How do I configure Single Sign-On with Azure Active Directory?

A step-by-step guide to connecting Azure Active Directory (Microsoft Entra ID) to Atlas using SAML 2.0, so your users can sign in to Atlas with their Microsoft credentials.

Written by Paul Haskell
Updated over a week ago

Before you start

You'll need:

• An Azure Active Directory tenant (Microsoft Entra ID) with permissions to configure enterprise applications and Single Sign-On

• Access to Atlas with permission to configure Single Sign-On

• The Atlas Single Sign-On configuration page open in a separate browser tab — you'll be copying values between the two

Step 1 — Set up a SAML app in Azure Active Directory

Sign in to the Microsoft Entra admin center

1. Go to the Microsoft Entra admin center in your browser.

2. Sign in with an account that has the Cloud Application Administrator or Application Administrator role.

Create an enterprise application for Atlas

3. In the left-hand navigation, go to Entra ID → Enterprise applications.

4. Create a new enterprise application for Atlas (or open an existing one).

5. From the application overview, select Single sign-on.

6. On the Select a single sign-on method page, choose SAML.

Configure basic SAML settings

7. On the Set up single sign-on with SAML page, edit the Basic SAML Configuration section.

8. In Identifier (Entity ID), enter the Atlas Audience / Entity ID from the Atlas wizard.

9. In Reply URL (Assertion Consumer Service URL), enter the Atlas Single Sign-On URL from the Atlas wizard.

10. Configure any additional URLs if required by your Atlas administrator.

11. Save the basic SAML configuration.

⚠️ Important: Always use the exact values from your Atlas environment — not example values from other documentation.

Download your certificate and metadata

12. On the Set up single sign-on with SAML page, find the SAML Signing Certificate or App Federation Metadata URL section.

13. Download the certificate and copy the metadata URL or endpoint URLs that Atlas requires.

14. Keep these handy — you'll paste them into Atlas shortly.

Step 2 — Add users in Azure and Atlas

Add and assign users in Azure

15. In the Microsoft Entra admin center, go to Entra ID → Users to create or confirm the accounts for users who will sign in to Atlas.

16. Go back to Enterprise applications, open the Atlas application, and assign the relevant users or groups so they can use Single Sign-On.

Add the same users in Atlas

17. In Atlas, open the user management area.

18. Create or confirm accounts for the same users, making sure their email addresses match exactly what's in Azure.

💡 Tip: User identifiers must match between Azure and Atlas for Single Sign-On to work correctly.

Step 3 — Configure Single Sign-On in Atlas

Open the Single Sign-On configuration page in Atlas and follow the wizard.

Name and protocol

19. Enter a Configuration name — for example, Azure Active Directory Single Sign-On.

20. Select SAML 2.0 as the protocol.

Atlas Single Sign-On endpoints

21. In the Atlas Single Sign-On endpoints step, review the values shown (Single Sign-On URL and Audience / Entity ID).

22. Confirm these match the Identifier (Entity ID) and Reply URL you set in Azure.

Azure identity provider details

In the relevant step of the Atlas wizard, paste the Azure details you collected earlier:

• Federation metadata or identity provider metadata

• Certificate

• Sign-in URL (and logout URL if applicable)

23. Save the configuration step.

Map user attributes

In the attribute mapping steps, connect Azure claims to Atlas user fields:

• Email address → Atlas email field

• First name → Atlas first name field

• Last name → Atlas last name field

• Phone number — optional, can be skipped

24. Confirm all required mappings are complete and save without errors.

Step 4 — Test the connection

25. In Atlas, select Test connection on the Single Sign-On configuration page.

26. Atlas will redirect you to the Azure sign-in page for your tenant.

You've set things up correctly if:

• You're redirected to the Azure sign-in page

• You can sign in with a user assigned to the Atlas enterprise application

• After signing in, you're redirected back to Atlas

• Atlas shows a confirmation that the connection was successful

Troubleshooting

If the connection test fails, check the following:

• The Identifier (Entity ID) and Reply URL in Azure exactly match the values shown in the Atlas Single Sign-On endpoints step.

• The user is assigned to the Atlas enterprise application in Azure and exists in Atlas with a matching identifier.

• The SAML attribute names and claims for email, first name, and last name in Azure match the mappings in Atlas.

• Review any error messages in Atlas or the Microsoft Entra sign-in logs for further detail.

If you're still stuck, contact your internal administrator or reach out to Atlas support — include a description of what you've tried and any error messages you've seen.
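The first three checks above can be run against a SAMLResponse captured from your own failed test sign-in (for example from the browser's network tab). This is an added example, not Atlas or Microsoft code. The Atlas URLs, the claim names in `EXPECTED` and the sample response are constructed placeholders; substitute the values from your Atlas wizard and attribute mapping.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Constructed placeholders: use the values shown in your Atlas wizard and mappings.
ENTITY_ID = "https://atlas.example.invalid/sso"
REPLY_URL = "https://atlas.example.invalid/sso/acs"
EXPECTED = {"email": CLAIMS + "emailaddress",
            "first name": CLAIMS + "givenname",
            "last name": CLAIMS + "surname"}

def check_response(b64_response, entity_id, reply_url, mapped_claims):
    """Return a list of mismatches between a captured SAMLResponse and the Atlas values."""
    # Diagnostic only: no signature validation, so run it only on a response you captured yourself.
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} != Atlas Entity ID {entity_id!r}")
    recipients = [e.get("Recipient") for e in root.iterfind(".//a:SubjectConfirmationData", NS)]
    if reply_url not in recipients:
        hint = ""
        if any(r and r.rstrip("/").lower() == reply_url.rstrip("/").lower() for r in recipients):
            hint = " (differs only by case or trailing slash)"
        problems.append(f"Recipient {recipients} != Atlas Single Sign-On URL {reply_url!r}{hint}")
    sent = {e.get("Name") for e in root.iterfind(".//a:Attribute", NS)}
    for field, claim in mapped_claims.items():
        if claim not in sent:
            problems.append(f"claim for {field} not sent: {claim}")
    return problems

# Constructed sample response: Reply URL has a stray trailing slash, last name claim is missing.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Assertion>
<Subject><SubjectConfirmation><SubjectConfirmationData Recipient="https://atlas.example.invalid/sso/acs/"/></SubjectConfirmation></Subject>
<Conditions><AudienceRestriction><Audience>https://atlas.example.invalid/sso</Audience></AudienceRestriction></Conditions>
<AttributeStatement>
<Attribute Name="{CLAIMS}emailaddress"><AttributeValue>user@example.invalid</AttributeValue></Attribute>
<Attribute Name="{CLAIMS}givenname"><AttributeValue>Sam</AttributeValue></Attribute>
</AttributeStatement>
</Assertion></samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for problem in check_response(SAMPLE, ENTITY_ID, REPLY_URL, EXPECTED):
        print(problem)
```

A captured SAMLResponse contains user attributes, so treat it as sensitive and do not paste it into tickets or online decoders.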
