Single Sign-On with Microsoft Entra ID (SAML)

About Microsoft Entra ID SAML Integration

Microsoft Entra ID SAML integration in Iru Endpoint lets you set up SAML-based SSO integration with Microsoft Entra ID for users accessing Iru Endpoint through their Microsoft Entra ID credentials.

How It Works

When users attempt to access Iru Endpoint, they’re redirected to Microsoft Entra ID for authentication. After successful authentication, Microsoft Entra ID sends a SAML assertion back to Iru Endpoint, which validates the user’s identity and grants access. SSO can be used for Iru Endpoint Web App sign-in and for Require Authentication with Automated Device Enrollment.

Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)

Iru Web App Configuration
Microsoft Entra ID Configuration

Setting Up the SAML Connection

You’ll need to complete the initial setup in Iru Endpoint first to get the configuration information required for Microsoft Entra ID. After copying the Entity ID and ACS URL, switch to the Microsoft Entra ID Configuration tab and continue with Configuring Microsoft Entra ID Application.

Navigate to the Account Menu Button

In Iru Endpoint, in the sidebar, click the Account Menu Button.

Access Authentication Settings

Click the Access option in the menu.

Screenshot of the account menu with Access option highlighted

Select Admin and Authentication

Select the Admin and authentication tab (selected by default) and scroll down to Authentication methods.

Add Authentication Method

Click + Authentication method.

Enter Display Name

Enter a display name for the SSO Connection.

Select Authentication Method

Select SAML for the Authentication method.

Create Connection

Click Create.

Configuration Information

Click Configuration information if that section is not already expanded.

Copy Service Provider Entity ID

Copy the Service provider entity ID into a text document for later use. You’ll need this for the Entra ID configuration.

Copy ACS URL

Copy the Assertion consumer service (ACS) URL into a text document for later use. You’ll need this for the Entra ID configuration.

Configuration Information, Service provider entity ID, and Assertion consumer service (ACS) URL

Keep Tab Open

Keep the Iru Endpoint configuration modal open, then switch to the Microsoft Entra ID Configuration tab to continue with Configuring Microsoft Entra ID Application.

Configuring Iru Endpoint SAML Connection

After completing the Microsoft Entra ID configuration, return here to finish Configuring Iru Endpoint SAML Connection in Iru Endpoint. You’ll need the Single Sign-on URL, IdP Entity ID, and certificate from Microsoft Entra ID.

Return to Iru Endpoint

Go back to the Custom SAML modal in Iru Endpoint.

Configure IdP Attribute

Set IdP attribute to Subject.

Configure Attribute Name

Leave Attribute name blank.

Configure User Attribute

Set User attribute to User Principal Name (UPN).

Add IdP Entity ID

Paste the Microsoft Entra Identifier you copied earlier into the IdP Entity ID field.

Add Sign In URL

Paste in the Sign In URL you copied from Entra ID.

Upload Certificate

Upload the certificate you downloaded from Entra ID.

Set Protocol Binding

Set the Protocol Binding to HTTP-POST.

Set Request Algorithm

Ensure that the Request Algorithm is set to RSA-SHA256.

Set Digest Algorithm

Ensure that Sign Request Algorithm Digest is set to SHA256.

Enable Sign Request

Ensure that Sign Request is enabled.

Set Response Signature Verification

Set the Response Signature Verification to Assertion.

Set Destination

Leave the Destination field blank.

Set Allowed Signature Algorithm

Set Allowed Signature Algorithm to RSA-SHA256.

Set Allowed Digest Algorithm

Set Allowed Digest Algorithm to SHA256.

Save Configuration

Click Save.

Iru Endpoint Save for SAML configuration

Allow for Tenant Authentication

Once you have configured the SAML connection in Iru Endpoint and your identity provider, you can allow its use for tenant authentication. For step-by-step instructions, please refer to the Allowing Tenant Authentication and Managing Connections section in our Single Sign-on support article.

Limit Authentication to Domain

When configuring the SAML connection, you can optionally limit authentication to one or more domains. This can be useful when the SSO connection could authenticate to multiple domains. You can limit the authentication to your Iru tenant to a subset of the available domains.

Enforcing Single Sign-On

Once you have configured at least one Single Sign-on connection, you can disable Passkey, Google Social, and Microsoft Social connections. Disabling these connections will disable the ability for Iru Endpoint administrators in your tenant to authenticate via those methods. Please refer to our Single Sign-on support article for step-by-step instructions.

Considerations

Security: Ensure that your Microsoft Entra ID tenant has appropriate security policies configured for SSO authentication.User Management: Users must exist in both Microsoft Entra ID and Iru Endpoint to successfully authenticate via SSO.Testing: Always test the SSO integration with a small group of users before rolling out to your entire organization.

Testing the Integration

Add User to Admin Team

Add a user to the Admin Team in Iru Endpoint by clicking New User.

Fill User Information

Fill in all of the corresponding user information. This user must exist in Microsoft Entra ID and must be assigned to the Iru Endpoint SSO app in your Microsoft Entra ID tenant.

Submit User

Click Submit.

Close Invite Window

Once the invite is submitted, close the Invite User window.

