Microsoft Entra ID SAML SSO
Single Sign-On configuration for Microsoft Entra ID, using SAML
This article describes how to prepare Microsoft Entra ID (formerly Azure Active Directory) as an Identity Provider (IdP) for Single Sign-On (SSO) with the Cydarm CIRM application. A Microsoft Entra ID administrator account is required to carry out the steps below. Once completed, you will have an IdP metadata XML file and an Entity ID value, both of which are needed to configure SSO on the Cydarm side.
For cloud-hosted instances, please log a support ticket and provide both the IdP metadata XML file and the Entity ID so we can configure your instance.
For on-prem installations, please see Configure SAML SSO for a Cydarm Instance.
After SSO setup has been completed, you will need to create user accounts for your SSO users.
Instructions
1. Create the enterprise application
- Sign in to the Azure portal using your Microsoft Entra ID administrator account.
- Click Microsoft Entra ID in the sidebar (this was previously labelled "Azure Active Directory").
- Click Add, then Enterprise application.

- On the Browse Microsoft Entra App Gallery page, click Create your own application.

- Provide a name for the application — for example, Cydarm for production, or Cydarm Staging for a non-production instance.
- Select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create.
2. Assign users and groups
Assigning users up front is recommended so that the right people can sign in as soon as SSO is enabled. With the application's default setting of Assignment required = Yes, Entra ID rejects any user who has not been assigned (error AADSTS50105), which is the behaviour you want for a security tool: access to Cydarm is then controlled by this assignment list.
- From the new application's overview page, click 1. Assign users and groups (or open Users and groups from the sidebar).
- Click Add user/group.
- Select the users or groups who should be able to sign in to Cydarm via SSO, then click Assign.
3. Begin Single Sign-On configuration
- From the application's overview page, click 2. Set up single sign on (or open Single sign-on from the sidebar).
- Select SAML as the sign-on method.

4. Edit Basic SAML Configuration
Click Edit next to Basic SAML Configuration and set the following:

Identifier (Entity ID)
Enter a unique string that identifies this application. This value is what Cydarm refers to as the audience: Entra ID places it in the Audience element of every assertion it issues for this application, and Cydarm accepts only assertions whose audience matches its configured value. Any unique string is acceptable; for example:
CydarmProduction
CydarmStaging
If you operate both production and staging environments, use distinct identifiers for each so they do not conflict within your tenant.
Important: Take note of the exact value you enter, including case and with no surrounding whitespace. You will need to provide it to Cydarm Support along with the metadata XML file.
Reply URL (Assertion Consumer Service URL)
Enter the FQDN of your Cydarm instance, with port 443 and the SAML auth path appended:
https://<your-cydarm-fqdn>:443/cydarm-api/auth/saml
For example: https://app.cydarm.com:443/cydarm-api/auth/saml
This is the Assertion Consumer Service endpoint: after the user authenticates, Entra ID sends the browser back to this URL with the signed SAML response, and Cydarm validates the assertion there and completes the sign-in. The value must match exactly (scheme, host, port and path); Entra ID will only return a response to a registered Reply URL, and a sign-in that requests any other URL fails with error AADSTS50011.
Other fields
The remaining fields in Basic SAML Configuration are not required:
- Sign-on URL — leave blank.
- Relay State — leave blank. Cydarm passes this automatically.
- Logout URL — leave blank.
Click Save.
5. Verify Attributes & Claims
Click Edit next to Attributes & Claims. Hover over the Unique User Identifier (Name ID) claim value and confirm it is set to:
user.userprincipalname [nameid-format:emailAddress]
Recommendation: The user principal name should be the user's email address. Cydarm uses this NameID value to match the SSO identity to a Cydarm user account, so a mismatch here will prevent sign-in. Check this for every account you assigned in step 2: UPNs are not always mailbox addresses (guest accounts, for example, have UPNs of the form user_example.com#EXT#@tenant.onmicrosoft.com). For such users, either create the Cydarm account under the exact UPN value or change the claim's source attribute to user.mail.
The other default additional claims (emailaddress, givenname, name, surname) can be left as-is.
6. Download the Federation Metadata XML
Under SAML Certificates, click Download next to Federation Metadata XML.
This file contains the tenant's issuer identifier (entityID), its SAML sign-on and logout endpoints, the token-signing certificate(s) and the claim types offered, which Cydarm needs to validate authentication responses from Entra ID. Save it somewhere you can retrieve it for the next step. Note that the signing certificate has a fixed expiry (three years by default, shown in the same SAML Certificates panel); if you later roll it over, download and supply a fresh metadata file, otherwise sign-in will fail once Entra ID starts signing with the new certificate.
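Before logging the ticket it is worth checking the two artefacts you are about to hand over. The script below is an added example, not part of Cydarm's or Microsoft's tooling, and uses only the Python standard library. It parses the Federation Metadata XML from step 6 and confirms that it is identity-provider metadata issued by an Entra tenant with a signing certificate, SAML endpoints and the emailAddress NameID format, and it checks the Identifier and Reply URL from step 4 against the rules given above. The embedded metadata is a constructed sample in the shape of Entra's federationmetadata.xml; the tenant ID and certificate bytes are placeholders, not real data, and the file name check_saml_handoff.py is assumed.

```python
"""Pre-flight check for the Entra ID SAML hand-off to Cydarm.
Added example (not Cydarm's or Microsoft's code); standard library only.
Parses the metadata from step 6 and checks the step 4 values."""
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Reply URL rule from step 4: https://<fqdn>:443/cydarm-api/auth/saml, nothing else.
REPLY_URL_RE = re.compile(r"^https://[A-Za-z0-9.-]+:443/cydarm-api/auth/saml$")


def inspect_idp_metadata(xml_text):
    """Extract what Cydarm consumes from the IdP metadata and flag gaps."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity-provider metadata")
    info = {
        # Entra's issuer URI; this is NOT the Identifier you typed in step 4.
        "entity_id": root.get("entityID") or "",
        "sso": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)},
        "nameid_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": [],  # SHA-256 fingerprints of the DER certificates
        "warnings": [],
    }
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            info["signing_certs"].append(hashlib.sha256(der).hexdigest())
    warn = info["warnings"].append
    if not info["signing_certs"]:
        warn("no signing certificate: Cydarm cannot validate assertions")
    if POST not in info["sso"] and REDIRECT not in info["sso"]:
        warn("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    if EMAIL_FORMAT not in info["nameid_formats"]:
        warn("emailAddress NameID format not offered; re-check step 5")
    if not info["entity_id"].startswith("https://sts.windows.net/"):
        warn("entityID is not an Entra ID tenant issuer; wrong file?")
    if root.find("ds:Signature", NS) is None:
        warn("metadata is unsigned; the portal download is always signed")
    return info


def check_sp_settings(audience, reply_url):
    """Validate the two values typed in step 4. Returns a list of problems."""
    problems = []
    if not audience or audience.strip() != audience:
        problems.append("Identifier (Entity ID) is empty or has surrounding whitespace")
    if not REPLY_URL_RE.match(reply_url):
        problems.append("Reply URL must be exactly https://<fqdn>:443/cydarm-api/auth/saml")
    return problems


# Constructed sample in the shape of Entra's federationmetadata.xml; the tenant
# ID and certificate bytes are placeholders, not real data.
_TENANT = "00000000-0000-0000-0000-000000000000"
_SSO = f"https://login.microsoftonline.com/{_TENANT}/saml2"
_CERTS = [base64.b64encode(b"placeholder cert " + bytes([n])).decode() for n in (1, 2)]
_KEYS = "".join(
    f'<KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>'
    f"<X509Certificate>{c}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>"
    for c in _CERTS)  # two certificates: what you see mid-way through a rollover
SAMPLE_METADATA = f"""<EntityDescriptor ID="_x" entityID="https://sts.windows.net/{_TENANT}/"
    xmlns="{MD}">
  <Signature xmlns="{DS}"><SignatureValue>placeholder</SignatureValue></Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {_KEYS}
    <SingleLogoutService Binding="{REDIRECT}" Location="{_SSO}"/>
    <NameIDFormat>{EMAIL_FORMAT}</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}" Location="{_SSO}"/>
    <SingleSignOnService Binding="{POST}" Location="{_SSO}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def report(xml_text, audience, reply_url):
    """Print a summary; returns True when nothing needs attention."""
    info = inspect_idp_metadata(xml_text)
    problems = check_sp_settings(audience, reply_url)
    print("IdP issuer (entityID):", info["entity_id"])
    print("SSO endpoint (HTTP-POST):", info["sso"].get(POST))
    for fp in info["signing_certs"]:
        print("signing cert sha256:", fp)
    for line in info["warnings"] + problems:
        print("WARNING:", line)
    return not info["warnings"] and not problems


if __name__ == "__main__":  # python check_saml_handoff.py [federationmetadata.xml]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    sys.exit(0 if report(text, "CydarmProduction", "https://app.cydarm.com:443/cydarm-api/auth/saml") else 1)
```

Run it with the path of the downloaded file, and replace the audience and Reply URL arguments in the last line with the values you entered in step 4. Two points the output makes visible: the entityID inside the file is Entra's issuer URI for your tenant, which is not the audience string you typed and is not a substitute for it, and the file may legitimately carry more than one signing certificate while a rollover is in progress, so Cydarm must be given the whole file rather than a single pasted certificate.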
Provide configuration to Cydarm
You will need two pieces of information from the steps above:
- The Entity ID (also referred to as the audience) — the unique string you entered in step 4 (e.g. CydarmProduction).
- The Federation Metadata XML file downloaded in step 6.
Cloud-hosted instances
Log a support ticket and attach the metadata XML file along with the audience value. A Cydarm engineer will use these to provision SAML SSO on your instance.
On-prem instances
Follow the directions in Configure SAML SSO for a Cydarm Instance, supplying the metadata XML as the IdP metadata and the audience value you set in step 4.
Related articles
- Single Sign On configuration
- API Examples
- API Documentation
- Enabling Multi-Factor Authentication (MFA, 2FA) for a user
- Microsoft Sentinel Integration