> ## Documentation Index
> Fetch the complete documentation index at: https://docs.hanko.io/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up SAML SSO with Microsoft Entra
> Learn how to set up enterprise connections in Hanko for customers using Microsoft Entra as SAML identity provider.
**Hanko Microsoft Entra SAML Integration Guide**:
**About Hanko**:
Hanko is a modern open source authentication solution and the fastest way you integrate passkeys, 2FA, SSO, and more—with full control over your data. Move between self-hosted and Hanko Cloud anytime. No lock-in. Just Auth how it should be: secure, user friendly, and fully yours.
**What This Guide Covers**: This guide demonstrates how to configure Microsoft Entra ID (formerly Azure AD) as a SAML identity provider for your Hanko project, enabling seamless single sign-on authentication for enterprise users.
**Key Technologies**:
* SAML 2.0
* XML digital signatures
* Microsoft Entra ID
* Azure Active Directory
* SAML assertions
**Prerequisites**:
* Active Microsoft Entra account
* Hanko Cloud project
* Basic understanding of SAML authentication protocols
* Admin access to both Microsoft Entra and Hanko Cloud dashboards
**Tasks You'll Complete**:
* Create custom enterprise application in Microsoft Entra
* Configure SAML single sign-on settings
* Set up entity ID and ACS URL configuration
* Configure attribute mapping for email claims
* Assign users to the application
* Create enterprise connection in Hanko Cloud
* Test integration using IdP-initiated flow
## Prerequisites
You need your project's SAML Assertion Consumer Service (ACS) URL and the Service Provider (SP) Entity ID.
### Service Provider Entity ID
The SP Entity ID for your Hanko project is equal to the API URL of your project.
To find the API URL for your project:
1. Log in to [Hanko Cloud](https://cloud.hanko.io) and select your project.
2. Navigate to `Dashboard`.
3. Copy and save the `API URL`.
### Service Provider ACS URL
To find the Assertion Consumer Service (ACS) URL for your project:
1. Log in to [Hanko Cloud](https://cloud.hanko.io) and select your project.
2. Navigate to `Settings > Enterprise connections`.
3. Under `Enterprise connections` find the `Redirect URL` panel.
4. Copy and save the URL.
## Create a Microsoft Entra application
1. Sign up or sign in with [Microsoft Entra](https://entra.microsoft.com/).
2. Once you're logged in, select `Identity > Applications > Enterprise Applications` in the left sidebar.
3. Click `New Application`. This will open the `Microsoft Entra Gallery`.
4. In the `Microsoft Entra Gallery`, click `Create your own appplication`.
5. Give your application a name.
6. Select `Integrate any other application you don't find in the gallery (Non-gallery)`.
7. Click `Create` to create the application.
8. Once your app is created, select `Single sign-on` in the application sidebar.
9. Select `SAML` as the SSO method.
10. Find the `Basic SAML configuration` panel and click `Edit`.
11. Under `Identifier (Entity ID)` click `Add identifier` and enter you project API URL
(see [Prerequisites - Service Provider Entity ID](#service-provider-entity-id)).
12. Under `Reply URL (Assertion Consumer Service URL)` click `Add reply URL` and enter your ACS URL
(see [Prerequisites - Service Provider ACS URL](#service-provider-acs-url)).
13. Click `Save`.
14. In the `SAML Certificates` panel, find the `App Fedration Metadata Url` and copy it. You need this for
configuring the enterprise connection with Hanko.
### Attribute mapping
SAML SSO integration with Hanko requires an email address attribute in the IdP's SAML response. To ensure this attribute is present:
1. In your application's `Single sign-on` configuration, find the `Attributes & Claims` panel and click `Edit`.
2. There should be `Additional Claims` listed that have been added to your application per default. Find the claim that
maps the Entra user's `user.email` property and click it.
3. Ensure that the `Name` is equal to `emailaddress` and the `Namespace` is equal
to `http://schemas.xmlsoap.org/ws/2005/05/identity/claims`.
4. If your users do not have an email set for the `user.email` property, choose a different source for the
mapping. Note that the email address value present in this attribute is used to
[provision and link accounts](/guides/enterprise-sso/introduction#account-provisioning-and-linking).
This means that any new accounts created at your Hanko project will use this email address value and any existing
accounts in your Hanko project will be linked via this email address value.
### Assign users to your application
To enable users to log in, you need to assign users to the application.
1. Select `Identity > Applications > Enterprise Applications` in the left sidebar.
2. Select your application, then select `Manage > Properties`.
3. Ensure that your application is enabled for users to sign-in.
4. Choose whether user assignment is required for this app. If set to `No`, all users will be able to sign in.
5. Choose whether this app is visible to users. If this option is set to yes, then assigned users will see the
application on `My Apps` in their profile and the O365 app launcher.
6. If you selected `Yes` in step 4, then select `Manage > Users and groups`.
7. Click `Add user/group`.
8. Under `Users`, click `None selected`/`X user selected`.
9. Select the users you want to assign.
10. Click `Select`.
## Configure an enterprise connection
1. Log in to [Hanko Cloud](https://cloud.hanko.io) and select your project.
2. Navigate to `Settings > Enterprise connections`.
3. Under `Connections`, click `New connection`.
4. In the shown modal provide the following data:
* A `Name` for the connection.
* A `Domain` for the connection. When users authenticate via SAML SSO, the domain of the email
address provided as an identifier at the start of an authentication flow must match the domain configured here.
* A `Metadata URL`. This is the URL you copied in step 14 in [Create a Microsoft Entra application](#create-a-microsoft-entra-application).
* Select whether you want skip email verification for this provider.
5. Click `Save` to create the connection.
## Testing your integration
To test your integration via [IdP-initiated](/guides/enterprise-sso/introduction#identity-provider-initiated-sso)
flow:
1. Navigate to the `Single sign-on` configuration for your application (see step 8 in [Create a Microsoft Entra application](#create-a-microsoft-entra-application)).
2. Find the `Test single sign-on with My App` panel and click the `Test`.
