SSO with Microsoft Entra ID

Step-by-step Entra ID (formerly Azure AD) setup. Assumes you have Cloud Application Administrator (or Global Admin) in Entra and admin or owner in Modelux.

If you haven’t read the SAML SSO overview, start there.

1. Collect Modelux SP details

In a separate browser tab, open Modelux → Settings → SSO and keep these handy:

  • SP Entity ID
  • Assertion Consumer Service URL

2. Create an Enterprise Application

  1. Go to the Entra admin center → Applications → Enterprise applications → New application.
  2. Click Create your own application.
  3. Name it Modelux, pick Integrate any other application you don’t find in the gallery (Non-gallery), and click Create.

3. Enable SAML SSO

  1. On the app’s overview, click Single sign-on → SAML.
  2. In the Basic SAML Configuration panel, click Edit and fill in:
    • Identifier (Entity ID): Modelux’s SP Entity ID
    • Reply URL (Assertion Consumer Service URL): Modelux’s ACS URL
    • Leave Sign on URL / Relay State / Logout URL blank
    • Save.

4. Configure attribute claims

Entra ships reasonable defaults but they use the SAML 2.0 canonical URIs. Modelux reads those, so the defaults usually “just work.” If you want to add friendlier names:

  1. In the Attributes & Claims panel, click Edit.
  2. Add these claims alongside the defaults:

| Claim name | Source | Source attribute |
|---|---|---|
| email | Attribute | user.mail |
| firstName | Attribute | user.givenname |
| lastName | Attribute | user.surname |
| displayName | Attribute | user.displayname |

Make sure the Unique User Identifier (Name ID) claim maps to user.mail (or user.userprincipalname if mail isn’t populated for every user).

5. Copy Entra → Modelux

In the SAML Certificates panel:

  • Download Certificate (Base64) — this is the PEM x509.

In the Set up Modelux panel:

| Entra field | Modelux field |
|---|---|
| Microsoft Entra Identifier (or Azure AD Identifier) | IdP Entity ID |
| Login URL | IdP SSO URL |
| Certificate (Base64) (contents of the downloaded file) | IdP certificate |

In Modelux’s Identity provider form, paste these values, set Default role to member, click Test connection, then Save.

6. Assign users

Back in the Entra Enterprise app → Users and groups → Add user/group. Assign yourself and a test user.

Entra defaults to requiring user assignment. If you disable User assignment required on the app’s Properties panel, any licensed user in your tenant can sign in — only do this if that’s intentional.

7. Verify domain + test

  1. In Modelux Settings → SSO, add your email domain. Publish the DNS TXT record at _modelux.<your-domain> and click Verify.
  2. In an incognito window, sign in at app.modelux.ai/login via Use SAML SSO.

8. Turn on enforcement

Once verified, toggle Require SAML for all members in Modelux.

SCIM provisioning

To automate user lifecycle from Entra, see the SCIM provisioning guide.

Troubleshooting

  • “AADSTS50105” — the signed-in user is not assigned to a role: add the user under Enterprise application → Users and groups, or disable User assignment required.
  • Cert errors in Modelux: Entra exports the cert as a .cer file. Open it in a text editor — if it starts with -----BEGIN CERTIFICATE-----, paste it as-is. If it’s binary (raw DER), download the Certificate (Base64) variant instead.
  • Attributes not appearing: by default Entra emits claims under the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/... URIs. Modelux reads those, so it should work without customization. If you overrode the defaults, make sure at least one of the email claims in the attribute mapping table is present.
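
The certificate check from the troubleshooting list can be scripted. The following is an added example, not Modelux or Microsoft code: it classifies a downloaded .cer file as PEM or raw DER, rejects truncated or multi-certificate input, and returns paste-ready PEM plus a SHA-256 fingerprint. The function names and the sample bytes are constructed for illustration, and the check covers only the outer DER structure, not X.509 validity.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_claimed_length(der: bytes) -> int:
    """Total size (header + body) declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short form: length in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def inspect_idp_cert(raw: bytes) -> dict:
    """Classify a downloaded .cer file and return paste-ready PEM."""
    if raw[:1] == b"\x30":                 # binary download (raw DER)
        fmt, der = "der", raw              # never strip(): DER may end in 0x0A
    else:
        blocks = PEM_BLOCK.findall(raw)    # tolerates BOM, CRLF, stray text
        if len(blocks) != 1:
            raise ValueError("expected exactly one PEM certificate block")
        fmt = "pem"
        der = base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if der_claimed_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing bytes")
    return {
        "format": fmt,
        "pem": ssl.DER_cert_to_PEM_cert(der),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }

# Constructed sample: a DER-shaped blob, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(255)) + b"\n"
# The same bytes as a Windows-saved text file: BOM plus CRLF line endings.
SAMPLE_PEM = b"\xef\xbb\xbf" + ssl.DER_cert_to_PEM_cert(
    SAMPLE_DER).replace("\n", "\r\n").encode("ascii")

if __name__ == "__main__":
    for name, blob in (("der", SAMPLE_DER), ("pem", SAMPLE_PEM)):
        info = inspect_idp_cert(blob)
        print(name, info["format"], info["sha256"][:16])
```

Matching fingerprints for the DER and PEM forms confirm that the text you paste into Modelux is byte-identical to the certificate Entra issued.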