# Microsoft Entra ID

Configure Microsoft Entra ID (formerly Azure AD) as a SAML identity provider for sfp.

> Use the URL that matches your deployment mode. **Self-hosted**: replace `<your-domain>` with your sfp server domain. **Cloud**: use `auth.flxbl.io`. See [URL convention](/flxbl/sfp-server/setting-up/saml-authentication/identity-providers.md#url-convention).

***

## 1. Create the application

1. Sign in to the [Azure Portal](https://portal.azure.com).
2. Go to **Microsoft Entra ID** → **Enterprise applications** → **New application**.
3. Choose **Create your own application**.
4. Select **Integrate any other application you don't find in the gallery (Non-gallery)**.
5. Name it (e.g. "sfp SSO") and click **Create**.

***

## 2. Configure SAML

In the new application, go to **Single sign-on** → **SAML** and click **Edit** on **Basic SAML Configuration**.

| Field                  | Value                                             |
| ---------------------- | ------------------------------------------------- |
| Identifier (Entity ID) | `https://<your-domain>/auth/v1/sso/saml/metadata` |
| Reply URL (ACS URL)    | `https://<your-domain>/auth/v1/sso/saml/acs`      |
| Sign on URL            | leave blank                                       |
| Relay State            | leave blank                                       |
| Logout URL             | leave blank                                       |

Click **Save**.

***

## 3. Configure attributes and claims

> **Do not rely on the default claim set.** `displayname` is not part of it, and the default **Name ID** source is `user.userprincipalname`, not `user.mail`. Verify every row below explicitly: a missing or empty `givenname`, `surname` or `displayname` claim leaves sfp users with blank names.

Click **Edit** on **Attributes & Claims** and ensure these are set:

| Claim name                                                           | Source attribute                        |
| -------------------------------------------------------------------- | --------------------------------------- |
| Unique User Identifier (Name ID)                                     | `user.mail` (Format: **Email address**) |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | `user.mail`                             |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`    | `user.givenname`                        |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`      | `user.surname`                          |
| `http://schemas.microsoft.com/identity/claims/displayname`           | `user.displayname`                      |

The Name ID format **must** be **Email address** and its source **must** be `user.mail`: sfp matches users by email, and a UPN is not always the mailbox address (guest users in particular carry a `#EXT#` UPN). Entra omits any claim whose source attribute is empty, so confirm `user.mail` is populated for every user you assign in step 5.
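To confirm the mapping actually took effect, capture the assertion Entra issues (the base64 `SAMLResponse` form parameter POSTed to the ACS URL, visible in browser developer tools, or the response shown by **Test** on the Single sign-on page) and check it against the table above. The checker below is an added example, not sfp's own code: it reports a Name ID that is not in email-address format, any of the four required claims that is missing or empty, and a Name ID that differs from the `emailaddress` claim (the symptom of leaving the default UPN source in place). The two responses embedded in it are constructed and unsigned; signature, audience and validity-window checks belong to the SP and are deliberately out of scope here.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
CLAIM_DISPLAYNAME = "http://schemas.microsoft.com/identity/claims/displayname"
REQUIRED_CLAIMS = (CLAIM_EMAIL, CLAIM_GIVENNAME, CLAIM_SURNAME, CLAIM_DISPLAYNAME)


def _response_xml(saml_response: str) -> str:
    """Accept raw XML or the base64 SAMLResponse form parameter Entra POSTs to the ACS."""
    text = saml_response.strip()
    if text.startswith("<"):
        return text
    return base64.b64decode(text).decode("utf-8")


def as_form_param(xml_text: str) -> str:
    """Encode XML the way the SAMLResponse form field carries it (plain base64)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def check_assertion_claims(saml_response: str) -> list:
    """Return a list of problems; an empty list means the assertion carries what sfp needs."""
    root = ET.fromstring(_response_xml(saml_response))
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext <Assertion> found (encrypted assertion or malformed response)"]
    problems = []

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    else:
        fmt = name_id.get("Format")
        if fmt != EMAIL_NAMEID_FORMAT:
            problems.append(f"NameID Format is {fmt!r}, expected {EMAIL_NAMEID_FORMAT!r}")
        if "@" not in (name_id.text or ""):
            problems.append(f"NameID value {name_id.text!r} is not an email address")

    # Collect every Attribute by its full claim URI; Entra emits one AttributeValue per value
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]

    for claim in REQUIRED_CLAIMS:
        if not any(v.strip() for v in attrs.get(claim, [])):
            problems.append(f"claim {claim} is missing or empty")

    # NameID and emailaddress both come from user.mail when configured as documented
    emails = attrs.get(CLAIM_EMAIL, [])
    if name_id is not None and emails and name_id.text not in emails:
        problems.append(f"NameID {name_id.text!r} differs from emailaddress claim {emails!r}")
    return problems


def _constructed_response(name_id_format: str, name_id: str, claims: dict) -> str:
    """Build a constructed, unsigned, minimal Entra-style Response for demonstration only."""
    attrs = "".join(
        f'<Attribute Name="{name}"><AttributeValue>{value}</AttributeValue></Attribute>'
        for name, value in claims.items()
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">'
        '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">'
        "<Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>"
        f'<Subject><NameID Format="{name_id_format}">{name_id}</NameID></Subject>'
        f"<AttributeStatement>{attrs}</AttributeStatement>"
        "</Assertion></samlp:Response>"
    )


# Claims configured as in the table above (constructed sample user)
GOOD_RESPONSE = _constructed_response(EMAIL_NAMEID_FORMAT, "ada@contoso.com", {
    CLAIM_EMAIL: "ada@contoso.com", CLAIM_GIVENNAME: "Ada",
    CLAIM_SURNAME: "Lovelace", CLAIM_DISPLAYNAME: "Ada Lovelace",
})

# Default Entra mapping left untouched: NameID is the UPN of a guest user and
# displayname was never added, so sfp would get a mismatched identity and no name
BAD_RESPONSE = _constructed_response(EMAIL_NAMEID_FORMAT, "ada_contoso.com#EXT#@fabrikam.onmicrosoft.com", {
    CLAIM_EMAIL: "ada@contoso.com", CLAIM_GIVENNAME: "Ada", CLAIM_SURNAME: "Lovelace",
})

if __name__ == "__main__":
    for label, response in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_assertion_claims(response) or "OK")
```

Paste the captured `SAMLResponse` value straight into `check_assertion_claims`; it decodes the base64 form itself. An empty result means the Name ID and all four claims are present and consistent; anything else names the row of the table to fix.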

***

## 4. Copy the federation metadata URL

In the **SAML Certificates** section, copy **App Federation Metadata URL**. It looks like:

```
https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>
```

This is the only thing you need to hand to sfp. The URL embeds your tenant ID, so the metadata it returns, including the IdP entity ID and the signing certificate, is specific to your tenant.
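Before handing the URL over, it is worth confirming that it resolves to your own tenant and carries a signing certificate, since the entity ID in it is what ties accepted assertions to your tenant. The script below is an added example, not part of sfp or of Microsoft's tooling: it parses a federation metadata document, reports the entity ID, the single sign-on endpoints and the signing-certificate fingerprints, and flags anything that does not match the tenant ID you expect. The metadata embedded in it is a constructed stand-in with a fake certificate and placeholder tenant ID, and the host names it assumes are those of the Entra global cloud (sovereign clouds use different hosts).

```python
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Assumption: Entra global cloud. Sovereign clouds use other login/issuer hosts.
ENTRA_ISSUER_PREFIX = "https://sts.windows.net/"
ENTRA_LOGIN_PREFIX = "https://login.microsoftonline.com/"

# Constructed stand-in for a real federation metadata document: placeholder tenant,
# fake certificate bytes, no Signature or WS-Federation RoleDescriptor elements.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_DER = b"not a real certificate, constructed for this example"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_metadata(xml_text: str) -> dict:
    """Extract entity ID, SSO endpoints by binding, and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not SAML IdP metadata")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        sso[svc.get("Binding").rsplit(":", 1)[-1]] = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            certs.append({"sha1": hashlib.sha1(der).hexdigest(),
                          "sha256": hashlib.sha256(der).hexdigest()})
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_entra_metadata(xml_text: str, expected_tenant_id: str) -> list:
    """Return problems found against the expected tenant; empty list means it checks out."""
    info = inspect_metadata(xml_text)
    problems = []
    expected_issuer = f"{ENTRA_ISSUER_PREFIX}{expected_tenant_id}/"
    if info["entity_id"] != expected_issuer:
        problems.append(f"entityID {info['entity_id']!r} != expected {expected_issuer!r}")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in info["sso"].items():
        if not location.startswith(f"{ENTRA_LOGIN_PREFIX}{expected_tenant_id}/"):
            problems.append(f"{binding} endpoint {location!r} is not under your tenant")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertions could not be verified")
    return problems


if __name__ == "__main__":
    # Usage: curl -s "<App Federation Metadata URL>" | python check_metadata.py <tenant-id>
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_METADATA
    tenant = sys.argv[1] if len(sys.argv) > 1 else TENANT_ID
    info = inspect_metadata(text)
    print("entityID:", info["entity_id"])
    for binding, location in info["sso"].items():
        print(f"{binding}: {location}")
    for cert in info["signing_certs"]:
        print("signing cert sha1:", cert["sha1"], "sha256:", cert["sha256"])
    print("problems:", check_entra_metadata(text, tenant) or "none")
```

Run it against the live document with `curl -s "<App Federation Metadata URL>" | python check_metadata.py <tenant-id>` and compare the printed SHA-1 fingerprint with the **Thumbprint** shown in the portal's **SAML Certificates** section; two signing certificates listed at once is normal during a certificate rollover.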

***

## 5. Assign users

1. In the application, go to **Users and groups** → **Add user/group**.
2. Pick the users (or groups) who should have sfp access.
3. Click **Assign**.

Users not assigned here are rejected at the IdP before they ever reach sfp, provided **Assignment required?** under the application's **Properties** is set to **Yes**. Check it: if it is **No**, any user in the tenant can sign in to sfp and the assignment list has no effect.

***

## Next step

Continue with [Self-Hosted Setup](/flxbl/sfp-server/setting-up/saml-authentication/self-hosted-setup.md) or [Cloud Setup](/flxbl/sfp-server/setting-up/saml-authentication/cloud-setup.md) to register the IdP with sfp.

