Microsoft Entra ID (Azure AD)
Configure Microsoft Entra ID (formerly Azure AD) as a SAML identity provider for single sign-on to FOSSA.
Overview
Microsoft Entra ID (formerly Azure AD) acts as a SAML 2.0 identity provider for FOSSA. To connect them, you register FOSSA as an enterprise application in Entra, exchange a few values between Entra and FOSSA's authentication settings, then hand FOSSA your Entra sign-on URL and signing certificate.
Note
SAML single sign-on must be enabled for your organization before the settings below appear. SSO is a premium feature, contact your FOSSA account team to enable it.
Before you start, open FOSSA's authentication settings in another tab: go to Settings → Organization → Authentication. The Callback URL and Audience URI / SP Entity ID values shown there are needed while configuring Entra.
Configuring SSO with Microsoft Entra ID
- 1
Set the authentication method in FOSSA
On the Settings → Organization → Authentication page, set the access method to SSO + Email Address and the SSO method to SAML. Keep this page open; you'll copy its Callback URL and Audience URI / SP Entity ID into Entra next.
- 2
Create the FOSSA enterprise application in Entra
In the Azure portal, go to Microsoft Entra ID → Enterprise applications → New application → Create your own application. Name it FOSSA and register it as a non-gallery app. Open the application's Single sign-on page and choose SAML.
- 3
Enter FOSSA's SAML values in Entra
Edit the Basic SAML Configuration section and set:
Entra field Value from FOSSA Identifier (Entity ID) Audience URI / SP Entity ID Reply URL (Assertion Consumer Service URL) Callback URL Warning
Copy the Audience URI / SP Entity ID exactly as FOSSA generates it for your organization. Don't put a
login.microsoftonline.comURL in the Identifier field; that URL is Entra's sign-on URL, which you'll add to FOSSA in a later step. - 4
Download the certificate and copy the login URL from Entra
In the SAML Certificates section, download the Certificate (Base64). Then, in the Set up FOSSA section, copy the Login URL.
- 5
Finish setup in FOSSA
Back on FOSSA's Settings → Organization → Authentication page:
- In Identity Provider Single Sign On URL, paste the Login URL you copied from Entra.
- In Certificate, paste the contents of the Base64 certificate you downloaded.
- Set both access-control options to Mixed control. This keeps local admin access available if you ever need to sign in without SSO.
- Click Save Changes.
- 6
Register your email domain
On the Authentication page, register your organization's email domain. FOSSA sends a verification email to the domain's designated address; click Approve in that email to link the domain to your organization.
Result
Microsoft Entra ID is now configured to authenticate users to FOSSA. Users sign in one of two ways:
- Enter their email address on the FOSSA login page and get redirected to Entra, or
- Launch FOSSA from the Entra My Apps portal.
Note
FOSSA can also set each user's organization role and synchronize their team membership from SAML attributes. See the SAML attributes guide for the supported role and teams claims.
Mapping Entra ID groups to FOSSA teams
This step is optional. Configure it to have Entra send each user's group memberships so FOSSA can assign them to teams automatically at login.
- 1
Open the FOSSA application's claims editor
In the Azure portal, go to Microsoft Entra ID → Enterprise applications, select your FOSSA application, open Single sign-on, and click Edit under Attributes & Claims.
- 2
Add the group claim
Add or edit the group claim
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups. Under Which groups associated with the user should be returned in the claim?, select Groups assigned to the application. - 3
Name the claim `teams`
Check Customize the name of the group claim and set the name to:
teamsFOSSA reads the
teamsclaim and assigns each user to the matching teams in your organization.