--- title: "How do I configure a SAML SSO with Microsoft Entra ID?" date: "2025-01-09T14:03:03+00:00" summary: "Streamline user authentication by configuring SAML SSO with Azure Active Directory for Acquia DAM. Follow our step-by-step guide to set up, manage, and integrate this powerful single sign-on solution seamlessly." image: type: "page" url: "/acquia-dam/how-do-i-configure-saml-sso-microsoft-entra-id" id: "e0e17058-1f99-4f49-b4c2-918bf5a5d652" --- Table of contents will be added Our [SAML SSO integration](/acquia-dam/there-sso-integration "Is there an SSO integration?") uses a self-setup model that allows you to set up, manage, and edit your SAML integration in the Acquia DAM. First, the SAML Integration feature must be enabled in Acquia DAM in order to configure SAML settings and set up SAML SSO with **Microsoft Entra ID (formerly Azure Active Directory)**. See our general SAML setup instructions for [how to enable the feature](/acquia-dam/how-do-i-set-saml-sso "How do I set up SAML SSO?").  Use the instructions below to integrate **Microsoft Entra ID** after the SAML feature is enabled.  Add Acquia DAM as a new enterprise application in Microsoft Entra ID -------------------------------------------------------------------- 1. Log in to your **Microsoft Entra ID** account. 2. Click **Enterprise applications** under the Manage panel. 3. Click **New application**. 4. Click **Create your own application**. 5. Enter a name for the application, such as Acquia DAM. 6. Set the “What are you looking to do with your application?” field to “Integrate any other application you don't find in the gallery (Non-gallery).” 7. Click **Create**. 8. On the new application page, go to **Single sign-on** under the Manage panel. 9. Select **SAML** as the single sign-on method to provision. 10. You should now see five sections to complete for the SAML SSO process. Find SAML settings in Acquia DAM -------------------------------- 1. Log in to your Acquia DAM. 2. Go to the **Admin app**, expand **Single Sign-On Settings**, and click on **SAML settings**. 3. You will need the information on the Service Provider (SP) tab for the next steps. Configure SAML settings ----------------------- **Service Provider info** The Issuer/Entity ID is a unique string that identifies the provider issuing a SAML request. It will display during AuthnRequests and within SP metadata. You can customize the end of the value. You can also edit the Name ID Format value. For the registration code field, select a SAML-specific registration code and save. If you have not set one up yet, learn [how to create registration codes](/acquia-dam/what-are-registration-codes "What are registration codes?"), then contact your account rep or DAM Customer Support to lock your code as SSO-only.    ![SAML Administration interface showing configuration options for Service Provider, including issuer, metadata, URLs, and registration code.](https://acquia.widen.net/content/c2a73ed5-6f28-4d04-990c-d5c8b194b616/web/ka0Pb0000006pB700N6g00000WDN1a0EM6g000005Lvh6.png) The remaining fields cannot be edited. You can export all of the information from the SP tab into a single file that you can upload into Microsoft Entra ID. To do this, select **Download** under SP Metadata from the SP tab, then navigate back to Microsoft Entra ID. Click **Upload metadata file** and select the file from your computer. You can also manually enter the SP information into Microsoft Entra ID instead. In Microsoft Entra ID, edit section one, Basic SAML Configuration, using the corresponding information in the SP tab of the Acquia DAM. ![Setup page for Single Sign-On with SAML, showing required and optional fields for configuration, including Identifier and Reply URL.](https://acquia.widen.net/content/f8e6f524-23ba-43b7-ba0e-ac931d59a7fb/web/ka0Pb0000006pB700N6g00000WDN1a0EM6g000005Lvh3.png) * Identifier (Entity ID): The ID can be found on the SP tab under Issuer/Entity ID. * Reply URL (Assertion Consumer Service URL): The URL can be found on the SP tab under Assertion Consumer Service URLs. If you have multiple URLs listed because you have a vanity URL, you may add both into Microsoft Entra ID but mark the vanity URL as the default. * Sign-on URL: The URL can be found on the SP tab under SP-Initiated URL. * Optionally, you may add the logout URL: The URL can be found on the SP tab under Logout Redirect URL. **Attributes** In section two, Attributes & Claims, under Required Claim, configure the Unique User Identifier (Name ID) to match the format of the Name ID Format found on the Acquia DAM SP tab. By default, email, first name, and last name attributes are required by the Acquia DAM. Add each of those attributes into Microsoft Entra ID, then select its respective value in the corresponding dropdown. The attribute names you create must match the names in the Attributes tab in the Acquia DAM SAML settings.   ![Attributes and claims table showing given name, surname, email address, and unique user identifier with corresponding user properties.](https://acquia.widen.net/content/95747c1b-164a-4742-a1e8-e34f0dce8145/web/ka0Pb0000006pB700N6g00000WDN1a0EM6g000005Lvh5.png) **Certificates** In section three, SAML Certificates, download the Certificate (Base64) file. Go to the Identity Provider (IdP) tab in the Acquia DAM SAML settings. In the Certificate Files section, upload the Certificate (Base64) file.  **Identity Provider info** In section four, Set up Acquia DAM test, copy the Login URL. Navigate to the Identity Provider (IdP) tab in the Acquia DAM SAML settings. Paste the URL in the Authorization Endpoint field. In the Support Email field, enter an email address users can contact if they have issues authenticating into the system. Click **Save**. In section five, Test single sign-on, test that SAML SSO is working by logging in through IdP-initiated authentication. To do this, click **Test** and sign in using a Microsoft Entra ID user account that has access to the Acquia DAM enterprise application. You can also test SP-initiated authentication by visiting the SP-initiated URL, found in the Acquia DAM SAML settings SP tab. We recommend testing it in an incognito window.  Finally, to add a button for SP-initiated login to your DAM login page, follow the instructions from our [SSO setup article](/acquia-dam/what-sso-setup-process "What is the SSO setup process?").