Version: Next

Azure AD (Entra ID) SSO Setup

This guide walks through configuring SAML 2.0 single sign-on between Microsoft Entra ID (formerly Azure Active Directory) and SyVault. You will need Azure AD admin access and SyVault Owner or Admin privileges.

Prerequisites

  • SyVault organization on a Business or Enterprise plan
  • Azure AD tenant with permission to create Enterprise Applications
  • Your SyVault organization slug (found in Admin Console > Settings)

Step 1: Create an Enterprise Application

  1. Sign in to the Azure Portal at portal.azure.com.
  2. Navigate to Microsoft Entra ID > Enterprise Applications.
  3. Click New Application > Create your own application.
  4. Enter SyVault as the application name.
  5. Select Integrate any other application you don't find in the gallery (Non-gallery).
  6. Click Create.

Step 2: Configure SAML SSO

  1. In the SyVault Enterprise Application, navigate to Single sign-on in the left sidebar.
  2. Select SAML as the single sign-on method.
  3. In the Basic SAML Configuration section, click Edit and enter:
     | Field | Value |
     |---|---|
     | Identifier (Entity ID) | syvault:<your-org-slug> (e.g., syvault:acme-corp) |
     | Reply URL (ACS URL) | https://api.syvault.com/api/auth/saml/acs |
     | Sign on URL | https://vault.syvault.com/login?sso=<your-org-slug> |
     | Relay State | Leave blank |
     | Logout URL | Leave blank |
  4. Click Save.

Step 3: Configure Attribute Mapping

In the Attributes & Claims section, click Edit and configure the following:

| Claim Name | Source Attribute |
|---|---|
| Unique User Identifier (Name ID) | user.userprincipalname (format: Email address) |
| email | user.mail |
| firstName | user.givenname |
| lastName | user.surname |
tip

If your users' userprincipalname does not match their email address (common in hybrid environments), use user.mail as the Name ID source instead. The Name ID must be the email address that matches the user's SyVault account.

Ensure the Name ID format is set to emailAddress (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).

Step 4: Download Federation Metadata

  1. In the SAML Signing Certificate section, find App Federation Metadata Url.
  2. Copy this URL -- you will paste it into SyVault.

Alternatively, click Download next to Federation Metadata XML to save the file locally.

Step 5: Configure SyVault

  1. Open the SyVault Admin Console > SSO & SCIM > SAML SSO.
  2. Paste the App Federation Metadata URL or upload the downloaded XML file.
  3. SyVault will automatically extract:
    • IdP SSO URL (typically https://login.microsoftonline.com/<tenant-id>/saml2)
    • IdP Issuer
    • X.509 signing certificate
  4. Verify the extracted values and click Save Configuration.

Step 6: Assign Users and Groups

  1. In the SyVault Enterprise Application, navigate to Users and groups.
  2. Click Add user/group.
  3. Select the users or groups who should have SSO access.
  4. Click Assign.
warning

Users must be both assigned in Azure AD and members of your SyVault organization. To automate member provisioning, configure SCIM alongside SAML SSO.

Step 7: Test SSO Login

  1. In the Azure Portal, click Test in the Single sign-on configuration page. Azure will attempt an SSO flow and report success or failure.
  2. In SyVault, click Test Connection in the Admin Console SSO settings.
  3. For a full end-to-end test, open an incognito window, navigate to the SyVault login page, click Login with SSO, enter your organization slug, and authenticate through Azure AD.

Troubleshooting

| Symptom | Likely Cause | Fix |
|---|---|---|
| AADSTS700016: Application not found | Enterprise App not configured or wrong tenant | Verify the app exists in the correct Azure AD tenant |
| "Invalid audience" | Entity ID mismatch | Ensure the Identifier matches syvault:<org-slug> exactly |
| "Signature validation failed" | Certificate rollover | Re-download federation metadata and re-upload to SyVault |
| "User not found" | User not a SyVault member | Invite the user or enable SCIM provisioning |
| Claims missing | Attribute mapping incorrect | Verify the Name ID format is emailAddress and its source attribute (user.mail, or user.userprincipalname where UPNs are email addresses) carries the user's SyVault email |
info

Entra ID SAML signing certificates expire (three-year validity by default) and are replaced by an admin activating a new certificate in the SAML Signing Certificate section of the Enterprise Application. Once the new certificate is active, assertions are signed with it and SyVault will fail signature validation until it holds the new certificate. Re-download the federation metadata and update SyVault to pick up the new certificate, or configure the metadata URL instead of a static XML file so SyVault can refresh the certificate automatically.
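Most rows in the troubleshooting table come down to a single field in the SAML assertion being different from what SyVault expects. The following is an added example, not SyVault's or Microsoft's code, that inspects a decoded SAML Response and names the row each mismatch maps to. It assumes the Entity ID scheme, Name ID format and claim names from Steps 2 and 3, takes the base64 SAMLResponse form field from the browser's POST to the ACS URL (visible in the network tab of the developer tools), and deliberately does not verify the XML signature (that needs an XML-DSig library and the IdP certificate); for the "Signature validation failed" row it only compares the certificate embedded in the response with fingerprints you supply, e.g. from the metadata you imported. `build_sample_response` constructs test input; its Signature element is a placeholder.

```python
"""Map fields of a captured SAML Response to the SyVault troubleshooting table.

Added example (not SyVault's code). Does NOT verify the XML signature.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_CLAIMS = ("email", "firstName", "lastName")   # claim names from Step 3
FAKE_ISSUER = "https://sts.windows.net/00000000-1111-2222-3333-444444444444/"  # constructed


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 hex fingerprint of a base64 DER certificate (whitespace ignored)."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def build_sample_response(audience, nameid, nameid_format, claims, cert_b64):
    """Constructed SAML Response, base64-encoded as the browser would POST it.
    The Signature element is a placeholder (a real one carries SignedInfo and
    SignatureValue); only its KeyInfo certificate is used by the checker."""
    attrs = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in claims.items()
    )
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>{FAKE_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{FAKE_ISSUER}</saml:Issuer>
    <Signature xmlns="{NS['ds']}"><KeyInfo><X509Data><X509Certificate>{cert_b64}</X509Certificate></X509Data></KeyInfo></Signature>
    <saml:Subject><saml:NameID Format="{nameid_format}">{nameid}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_assertion(saml_response_b64, org_slug, known_members, expected_fingerprints=None):
    """Return findings, each prefixed with the troubleshooting-table symptom it maps to."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["Claims missing: no plaintext Assertion (encrypted assertions are out of scope here)"]
    findings = []

    # "Invalid audience": the Audience must equal the Identifier (Entity ID) from Step 2.
    expected_audience = f"syvault:{org_slug}"
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Invalid audience: assertion is for {audiences}, SyVault expects {expected_audience}")

    # "Claims missing" / "User not found": NameID must be emailAddress-formatted and a member's email.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        findings.append("Claims missing: no NameID in Subject")
    else:
        if nameid.get("Format") != EMAIL_FORMAT:
            findings.append(f"Claims missing: NameID format is {nameid.get('Format')}, expected emailAddress")
        if nameid.text not in known_members:
            findings.append(f"User not found: NameID {nameid.text} is not a SyVault member "
                            "(UPN differs from mail? see the Step 3 tip)")

    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [c for c in REQUIRED_CLAIMS if c not in present]
    if missing:
        findings.append(f"Claims missing: {missing} not in AttributeStatement")

    # "Signature validation failed": Entra signs the Assertion or the Response; look in both.
    if expected_fingerprints is not None:
        cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
        if cert is None or cert_fingerprint(cert) not in expected_fingerprints:
            findings.append("Signature validation failed: signing certificate in the response is not "
                            "one SyVault has on file (rollover? re-import the federation metadata)")
    return findings


if __name__ == "__main__":
    members = {"alice@acme-corp.com"}
    on_file = [cert_fingerprint("QUJD")]     # fingerprint of the constructed "certificate" b"ABC"
    good = build_sample_response("syvault:acme-corp", "alice@acme-corp.com", EMAIL_FORMAT,
                                 {"email": "alice@acme-corp.com", "firstName": "Alice", "lastName": "Smith"}, "QUJD")
    # Hybrid tenant mistakes: UPN-as-NameID, wrong slug in the Entity ID, two claims not mapped.
    bad = build_sample_response("syvault:acme", "alice@corp.local",
                                "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                                {"email": "alice@acme-corp.com"}, "QUJD")
    print("good:", check_assertion(good, "acme-corp", members, on_file))
    for finding in check_assertion(bad, "acme-corp", members, on_file):
        print("bad: ", finding)
```

If the SAMLResponse you captured was URL-encoded in the form body, URL-decode it before base64-decoding; if the assertion is encrypted, this checker cannot see its fields and you need SyVault's own logs instead.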