Events
Apr 9, 3 PM - Apr 10, 12 PM
Code the Future with AI and connect with Java peers and experts at JDConf 2025.
Register NowTroubleshoot SAML-based single sign-on
If you encounter a problem when configuring an application, verify you followed all the steps in the tutorial for the application. In the application’s configuration, you have inline documentation on how to configure the application. Also, you can access the List of tutorials on how to integrate SaaS apps with Microsoft Entra ID for a detail step-by-step guidance.
To add a second instance of an application, you need to be able to:
- Configure a unique identifier for the second instance. You aren't able to configure the same identifier used for the first instance.
- Configure a different certificate than the one used for the first instance.
If the application doesn’t support any of the listed options, you aren't able to configure a second instance.
If you’re not able to configure the Identifier or the Reply URL, confirm the Identifier and Reply URL values match the patterns preconfigured for the application.
To know the patterns preconfigured for the application:
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator. Go to step 4 if you're already in the application configuration pane in Microsoft Entra ID.
- Browse to Identity > Applications > Enterprise applications > All applications.
- Select the application you want to configure single sign-on.
- Once the application loads, select the Single sign-on from the application’s left-hand navigation menu.
- Select SAML-based Sign-on from the Mode dropdown.
- Go to the Identifier or Reply URL textbox, under the Domain and URLs section.
- There are three ways to know the supported patterns for the application.
- In the textbox, you see the supported pattern as a placeholder, for example:
https://contoso.com. - if the pattern isn't supported, you see a red exclamation mark when you try to enter the value in the textbox. If you hover your mouse over the red exclamation mark, you see the supported patterns.
- In the tutorial for the application, you can also get information about the supported patterns. Under the Configure Microsoft Entra single sign-on section. Go to the step for configured the values under the Domain and URLs section.
- In the textbox, you see the supported pattern as a placeholder, for example:
If the values don’t match with the patterns preconfigured in Microsoft Entra ID, you can work with the application vendor to get values that match the pattern preconfigured in Microsoft Entra ID. If the application is multi-tenant, a single identifier is allowed when the principal object isn't the primary instance of the app.
You won’t be able to select the EntityID (User Identifier) format that Microsoft Entra ID sends to the application in the response after user authentication.
Microsoft Entra ID selects the format for the NameID attribute (User Identifier) based on the value selected or the format requested by the application in the SAML AuthRequest. For more information visit the article Single sign-on SAML protocol under the section NameIDPolicy,
To download the application metadata or certificate from Microsoft Entra ID, follow these steps:
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- Browse to Identity > Applications > Enterprise applications > All applications.
- Select the application you configure for single sign-on.
- Once the application loads, select Single sign-on from the application’s left-hand navigation menu.
- Go to SAML Signing Certificate section, then select Download column value. Depending on what the application requires configuring single sign-on, you see either the option to download the Metadata XML or the Certificate.
Microsoft Entra doesn’t provide a URL to get the metadata. The metadata can only be retrieved as an XML file.
To learn how to customize the SAML attribute claims sent to your application, see Claims mapping in Microsoft Entra ID for more information.