attributes & Claims and configure:
Unique User Identifier (Name ID):
Name ID format: Persistent
Source attribute:
user.objectid
Add these claims:
Claim name | Value |
|
|
|
|
|
|
⚠️ First/last name can be empty. Some directories only use Display name. Team members' names will not be propagated to the app if their First/last name attribute is empty during their first login to Certifier.
We map email from Azure AD user.mail. This must be a routable address. If user.mail is empty in your tenant, create/assign an Exchange Online mailbox so Azure populates mail. Guests often lack mail; we recommend provisioning them as members with mailboxes.
Step 5 — Get the Federation Metadata
In Single sign-on → SAML Certificates, copy App Federation Metadata Url (or download the XML).
Send us your metadata
Step 6 — Share your Federation Metadata
Send the App Federation Metadata URL (or the XML itself) to Certifier Support. We’ll take it from here.
What we (Certifier) do next
Step 7 — Certifier completes the setup
Once we receive your SAML metadata, our team finishes the configuration on our side. No further action needed from you. We’ll notify you as soon as it’s ready and share next steps.
Inviting & signing in
Step 8 — Invites in Certifier
Before inviting anyone into Certifier, assign them to the newly created app in Entra. One way to do it is through Users and groups → Add user/group → assign all users or groups who should access Certifier.
⚠️ Don’t forget: Users should be assigned in Entra before you invite them as team members in Certifier.
Only SSO users can be invited to SSO-enforced orgs.
Step 9 — User sign-in flow
Users will be able to sign in via Sign In with SSO on the Certifier app login screen:
Click Continue with SSO to open your company’s login page. After you sign in, you’ll return to Certifier already signed in.
And we're done!
Quick reference (copy/paste)
Microsoft Entra → Basic SAML Configuration
Identifier (Entity ID): urn:amazon:cognito:sp:eu-west-1_OetDJugrc
Reply URL (ACS): https://auth.certifier.io/saml2/idpresponse
Relay State: (empty)
Sign-on URL: (optional)
Microsoft Entra → User Attributes & Claims
NameID format: Email address
NameID source: user.userprincipalname
email = user.userprincipalname or user.email
firstName = user.givenname
lastName = user.surname
What to send to Certifier Support
App Federation Metadata URL (or metadata XML)
Troubleshooting tips
User can’t see Certifier? Make sure they’re assigned to the Certifier application in Entra.
Email/NameID mismatch? Verify that the Name ID format and source are set correctly for your organization.
Missing names? Confirm the givenname and surname claims are present and that they are filled for the given user in Entra.
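To work through the troubleshooting tips above, you can decode a SAMLResponse captured from your own browser session and compare it with the values in this guide. This is an added example, not code from Certifier or Microsoft; it assumes the claims are named email, firstName and lastName as in the quick reference, does not verify the assertion signature, and runs on a constructed sample response.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "urn:amazon:cognito:sp:eu-west-1_OetDJugrc"   # Step 3, Identifier
ACS_URL = "https://auth.certifier.io/saml2/idpresponse"   # Step 3, Reply URL
# Step 4 sets Persistent; pass another URI if your setup follows the quick reference.
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def check_response(b64_response, nameid_format=PERSISTENT,
                   required=("email",), optional=("firstName", "lastName")):
    """List mismatches in a base64 SAMLResponse. Layout check only, no signature check."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    aud = (root.findtext(".//a:Audience", "", NS) or "").strip()
    if aud != ENTITY_ID:
        problems.append(f"Audience is {aud!r}, expected the Entity ID")
    conf = root.find(".//a:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != ACS_URL:
        problems.append("Recipient does not match the Reply URL (ACS URL)")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    elif name_id.get("Format") != nameid_format:
        fmt = name_id.get("Format")
        problems.append(f"NameID format is {fmt!r}, expected {nameid_format!r}")
    # Claim names below are assumptions taken from the quick reference.
    attrs = {a.get("Name"): (a.findtext("a:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//a:Attribute", NS)}
    for name in required:
        if not attrs.get(name):
            problems.append(f"claim {name!r} is missing or empty")
    for name in optional:
        if not attrs.get(name):
            problems.append(f"claim {name!r} is empty, name will not propagate at first login")
    return problems

# Constructed sample: email-format NameID, empty email claim, no firstName claim.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"><a:Assertion>
<a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</a:NameID>
<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="https://auth.certifier.io/saml2/idpresponse"/></a:SubjectConfirmation></a:Subject>
<a:Conditions><a:AudienceRestriction><a:Audience>urn:amazon:cognito:sp:eu-west-1_OetDJugrc</a:Audience></a:AudienceRestriction></a:Conditions>
<a:AttributeStatement><a:Attribute Name="email"><a:AttributeValue/></a:Attribute>
<a:Attribute Name="lastName"><a:AttributeValue>Doe</a:AttributeValue></a:Attribute></a:AttributeStatement>
</a:Assertion></p:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE.encode())

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE_B64)) or "no problems found")
```

An empty result means the response matches the values in this guide; any line it prints points at the Entra setting to recheck.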