Configure Single Sign On with Azure Active Directory (Microsoft Entra ID)

Modified on Thu, 2 Apr at 12:16 PM


Step 1 – Create and configure a SAML application in Azure AD

  1. Sign in to the Microsoft Entra admin center
    • Open the Microsoft Entra admin center in your browser.

    • Sign in with an account that has at least the Cloud Application Administrator or Application Administrator role.

  2. Create or open the enterprise application for Atlas 
    • In the left-hand navigation, go to Entra ID → Enterprise applications.

    • Create a new enterprise application for Atlas, or open the existing Atlas application if it is already set up.

    • From the application overview page, select Single sign-on.

    • On the Select a single sign-on method page, choose SAML.

  3. Configure basic SAML settings with Atlas values 
    • On Set up single sign-on with SAML, edit the Basic SAML Configuration section.

    • In Identifier (Entity ID), enter the Atlas Audience / Entity ID from the Atlas SSO configuration wizard.

    • In Reply URL (Assertion Consumer Service URL), enter the Atlas Single Sign On URL from the wizard.

    • If needed, configure any additional URLs (for example, a Sign-on URL) based on your internal Atlas setup.

    • Save the Basic SAML configuration.

      Important: Do not use generic examples from other guides. Always use the exact values generated for your Atlas environment.

  4. Download federation metadata, certificate, and URLs 
    • Still on Set up single sign-on with SAML, locate the SAML Signing Certificate or App Federation Metadata URL section.
    • Download the certificate and copy the metadata / endpoint URLs that Atlas requires (for example, the Azure IdP sign‑in URL and logout URL).
    • Keep these details handy—you will paste them into Atlas in the next step.

Step 2 – Add users in Azure AD and Atlas

  1. Add and assign users in Azure AD
    • In the Microsoft Entra admin center, go to Entra ID → Users to create or confirm the accounts that will sign in to Atlas.

    • Return to Enterprise applications, open the Atlas enterprise application, and assign the relevant users or groups so they can use SSO.

  2. Add the same users in Atlas 
    • In Atlas, open the user management area.
    • Create or confirm user accounts that match the identifiers used in Azure AD (email address, or username for non‑email users).
    • Make sure these identifiers match exactly between Azure and Atlas so that SSO can map users correctly.

Step 3 – Configure Single Sign On in Atlas

  1. Configuration name and protocol
    • Enter a clear configuration name, for example:

      “Azure Active Directory (Microsoft Entra ID) Single Sign On”.

    • Select SAML 2.0 (or the equivalent option) as the protocol, matching what you configured in Azure.

  2. Atlas Single Sign On endpoints
    • In the wizard step labelled Atlas Single Sign On endpoints, review the values displayed (Single Sign On URL and Audience URI / Entity ID).
    • Confirm that these values match what you entered in Azure for Identifier (Entity ID) and Reply URL.
  3. Identity provider configuration (Azure metadata, certificate, URLs)
    • In the appropriate step of the Atlas wizard, paste the Azure identity provider details you collected earlier:
      • Federation / identity provider metadata

      • Certificate

      • Sign-in URL (and logout URL, if applicable)

    • Save the step after entering all required values.
  4. User attribute mapping   
    • Atlas uses several steps in the wizard for attribute mapping. Follow the prompts to map Azure claims to Atlas user fields:
      • Map the claim containing the email address to the Atlas email field.

      • Map the claim containing the first name to the Atlas first name field.

      • Map the claim containing the last name to the Atlas last name field.

    • Phone number is not required and can be left unmapped.

      After you complete all attribute mappings, ensure the configuration saves without errors.


Step 4 – Test the connection

Run the test from Atlas

  • On the Atlas Single Sign On configuration page for Azure AD (Microsoft Entra ID), select Test connection.

  • Atlas will redirect you to the Azure sign-in page.

Expected behaviour

  • You are redirected to the Azure sign-in page.

  • You can successfully sign in with a user who has been assigned to the Atlas application in Azure.

  • After successful authentication, you are redirected back to Atlas.

  • Atlas shows a confirmation that the connection test was successful.


Troubleshooting tips

If the connection test fails:

  • Confirm that Identifier (Entity ID) and Reply URL in Azure exactly match the values shown in the Atlas Single Sign On endpoints step.

  • Check that the user is assigned to the Atlas enterprise application in Azure and that the same user exists in Atlas with matching identifiers.

  • Verify that the SAML attribute names / claims for email, first name, and last name in Azure match the mappings you configured in Atlas.

  • Review any error messages in Atlas and in the Microsoft Entra sign‑in logs to identify where the problem is.

  • If you still cannot resolve the issue, submit a ticket with:

    • A description of the steps you followed, and

    • Any error messages or log details you received.
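
The first three checks above can be run against the SAML response captured from a failed test sign-in. The Python below is an added example, not Atlas or Microsoft code: the Atlas URLs, the sample user, and the use of Entra's default claim URIs for the three mappings are assumptions. It compares values only and does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # Entra default prefix
# Assumed values: replace with the ones shown in your Atlas wizard and mappings.
EXPECTED = {
    "entity_id": "https://atlas.example.invalid/saml/metadata",
    "acs_url": "https://atlas.example.invalid/saml/acs",
    "claims": {"email": CLAIMS + "emailaddress",
               "first name": CLAIMS + "givenname",
               "last name": CLAIMS + "surname"},
    "atlas_users": {"jane.doe@example.invalid"},
}

def check_response(xml_text, expected=EXPECTED):
    """Return a list of mismatches; an empty list means the values line up."""
    root, problems = ET.fromstring(xml_text), []
    # Audience must equal the Entity ID exactly (case and trailing slash count).
    audiences = [e.text for e in root.iterfind(".//a:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} != Entity ID {expected['entity_id']!r}")
    # Destination and Recipient must both equal the Reply URL (ACS).
    seen = {root.get("Destination")} | {
        e.get("Recipient") for e in root.iterfind(".//a:SubjectConfirmationData", NS)}
    if seen != {expected["acs_url"]}:
        problems.append(f"Destination/Recipient {sorted(map(str, seen))} != Reply URL")
    # Every mapped claim must be present with a non-empty value.
    attrs = {a.get("Name"): (a.findtext("a:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//a:Attribute", NS)}
    for field, claim in expected["claims"].items():
        if not attrs.get(claim):
            problems.append(f"claim for {field} missing or empty: {claim}")
    # The email value must match an Atlas user identifier exactly.
    email = attrs.get(expected["claims"]["email"], "")
    if email and email not in expected["atlas_users"]:
        problems.append(f"no Atlas user with identifier {email!r}")
    return problems

def sample(audience, email_claim):  # constructed, unsigned response for testing
    acs = EXPECTED["acs_url"]
    attr = lambda n, v: f'<a:Attribute Name="{n}"><a:AttributeValue>{v}</a:AttributeValue></a:Attribute>'
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{acs}">'
            f'<a:Assertion><a:Subject><a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{acs}"/>'
            f'</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>'
            f'<a:Audience>{audience}</a:Audience></a:AudienceRestriction></a:Conditions>'
            f'<a:AttributeStatement>{attr(email_claim, "jane.doe@example.invalid")}'
            f'{attr(CLAIMS + "givenname", "Jane")}{attr(CLAIMS + "surname", "Doe")}'
            f'</a:AttributeStatement></a:Assertion></p:Response>')
```

Pass the base64-decoded SAMLResponse from your own test sign-in to check_response; each returned string names the setting to recheck in Azure or Atlas.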
