This guide will walk you through the process of configuring SAML-based single sign-on (SSO) for the Signals application within your Microsoft Entra ID tenant. This process involves creating a non-gallery enterprise application, configuring the necessary SAML parameters, and assigning users.

1. Create the Enterprise Application

Since Signals is not yet in the main Entra App Gallery, you will first need to create a new non-gallery application.
  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications.
  3. Select + New application.
  4. On the “Browse Microsoft Entra Gallery” page, select the + Create your own application button at the top.
  5. A pane will appear on the right. In the “What’s the name of your app?” field, enter Signals.
  6. Select the option Integrate any other application you don’t find in the gallery (Non-gallery).
  7. Click Create. Please wait a moment while the application is created and added to your tenant.

2. Get Signals Service Provider Metadata

  1. Go to the Signals Identity Management page and keep this open in a separate tab.

3. Configure SAML Single Sign-On

Once the Signals application has been created, you will be taken to its overview page.
  1. In the Manage section of the left menu, select Single sign-on.
  2. On the “Select a single sign-on method” page, choose the SAML tile. This will open the SSO configuration page.
  3. Scroll down to the SAML Certificates section and click Download next to the Federation Metadata XML button.
  4. Go to the Signals Identity Management page, check “Upload XML Directly”, then paste the contents of the Federation Metadata XML file into the text area labelled Metadata XML.

A. Basic SAML Configuration

These settings define where Signals sends and receives SAML messages.
  1. In the Basic SAML Configuration section, select the Edit (pencil) icon.
  2. Configure the following fields using values from the Signals Identity Management page:
    • Identifier (Entity ID): Click Add identifier and enter the Entity ID / Issuer value from the Signals Identity Management page.
    • Reply URL (Assertion Consumer Service URL): Click Add reply URL and enter the Assertion Consumer Service (ACS) URL.
    • Sign on URL: Enter the Signals SAML Login URL value.
  3. Select Save at the top of the pane.

B. SAML Certificates

Signals automatically downloads and validates your Entra ID signing certificate from the federation metadata endpoint. No manual certificate upload is required on the Signals side.
  1. In the SAML Certificates section, ensure there is an active certificate.
  2. Note the certificate details for troubleshooting purposes if needed.

C. Configure User Attributes & Claims (Required)

⚠️ Important: The attribute names must match exactly what Signals expects or authentication will fail.
  1. In the Attributes & Claims section, select the Edit (pencil) icon.
  2. The Unique User Identifier (Name ID) should be set to user.userprincipalname by default, which is sufficient.
  3. Ensure the following Additional claims exist with these exact names. If not, select + Add new claim to create them:
    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Source: Attribute | Source attribute: user.mail
    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Source: Attribute | Source attribute: user.givenname
    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Source: Attribute | Source attribute: user.surname
  4. Select Save.
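
To confirm the claim names Entra actually sends, you can decode a SAMLResponse captured from a test sign-in and compare its attribute names with the three required URIs. The following is an added example, not part of Signals or Entra ID; the function name and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS_BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = [CLAIMS_BASE + n for n in ("emailaddress", "givenname", "surname")]


def check_claims(saml_response_b64):
    """Map each required claim name to 'ok', 'missing' or a near-match hint.

    Diagnostic only: the signature is NOT verified, so never use this output
    to make an authentication decision.
    """
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("SAML messages must not carry DTD or entity declarations")
    root = ET.fromstring(xml_bytes)
    sent = [a.get("Name", "") for a in
            root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS)]
    report = {}
    for claim in REQUIRED_CLAIMS:
        if claim in sent:
            report[claim] = "ok"
            continue
        # Near miss: right short name, but wrong case or wrong/missing namespace.
        short = claim.rsplit("/", 1)[1]
        near = [n for n in sent if n.rsplit("/", 1)[-1].lower() == short]
        report[claim] = f"missing (near match sent: {near[0]})" if near else "missing"
    return report


# Constructed sample response: givenname has the wrong case, surname is absent.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS_BASE}emailaddress">
      <saml:AttributeValue>alex@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS_BASE}GivenName">
      <saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for name, status in check_claims(SAMPLE_RESPONSE_B64).items():
        print(f"{status:45} {name}")
```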

4. Configure Signals Environment

Signals automatically fetches your Entra ID configuration, but you need to ensure the following environment variables are set correctly:
  • SAML_TENANT_ID: Your Microsoft Entra tenant ID (found in the “Set up Signals” section as the Microsoft Entra Identifier)
  • SAML_CALLBACK_URL: Must match the Reply URL configured in step 3A
  • SAML_ISSUER_ID: Must match the Identifier configured in step 3A

5. Assign Users and Groups

By default, no one in your organization can use the new application. You must assign specific users or user groups who should have access to Signals.
  1. Navigate to your Signals enterprise application in Entra ID.
  2. In the Manage section of the left menu, select Users and groups.
  3. Select + Add user/group.
  4. Under Users, click “None Selected” and choose the appropriate users or groups from the list.
  5. Click Select and then Assign.
⚠️ Important: Users must have pending invites in the Signals system to successfully log in via SAML. See the User Invitation Guide for details on inviting users to Signals.

6. Test Single Sign-On

After configuration is complete and you have assigned users:
  1. On the Identity Management page, copy the Signals SAML Login URL and paste it into a new tab.
  2. Follow the prompts.
  3. If an invite is pending for the email address you signed in with, and that email is assigned to the active directory, you should be redirected to the Signals new user onboarding.

7. Available SAML Endpoints

For reference, you can always check the Signals SAML endpoints on the Identity Management page.

8. Troubleshooting

If you encounter issues, check these common configuration problems:
  • User Cannot Log In (Error AADSTS50105): This error means the user trying to sign in has not been assigned to the application. Follow the steps in the Assign Users and Groups section to grant them access.
  • “No pending invite found” Error: Users must have a pending invite in the Signals system. See the User Invitation Guide for details on inviting users to Signals.
  • Claim Mapping Errors: Verify that the user attribute claims in step 3C use the exact URIs specified. Incorrect claim names will cause authentication failures.
  • Entity ID Mismatch: Ensure the Identifier (Entity ID) in Entra ID exactly matches the entityID from your Signals metadata endpoint.
  • Redirect URI Mismatch: Ensure the Reply URL in Entra ID exactly matches the AssertionConsumerService location from your Signals metadata.
  • Certificate Validation Errors: Signals automatically downloads your Entra ID certificate. If issues persist, check that your Entra ID certificate is active and valid.
  • Logout Issues: Verify the Logout URL matches the SingleLogoutService location from your Signals metadata.
  • Session Management: Signals uses Redis for session storage. Logout requests will invalidate both the SAML session and the application session cookie.
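
The Entity ID, Reply URL and Logout URL checks above, and the environment variables from step 4, all come down to an exact string comparison against the Signals service provider metadata. The following is an added example of that comparison, not Signals' own code; the function names, the example.com URLs and the sample metadata are constructed, and it assumes the metadata is a standard SAML 2.0 EntityDescriptor.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"


def sp_values(metadata_xml):
    """Extract entityID plus ACS and SLO locations from SP metadata."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata must not carry DTD or entity declarations")
    root = ET.fromstring(metadata_xml)
    entity = next(root.iter(MD + "EntityDescriptor"), None)
    sp = entity.find(MD + "SPSSODescriptor") if entity is not None else None
    if sp is None:
        raise ValueError("no SPSSODescriptor found in metadata")
    locations = lambda tag: [e.get("Location", "") for e in sp.findall(MD + tag)]
    return {"entityID": [entity.get("entityID", "")],
            "AssertionConsumerService": locations("AssertionConsumerService"),
            "SingleLogoutService": locations("SingleLogoutService")}


def find_mismatches(metadata_xml, configured):
    """configured maps a setting name to (metadata field, configured value)."""
    md = sp_values(metadata_xml)
    problems = []
    for name, (field, value) in configured.items():
        if value in md[field]:
            continue  # exact, case-sensitive match is the only pass
        loose = lambda s: s.strip().rstrip("/").lower()
        hint = (" (differs only by case, whitespace or trailing slash)"
                if loose(value) in [loose(v) for v in md[field]] else "")
        problems.append(f"{name}: {value!r} is not the metadata {field}{hint}")
    return problems

# Constructed SP metadata and settings; the example.com URLs are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://signals.example.com/saml/metadata"><SPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleLogoutService Location="https://signals.example.com/saml/logout"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <AssertionConsumerService Location="https://signals.example.com/saml/callback"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0"/>
</SPSSODescriptor></EntityDescriptor>"""
SAMPLE_CONFIGURED = {
    "SAML_ISSUER_ID": ("entityID", "https://signals.example.com/saml/metadata"),
    "SAML_CALLBACK_URL": ("AssertionConsumerService",
                          "https://signals.example.com/saml/callback/"),
    "Entra Logout URL": ("SingleLogoutService", "https://signals.example.com/logout"),
}
if __name__ == "__main__":
    print("\n".join(find_mismatches(SAMPLE_METADATA, SAMPLE_CONFIGURED)))
```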

9. Security Notes

  • Signals validates SAML assertions using your Entra ID’s signing certificate.
  • All SAML requests from Signals are signed for security.