
Azure Entra ID SSO

Azure Entra ID, formerly Azure Active Directory (Azure AD), is a cloud-based identity and access management (IAM) service that manages identities and permissions across cloud and on-premises environments. This guide explains how to configure SAML for Cloudaware in a customer’s Azure Enterprise Application and set up SSO.

Setup in Azure

  1. Sign in to the Azure Portal. Navigate to Enterprise Applications -> + New Application.

  2. Search for the Salesforce App in the Microsoft Entra Gallery. Enter a name for your app and select Create.

    Azure Entra ID SSO - setup in Azure - new application - Salesforce.png

  3. In the app’s ‘Overview’ section, select Set up single sign-on and click Get started.

    Azure Entra ID SSO - setup in Azure - click Set single sign on.png

  4. Choose SAML as the single sign-on method.

    Azure Entra ID SSO - setup in Azure - select SAML.png

  5. Specify the following values in Basic SAML Configuration. In each value, <your_cloudaware_domain> is the unique Cloudaware instance ID that appears in the instance's web address:

    1. Identifier (Entity ID):
      https://<your_cloudaware_domain>.my.salesforce.com

    2. Reply URL (Assertion Consumer Service URL):
      https://<your_cloudaware_domain>.my.salesforce.com

    3. Sign-on URL:
      https://<your_cloudaware_domain>.lightning.force.com/CA10UI/lca.app

    Cloudaware (Salesforce) checks the Audience and Recipient of every incoming assertion against the Entity ID and Reply URL, so enter these values exactly as shown, character for character; a mismatch makes the login fail even though Entra reports a successful sign-in.

    Azure Entra ID SSO - setup in Azure - basic SAML configuration.png


    Select Save.

    Attributes & Claims:

    By default, the Unique User Identifier (Name ID) claim is set to the user.userprincipalname Entra ID attribute. Cloudaware uses this value as the Federation ID that identifies the user, so the attribute and format chosen here must produce exactly the value stored in the Federation ID field of the Cloudaware user record (or, with JIT provisioning, the value that will be written there). Adjust the value format if needed.

    Azure Entra ID SSO - setup in Azure - required claim.png


    If required, enable JIT provisioning in Cloudaware by creating the following claims in the Additional claims section:

    User.Username: Cloudaware runs on Salesforce, where usernames must be unique across all Salesforce orgs and have the form of an email address. Use the Join() transformation to build a value that satisfies both, for example:
    cloudaware-<user_email>

    Azure Entra ID SSO - setup in Azure - additional claims - User.Username.png

    User.FirstName: user.givenname
    User.LastName: user.surname
    User.ProfileId: Must match one of the Cloudaware profile names exactly (for example, CloudAware Administrator, CloudAware User). Because this claim decides what the provisioned user may do in Cloudaware, treat the rule that produces it with the same care as group membership in Entra.

    Azure Entra ID SSO - setup in Azure - additional claims - User.ProfileId.png


    You can use claim conditions to assign the attribute value based on group membership. For example, if the user belongs to the Admins group → set to CloudAware Administrator.

    Azure Entra ID SSO - setup in Azure - additional claims - User.ProfileId - claim conditions.png


    User.Email: user.email
    User.IsActive (Optional): If automation is in place to deactivate Cloudaware users after a defined period of inactivity (no logins), add this attribute and set it to true so that a deactivated user is reactivated on the next login and can sign in. Note that this makes Entra the authority on whether a user is active: a user deactivated in Cloudaware regains access on login for as long as they remain assigned to the Entra application, so revoke access by removing the assignment or disabling the account in Entra, not only in Cloudaware.

  6. Assign users or groups to the app.

    Azure Entra ID SSO - setup in Azure - assign users or groups.png


    Azure Entra ID SSO - setup in Azure - assign users or groups - select a role.png

    When assigning an individual user, you will be prompted to select a role. Choose any role – the selection does not affect the actual Cloudaware role or profile, which is set in Cloudaware (or by the User.ProfileId claim when JIT provisioning is used).

  7. Download and save the Federation Metadata XML file. You can find it in the ‘Single sign-on’ section of your app.

    Azure Entra ID SSO - setup in Azure - download Federation Metadata XML.png
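Before moving on to the Cloudaware side, it helps to check what Entra will actually send. The following Python script is an added example, not Cloudaware's or Microsoft's code: it parses a constructed, unsigned SAMLResponse in the shape Entra POSTs to the Reply URL and checks the things steps 5 and 6 above determine, namely that Audience matches the Identifier (Entity ID), that Recipient matches the Reply URL, that the Name ID equals the user's Federation ID (case-sensitively, or case-folded when the Cloudaware setting Make Federation ID case-insensitive is used), and that the JIT claims are present with a User.Username in email form and a User.ProfileId that names a Cloudaware profile. The instance domain acme-cloudaware, the tenant ID and the user are assumptions. Signature verification is left out; Cloudaware does that with the certificate from the metadata file.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values entered in Basic SAML Configuration (step 5); the instance domain is an assumption.
SP_ENTITY_ID = "https://acme-cloudaware.my.salesforce.com"
SP_REPLY_URL = "https://acme-cloudaware.my.salesforce.com"
# Profile names the page gives for User.ProfileId; extend with the profiles your org uses.
ALLOWED_PROFILES = {"CloudAware Administrator", "CloudAware User"}
REQUIRED_JIT_CLAIMS = ("User.Username", "User.FirstName", "User.LastName",
                       "User.ProfileId", "User.Email")
USERNAME_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # Salesforce usernames look like emails

# Constructed sample: a decoded, unsigned SAMLResponse in the shape Entra POSTs to the
# Reply URL. Tenant ID and user are made up; Signature and timestamps are omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://acme-cloudaware.my.salesforce.com">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>Jane.Doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://acme-cloudaware.my.salesforce.com"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://acme-cloudaware.my.salesforce.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.Username"><saml:AttributeValue>cloudaware-jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>CloudAware Administrator</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.IsActive"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Pull out the fields Cloudaware matches against its SSO setting and user records."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in the response")
    confirmation = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "recipient": confirmation.get("Recipient", "") if confirmation is not None else "",
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                       default="", namespaces=NS),
        "attributes": attributes,
    }


def check_response(xml_text, federation_id, case_insensitive=False, jit=True):
    """Reasons the login (and JIT provisioning) would fail; an empty list means OK."""
    r = parse_response(xml_text)
    problems = []
    if r["audience"] != SP_ENTITY_ID:
        problems.append(f"Audience {r['audience']!r} != Identifier (Entity ID)")
    if r["recipient"] != SP_REPLY_URL:
        problems.append(f"Recipient {r['recipient']!r} != Reply URL")
    # The Federation ID comparison is case-sensitive unless the Cloudaware setting is changed.
    fold = (lambda s: s.casefold()) if case_insensitive else (lambda s: s)
    if fold(r["name_id"]) != fold(federation_id):
        problems.append(f"NameID {r['name_id']!r} does not match Federation ID {federation_id!r}")
    if jit:
        attrs = r["attributes"]
        first = lambda name: (attrs.get(name) or [""])[0]
        missing = [n for n in REQUIRED_JIT_CLAIMS if not first(n)]
        if missing:
            problems.append("missing JIT claims: " + ", ".join(missing))
        if first("User.Username") and not USERNAME_RE.match(first("User.Username")):
            problems.append(f"User.Username {first('User.Username')!r} is not in email format")
        if first("User.ProfileId") and first("User.ProfileId") not in ALLOWED_PROFILES:
            problems.append(f"User.ProfileId {first('User.ProfileId')!r} is not a Cloudaware profile")
        if "User.IsActive" in attrs and first("User.IsActive").lower() not in ("true", "false"):
            problems.append(f"User.IsActive {first('User.IsActive')!r} is not a boolean")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "Jane.Doe@example.com") or "assertion matches the setup")
```

To check a real login, capture the SAMLResponse form field with the browser's developer tools or a SAML tracer extension, base64-decode it and pass the XML to check_response together with the Federation ID from the Cloudaware user record. Run it once with case_insensitive=False: if that fails and case_insensitive=True passes, the user.userprincipalname casing differs from the Federation ID and you either normalise the claim in Entra or turn on the case-insensitive setting in Cloudaware.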

Setup in Cloudaware

  1. Log in to Cloudaware → Setup.

    Azure Entra ID SSO - setup in Cloudaware - setup.png

  2. Type Single in the Quick Find bar. Under Identity, select Single Sign-On Settings. Ensure that the SAML Enabled checkbox is checked.

    Azure Entra ID SSO - setup in Cloudaware - SAML Enabled.png


    If it is not, click Edit, check the box and save the changes.

    By default, the Federation ID is compared with the Name ID in the assertion case-sensitively. If the casing of the user.userprincipalname value sent by Entra may differ from the Federation ID stored in Cloudaware, select the Make Federation ID case-insensitive checkbox:

    Azure Entra ID SSO - setup in Cloudaware - Federation ID case sensitivity.png

  3. Create a new SSO setting. Click New from Metadata File, upload the XML file from Azure Entra ID, and click Create.

    Azure Entra ID SSO - setup in Cloudaware - click New from Metadata File.png

  4. Configure SAML Single Sign-On settings:

    • Set the SSO setting name and API name.

    • Choose SAML Identity Type.

    • If required, enable Just-in-time* User Provisioning and choose Standard for User Provisioning Type.
      *JIT requires selecting Assertion contains the Federation ID from the User Object as the SAML Identity Type.

      Azure Entra ID SSO - setup in Cloudaware - SAML Single Sign-On Settings.png


      Click Save.

  5. Configure Azure Entra as an authentication service. Type My domain in the Quick Find bar. Select My Domain. Scroll down to the Authentication Configuration section and click Edit.

    Select the checkbox next to the name of the SSO configuration you just created (in this example, Entra):

    Azure Entra ID SSO - setup in Cloudaware - My domain - Authentication Configuration.png


    Click Save. The Entra option now appears on the Cloudaware login page. While Login Form remains selected, users can still sign in with a Cloudaware username and password alongside SSO; clear it only after SSO has been verified, and keep at least one administrator who can log in without it in case the Entra side breaks.
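Before uploading the file in step 3, it is worth confirming that it is identity-provider metadata for the right tenant and that it carries a signing certificate, because New from Metadata File fills the Issuer, Identity Provider Login URL and Identity Provider Certificate of the new setting from it. The following Python script is an added example, not Cloudaware's code: it reads a constructed metadata file in the shape Entra exports and extracts those values plus the SHA-256 fingerprint of each signing certificate. The tenant ID is made up and the certificate body is a five-byte DER placeholder rather than a real X.509 certificate; a real Federation Metadata XML file is parsed the same way.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder certificate body: a 5-byte DER SEQUENCE, not an X.509 certificate.
PLACEHOLDER_DER = b"\x30\x03\x02\x01\x01"
PLACEHOLDER_CERT = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed sample in the shape of the Federation Metadata XML Entra exports;
# the tenant ID is made up and the Signature element is omitted.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <SingleSignOnService Binding="{POST}"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def cert_fingerprint(b64_cert):
    """SHA-256 of the DER bytes inside an X509Certificate element (whitespace tolerated)."""
    der = base64.b64decode("".join(b64_cert.split()))
    if not der or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
        raise ValueError("X509Certificate is not base64-encoded DER")
    return hashlib.sha256(der).hexdigest()


def summarize_metadata(xml_text):
    """Extract the values New from Metadata File takes from the file."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    endpoints = {s.get("Binding"): s.get("Location", "")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both purposes; encryption-only keys do not sign.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            fingerprints.append(cert_fingerprint(cert.text or ""))
    return {
        "issuer": root.get("entityID", ""),
        "login_url": endpoints.get(REDIRECT) or endpoints.get(POST, ""),
        "name_id_format": idp.findtext("md:NameIDFormat", default="", namespaces=NS),
        "signing_cert_sha256": fingerprints,
    }


def preflight(xml_text, expected_tenant_id=None):
    """Reasons the file should not be uploaded as-is; an empty list means go ahead."""
    m = summarize_metadata(xml_text)
    problems = []
    if not m["issuer"].startswith("https://"):
        problems.append(f"issuer {m['issuer']!r} is not an https URL")
    if expected_tenant_id and expected_tenant_id not in m["issuer"]:
        problems.append(f"issuer {m['issuer']!r} does not belong to tenant {expected_tenant_id}")
    if not m["login_url"].startswith("https://"):
        problems.append("no https SingleSignOnService endpoint for the login URL")
    if not m["signing_cert_sha256"]:
        problems.append("no signing certificate: assertions could not be verified")
    return problems


if __name__ == "__main__":
    for key, value in summarize_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
    print("problems:", preflight(SAMPLE_METADATA) or "none")
```

Keep the fingerprint with your change record: when the SAML signing certificate is rotated in Entra, the metadata changes and the certificate in the Cloudaware SSO setting must be replaced, and comparing fingerprints is the quickest way to tell whether the file you are about to upload is the one already configured. The issuer printed here is the value the Issuer of every assertion must equal; if Cloudaware rejects logins after a tenant migration, this is the first field to compare.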
