<!-- source: https://modelux.ai/docs/guides/sso-entra -->

> Connect Microsoft Entra ID (formerly Azure AD) as your SAML identity provider for Modelux.

# SSO with Microsoft Entra ID

Step-by-step Entra ID (formerly Azure AD) setup. Assumes you have
**Cloud Application Administrator** (or Global Admin) in Entra and
**admin** or **owner** in Modelux.

If you haven't read the [SAML SSO overview](/docs/guides/sso), start
there.

## 1. Collect Modelux SP details

In a separate browser tab, open Modelux → **Settings → SSO** and keep
these handy:

- **SP Entity ID**
- **Assertion Consumer Service URL**

## 2. Create an Enterprise Application

1. Go to the [Entra admin center](https://entra.microsoft.com/) →
   **Applications → Enterprise applications → New application**.
2. Click **Create your own application**.
3. Name it `Modelux`, pick **Integrate any other application you don't
   find in the gallery (Non-gallery)**, and click **Create**.

## 3. Enable SAML SSO

1. On the app's overview, click **Single sign-on → SAML**.
2. In the **Basic SAML Configuration** panel, click **Edit** and fill in:
   - **Identifier (Entity ID):** Modelux's **SP Entity ID**
   - **Reply URL (Assertion Consumer Service URL):** Modelux's **ACS URL**
   - Leave Sign on URL / Relay State / Logout URL blank
   - Save.

## 4. Configure attribute claims

Entra ships reasonable default claims, but it names them with the
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/...` URIs rather
than short names. Modelux reads those URIs, so the defaults usually
"just work." If you also want friendlier names alongside them:

1. In the **Attributes & Claims** panel, click **Edit**.
2. Add these claims alongside the defaults:

| Claim name | Source | Source attribute |
| --- | --- | --- |
| `email` | Attribute | `user.mail` |
| `firstName` | Attribute | `user.givenname` |
| `lastName` | Attribute | `user.surname` |
| `displayName` | Attribute | `user.displayname` |

Make sure the **Unique User Identifier (Name ID)** claim maps to
`user.mail` (or `user.userprincipalname` if mail isn't populated for
every user). Pick one and keep it: the Name ID is the identifier Modelux
receives for the user, so changing the source attribute later changes
who each assertion appears to be for.

## 5. Copy Entra → Modelux

In the **SAML Certificates** panel:

- Download **Certificate (Base64)**. This is the PEM-encoded X.509
  signing certificate, a `.cer` text file that starts with
  `-----BEGIN CERTIFICATE-----`.

In the **Set up Modelux** panel:

| Entra field | Modelux field |
| --- | --- |
| *Microsoft Entra Identifier* (or Azure AD Identifier) | IdP Entity ID |
| *Login URL* | IdP SSO URL |
| *Certificate (Base64)* (contents of the downloaded file) | IdP certificate |

In Modelux's **Identity provider** form, paste these values, set
**Default role** to `member`, click **Test connection**, then **Save**.

## 6. Assign users

Back in the Entra Enterprise app → **Users and groups → Add user/group**.
Assign yourself and a test user.

> Entra defaults to requiring user assignment. If you disable *User
> assignment required* on the app's Properties panel, any licensed user
> in your tenant can sign in — only do this if that's intentional.

## 7. Verify domain + test

1. In Modelux **Settings → SSO**, add your email domain. Publish the
   DNS TXT record at `_modelux.<your-domain>` and click **Verify**.
2. In an incognito window, sign in at
   [app.modelux.ai/login](https://app.modelux.ai/login) via **Use SAML
   SSO**.

## 8. Turn on enforcement

Once verified, toggle **Require SAML for all members** in Modelux.

## SCIM provisioning

To automate user lifecycle from Entra, see the
[SCIM provisioning guide](/docs/guides/scim#microsoft-entra-id).

## Troubleshooting

- **"AADSTS50105: The signed in user is not assigned to a role for the
  application"**: add the user under **Enterprise application → Users and
  groups**. Only disable *User assignment required* if you really want
  every user in the tenant to be able to sign in (see step 6).
- **Cert errors in Modelux**: Entra offers the certificate as a `.cer`
  file in two encodings. Open the one you downloaded in a text editor:
  if it starts with `-----BEGIN CERTIFICATE-----`, paste it as-is. If
  it's binary (raw DER, from the **Certificate (Raw)** download), go
  back and download the **Certificate (Base64)** variant instead.
- **Attributes not appearing**: by default Entra emits claims under the
  `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/...` URIs.
  Modelux reads those, so it should work without customization. If you
  overrode the defaults, make sure at least one of the email claims in
  the [attribute mapping table](/docs/guides/sso#attribute-mapping) is
  present.
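As an added example (not Modelux's or Microsoft's code) for the certificate step and the cert-error item above, this stdlib-only helper takes whatever was exported or pasted, whether raw DER, PEM with Windows line endings or a UTF-8 BOM, or a bare Base64 body copied out of the federation metadata, and emits the canonical PEM that an SP form expects. It also computes the thumbprint of the DER bytes so you can compare it against the SHA-1 thumbprint Entra shows in the SAML Certificates panel and confirm you pasted the certificate the app is actually signing with. `SAMPLE_DER` is a constructed stand-in (a DER SEQUENCE tag plus filler), not a real certificate; the code checks only that the bytes are a DER SEQUENCE and does not parse X.509 fields.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import re
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a DER certificate: a SEQUENCE tag (0x30) with a
# two-byte length prefix and filler bytes. Not a real X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))


def _check_der(der: bytes) -> bytes:
    """An X.509 certificate is a DER SEQUENCE, so it must start with 0x30."""
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("not a DER certificate: expected a leading 0x30 SEQUENCE tag")
    return der


def to_der(raw: bytes) -> bytes:
    """Accept DER, PEM (any line endings, optional UTF-8 BOM) or a bare
    Base64 body (e.g. the text of <X509Certificate> in the federation
    metadata) and return the DER bytes."""
    data = raw[3:] if raw.startswith(b"\xef\xbb\xbf") else raw
    if data[:1] == b"\x30":
        return _check_der(data)  # "Certificate (Raw)" download
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as e:
        raise ValueError("neither DER nor ASCII text") from e
    m = _PEM_RE.search(text)
    if text.lstrip().startswith("-----BEGIN") and not m:
        raise ValueError("PEM header present but END CERTIFICATE footer missing")
    body = re.sub(r"\s+", "", m.group(1) if m else text)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as e:
        raise ValueError(f"Base64 body is invalid: {e}") from e
    return _check_der(der)


def normalize_certificate(raw: bytes) -> str:
    """Return canonical PEM: LF line endings, 64-column Base64, one trailing newline."""
    b64 = base64.b64encode(to_der(raw)).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER]) + "\n"


def is_valid_certificate(raw: bytes) -> bool:
    """True if the input can be normalized, False for anything malformed."""
    try:
        to_der(raw)
    except ValueError:
        return False
    return True


def thumbprint(raw: bytes, algorithm: str = "sha1") -> str:
    """Uppercase hex digest of the DER bytes. Entra's SAML Certificates panel
    shows the SHA-1 thumbprint; compare against that before saving."""
    return hashlib.new(algorithm, to_der(raw)).hexdigest().upper()


if __name__ == "__main__":
    pem = normalize_certificate(SAMPLE_DER)
    print(pem, end="")
    print("SHA-1 thumbprint:", thumbprint(pem.encode()))
```

Normalizing through DER and back means the same certificate yields byte-identical PEM regardless of how it was exported, which is what you want when diffing the pasted value against a fresh download after Entra rotates the signing certificate.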
