# Entra ID

### SAML 2.0 SSO Setup

#### Prerequisites

Before configuring SAML 2.0, ensure you have admin access to both the Microsoft Entra admin center and your Natoma instance with Admin permissions.

#### Supported Features

* SP-initiated SSO (Single Sign-On)
* IdP-initiated SSO
* Just-In-Time provisioning

#### Attribute Statements

In Entra ID the following SAML claim must be added:

| Name    | Value       |
| ------- | ----------- |
| `email` | `user.mail` |

Name the claim **email**, leave the source as **Attribute**, select **user.mail** from the source attribute dropdown, and save.

#### Setup Instructions

**Enable SAML in Natoma**

1. In Natoma, navigate to **Admin Settings** and toggle **SAML 2.0** on.
2. Ensure the following two toggles are disabled:
   * **Request signed Assertions from the IdP?** — Disabled
   * **Request signed Authentication Response from the IdP?** — Disabled

**Create the Application in Entra**

1. Sign into the [Microsoft Entra admin center](https://entra.microsoft.com).
2. Navigate to **Enterprise Applications** → **Add a new application** → **Create your own Application**.
3. Name your application, select **Integrate any other application you don't find in the gallery (Non-gallery)**, and save.

**Configure Single Sign-On**

1. Navigate to **Single sign-on** in the left-hand nav of the app and select **SAML**.
2. Edit the **Basic SAML Configuration** and copy & paste the values from Natoma into the appropriate fields.

**Configure Attribute Claims**

1. Edit the **Attributes & Claims** section and click **Add new claim**.
2. Set the **Name** to `email`, leave **Source** as **Attribute**, and select `user.mail` from the **Source attribute** dropdown.
3. Save the claim.

**Copy Metadata URL to Natoma**

1. Navigate back to the **SAML-based Sign-on** screen using the breadcrumbs at the top.
2. Copy the **Metadata URL** from the **SAML Certificates** section.
3. Paste the Metadata URL into Natoma.
4. Ensure both toggles remain disabled (as set under **Enable SAML in Natoma** above).

**Test and Save**

Click **Test Connection** and **Save**. This will log you out and back in via SAML.

***

### SCIM Provisioning Setup

SCIM (System for Cross-domain Identity Management) enables continuous synchronization of users between Microsoft Entra and Natoma, providing automated user lifecycle management.

#### Prerequisites

{% hint style="info" %}
SAML SSO must be fully configured and tested before enabling SCIM provisioning.
{% endhint %}

#### Supported Features

* Create users
* Update user attributes
* Deactivate users

#### Setup Instructions

**1. Enable SCIM in Natoma**

1. In the Natoma Admin Console, navigate to **Admin** → **SSO**.
2. Toggle on the **SCIM Integration** option.
3. Click **Generate Token**, then immediately copy the token.

{% hint style="warning" %}
You will not be able to view this token again — save it securely before closing.
{% endhint %}

**2. Configure Provisioning in Entra**

1. Back in the Entra admin center, go to the **Provisioning** menu within your SAML app.
2. Click **Connect your application**.
3. Copy and paste the **SCIM URL** and **Token** from Natoma into Entra.
4. Click **Test Connection** to verify the credentials.

**3. Save Configuration in Natoma**

After a successful test in Entra, navigate back to Natoma and click **Save**.


