Configuring SSO with Microsoft Entra ID (Azure AD)

This guide covers setting up SSO with Microsoft Entra ID using either SAML or OIDC protocols.

Prerequisites

Global Administrator or Application Administrator role in Azure AD
Completed Step 1 from the main SSO setup guide
Your Fluint callback URL: https://app.fluint.io/auth/sso-callback

Option 1: SAML Configuration (Recommended)

Step 1: Create Enterprise Application

Sign in to the Azure Portal
Navigate to Azure Active Directory > Enterprise applications
Click New application
Click Create your own application
Enter name: Fluint
Select Integrate any other application you don't find in the gallery
Click Create

Step 2: Configure Single Sign-On

In your new Fluint application, go to Single sign-on
Select SAML
Click Edit on Basic SAML Configuration

Step 3: Basic SAML Configuration

Identifier (Entity ID): https://app.fluint.io

Reply URL (Assertion Consumer Service URL): https://app.fluint.io/auth/sso-callback

Sign on URL: https://app.fluint.io/login (optional)

Relay State: Leave blank

Logout URL: https://app.fluint.io/logout (optional)

Click Save

Step 4: Configure User Attributes & Claims

Edit the User Attributes & Claims section:

Required claim:

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Source: Attribute
Source attribute: user.mail

Additional claims (optional):

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Source attribute: user.givenname
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Source attribute: user.surname

Step 5: Get Configuration Details

From the SAML Signing Certificate section:

Download the Federation Metadata XML
Or copy these individual values:
- Login URL
- Azure AD Identifier
- Certificate (Base64)

Step 6: Assign Users

Go to Users and groups
Click Add user/group
Select users or groups who should access Fluint
Click Assign

Option 2: OIDC Configuration

Step 1: Register Application

In Azure Portal, go to Azure Active Directory > App registrations
Click New registration
Configure:
- Name: Fluint
- Supported account types: Accounts in this organizational directory only
- Redirect URI: Web - https://app.fluint.io/auth/sso-callback

Step 2: Configure Authentication

Go to Authentication
Under Redirect URIs, ensure https://app.fluint.io/auth/sso-callback is listed
Under Implicit grant and hybrid flows, check ID tokens
Click Save

Step 3: Create Client Secret

Go to Certificates & secrets
Click New client secret
Add description: Fluint SSO
Choose expiration period
Click Add
Important: Copy the secret value immediately (it won't be shown again)

Step 4: Configure API Permissions

Go to API permissions
Ensure these Microsoft Graph permissions are granted:
- openid (delegated)
- profile (delegated)
- email (delegated)
- User.Read (delegated)

Step 5: Get Configuration Details

From the Overview page, note:

Application (client) ID
Directory (tenant) ID
Client secret (from Step 3)

Complete Setup in Fluint

For SAML:

IdP SSO URL: Login URL from Azure AD
IdP Entity ID: Azure AD Identifier
X.509 Certificate: Certificate from Azure AD (Base64 format)

For OIDC:

Client ID: Application (client) ID
Client Secret: The secret you created
Issuer URL: https://login.microsoftonline.com/{tenant-id}/v2.0
Authorization URL: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
Token URL: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
UserInfo URL: https://graph.microsoft.com/oidc/userinfo

Replace {tenant-id} with your Directory (tenant) ID

Testing Your Configuration

Follow the testing steps from the main guide
Verify users are redirected to Microsoft login page
Confirm successful authentication returns them to Fluint

Troubleshooting Azure AD

Common issues:

Conditional Access policies may block access - Check your CA policies
User not assigned - Ensure users are assigned to the Fluint application
Wrong tenant - Verify you're configuring in the correct Azure AD tenant

Next Steps

Test your SSO configuration →