Refresh Access Page

Refresh the Access page in Iru Endpoint. You should see the user you just added.

Test SSO Login

Check the user’s email to accept the invitation and log into Iru Endpoint with the new SAML SSO connection.

Before starting the Microsoft Entra ID configuration, complete Setting Up the SAML Connection in the Iru Web App Configuration tab to get the Service Provider Entity ID and ACS URL. You’ll need these values to configure the Microsoft Entra ID application.

Configuring Microsoft Entra ID Application

Access Microsoft Entra Admin Center

Expand Entra ID Section

In the left navigation bar, ensure that the Entra ID section is expanded.

Navigate to Applications

In the left navigation bar, click Enterprise apps.

Create New Application

Select + New application.

Entra ID Enterprise apps New application

Create Custom Application

Select Create your own application.

Name the Application

Give the application a name.

Select Non-Gallery Option

Select Integrate any other application you don’t find in the gallery (Non-gallery).

Create Application

Click Create.

Access Single Sign-On

Under Manage, select Single sign-on.

Select SAML

Select the SAML tile.

Edit Basic Configuration

Click the Edit pencil in the Basic SAML configuration box

Configure Entity ID

Click the Add Identifier link in the Identifier (Entity ID) section. Paste the Entity ID that you copied earlier into the Identifier (Entity ID) field.

Configure Reply URL

In the Reply URL (Assertion Consumer Service URL) section, paste the Assertion Consumer Services URL that you copied earlier.

Save Configuration

Click Save.

Close Configuration

Click the X at the top right of the pane to close it.

Entra ID Identifier and Reply URL Save and close

Keep Default Claims

Leave the settings in the Attributes & Claims section set to their default.

Download Certificate

Click Download to download the Base 64 certificate in the SAML Certificates section. This certificate will be used in the Custom SAML configuration in Iru Endpoint.

Copy URL

In the Set up [App Name] section, copy the Login URL and paste it into a secure text document for later use.

Copy Microsoft Entra Identifier

Copy the Microsoft Entra Identifier and save it in a text document. You will paste this into the IdP Entity ID field in Iru Endpoint. You can find this in the Overview section of your application.

Entra ID Set up section Login URL and Microsoft Entra Identifier

Navigate to App Registrations

Go to App registrations.

Select Your App

Select your newly created app.

Navigate to Token Configuration

Navigate to the Token configuration section under Manage.

Add Optional Claims

Click + Add optional claims.

Check ID Button

Check the ID radio button.

Check Acct Box

Check the acct box.

Check Email Box

Check the email box.

Check UPN Box

Check the upn box.

Click Add

Click Add.

Entra ID Optional claims ID acct email upn Add

Accept API Permissions

Check the Turn on the Microsoft Graph email, profile permission (required for claims to appear in token) box.

Click Add

Click Add.

The Microsoft Entra Identifier is used in the Iru configuration as the IdP Entity ID.

Assigning Users and Groups

Navigate to App

In Enterprise apps navigate to your newly created app.

Access Users and Groups

Under Manage, select Users and Groups.

Add User/Group

On the menu, select Add user/group.

Entra ID Users and Groups Add user or group

Select Users and Groups

On the Add Assignment dialog, select the link under Users and groups.

Entra ID Add Assignment Users and groups link

Search and Select Users

A list of users and security groups is displayed. You can search for a certain user or group, as well as select multiple users and groups that appear in the list.

Confirm Selection

After you have selected your users and groups, select Select.

Entra ID Select users and groups then Select

Assign Users and Groups

Select Assign to finish assigning users and groups to the app.

Entra ID Assign to finish assigning users and groups

Verify Assignment

Confirm that the users and groups you added appear in the Users and groups list.

Entra ID Users and groups list showing assigned users

Do Not Require Assignment

Alternatively, if you don’t want to assign users and groups, you can set the app to not require assignment.

Navigate to Enterprise App

Navigate to your newly created app in Enterprise apps.

Click Properties

Click Properties under Manage.

Set Assignment Required

Set Assignment required? to No.

Click Save

Click Save.

Entra ID Properties Assignment required No Save

If you see a message about free tier limitations, it means that a free tier is being used. The Single Sign-On Enterprise App lets you add users (not groups) only.

After completing the Microsoft Entra ID configuration, return to the Iru Web App Configuration tab to finish setting up the SAML connection using the SSO URL, Entity ID, and certificate you copied from Microsoft Entra ID.

​About Microsoft Entra ID SAML Integration

​How It Works

​Setting Up the SAML Connection

​Configuring Iru Endpoint SAML Connection

​Allow for Tenant Authentication

​Limit Authentication to Domain

​Enforcing Single Sign-On

​Considerations

​Testing the Integration

​Configuring Microsoft Entra ID Application

​Assigning Users and Groups

About Microsoft Entra ID SAML Integration

How It Works

Setting Up the SAML Connection

Configuring Iru Endpoint SAML Connection

Allow for Tenant Authentication

Limit Authentication to Domain

Enforcing Single Sign-On

Considerations

Testing the Integration

Configuring Microsoft Entra ID Application

Assigning Users and Groups