> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# SAML SSO with Microsoft Entra ID

This article describes how to set up SAML Single Sign-on for Semgrep AppSec Platform with Microsoft Entra ID.

This article describes how to set up SAML Single Sign-on for Semgrep AppSec Platform with Microsoft Entra ID.

<Note>
  **PREREQUISITES**

  * An existing Microsoft Entra ID account.
  * Sufficient permissions within Microsoft Entra ID to create enterprise apps. See [Microsoft Entra ID roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
  * Admin privileges for your Semgrep deployment.
</Note>

Setting up SAML SSO using Microsoft Entra ID consists of the following general steps:

<Steps>
  <Step>
    Create a custom **enterprise app** within Microsoft Entra ID.
  </Step>

  <Step>
    Set up SAML SSO for your new enterprise app.
  </Step>

  <Step>
    Configure Semgrep.
  </Step>

  <Step>
    Add users to your new enterprise app.
  </Step>
</Steps>

## Configure SSO

<Tabs>
  <Tab title="Guided setup (beta)">
    <Steps>
      <Step>
        Sign in to [<Icon icon="arrow-up-right-from-square" /> Semgrep AppSec Platform](https://semgrep.dev/login).
      </Step>

      <Step>
        Go to [**Settings > Access > Login methods**](https://semgrep.dev/orgs/-/settings/access/loginMethods).
      </Step>

      <Step>
        In the **Single sign-on (SSO)** section, provide a valid **Email domain**, then click **Initialize**.
      </Step>

      <Step>
        The **Configure Single Sign-On** dialog appears to guide you through the remaining configuration steps. Begin by selecting **Entra ID (Azure AD) SAML**.
      </Step>

      <Step>
        Follow the instructions provided on the subsequent **Configure Single Sign-On** dialog pages to complete this process. When you've completed the required steps, use **Test sign-in** to test the connection.
      </Step>

      <Step>
        Once test sign-in has passed, close the test page. Verify that the **Connection details** shown on the **Connection activated** screen are correct and close the dialog.
      </Step>

      <Step>
        Verify that the **Connection status** is now **active** under the **Single sign-on (SSO)** section in Semgrep AppSec Platform.
      </Step>

      <Step>
        To use the new connection, log out of Semgrep, then log back in using SSO.
      </Step>
    </Steps>
  </Tab>

  <Tab title="Legacy manual configuration">
    ## Create a custom enterprise app

    <Steps>
      <Step>
        Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).
      </Step>

      <Step>
        Use the search bar to find and navigate to **enterprise applications**.

        <Frame>
          <img src="https://mintcdn.com/semgrep-ee9d73d8/yMsI1pCt6oL_Pkb9/images/kb/semgrep-appsec-platform/saml-microsoft-entra-id/entra-1.png?fit=max&auto=format&n=yMsI1pCt6oL_Pkb9&q=85&s=3b23d8fc8a205103969e098e81ad18f3" alt="Microsoft Entra admin center's Enterprise applications screen" width="2438" height="1468" data-path="images/kb/semgrep-appsec-platform/saml-microsoft-entra-id/entra-1.png" />
        </Frame>
      </Step>

      <Step>
        Click **New application** > **Create your own application**. A menu appears.

        <Frame>
          <img src="https://mintcdn.com/semgrep-ee9d73d8/yMsI1pCt6oL_Pkb9/images/kb/semgrep-appsec-platform/saml-microsoft-entra-id/entra-2.png?fit=max&auto=format&n=yMsI1pCt6oL_Pkb9&q=85&s=68d0f73e0192fcb46f65c700973b7092" alt="Create your own application screen" width="2440" height="1498" data-path="images/kb/semgrep-appsec-platform/saml-microsoft-entra-id/entra-2.png" />
        </Frame>
      </Step>

      <Step>
        Name your new application something like `Semgrep SAML`.
      </Step>

      <Step>
        Select **Integrate any other application you don't find in the gallery (non-gallery)**.
      </Step>

      <Step>
        Click **Create**. This takes you to your new enterprise application's page.
      </Step>
    </Steps>

    You have now created a custom enterprise app for Semgrep to integrate with Microsoft Entra ID. This enables you to set up SAML SSO.

    ## Set up SAML SSO for your new enterprise app

    <Steps>
      <Step>
        From your new enterprise app's page, go to **Single-sign on** > **SAML**.

        <Frame>
          <img src="https://mintcdn.com/semgrep-ee9d73d8/yMsI1pCt6oL_Pkb9/images/kb/semgrep-appsec-platform/saml-microsoft-entra-id/entra-3.png?fit=max&auto=format&n=yMsI1pCt6oL_Pkb9&q=85&s=33333b6d70583a27a243a26edd8ac1b9" alt="Enterprise application's Single-sign on menu option" width="2442" height="1492" data-path="images/kb/semgrep-appsec-platform/saml-microsoft-entra-id/entra-3.png" />
        </Frame>
      </Step>

      <Step>
        When prompted to **Select a single sign-on method**, select **SAML**. You are redirected to the **SAML-based Sign-on** page.

        <Frame>
          <img src="https://mintcdn.com/semgrep-ee9d73d8/yMsI1pCt6oL_Pkb9/images/kb/semgrep-appsec-platform/saml-microsoft-entra-id/entra-3.png?fit=max&auto=format&n=yMsI1pCt6oL_Pkb9&q=85&s=33333b6d70583a27a243a26edd8ac1b9" alt="SAML-based Sign-on screen" width="2442" height="1492" data-path="images/kb/semgrep-appsec-platform/saml-microsoft-entra-id/entra-3.png" />
        </Frame>
      </Step>

      <Step>
        In the **Basic SAML Configuration** section, click **Edit**. Provide the **Entity ID** and **Reply URL**. You can retrieve these values from Semgrep AppSec Platform by performing the following steps:<br />
          i. Sign in to Semgrep AppSec Platform.<br />
          ii. Navigate to **[Settings > Access > Login methods](https://semgrep.dev/orgs/-/settings/access/loginMethods)**.
          iii. Click **Add SSO configuration** and select **SAML2 SSO**.<br />
          iv. Copy the **Audience URL (SP Entity ID)** value from Semgrep AppSec Platform. Return to **Basic SAML Configuration**. Click **Add identifier** to paste this value as the **Identifier (Entity ID)**.<br />
          v. Copy the **SSO URL** value from Semgrep AppSec Platform. Return to **Basic SAML Configuration**. Click **Add reply URL** to paste this value as the **Reply URL (Assertion Consumer Service URL)**.
      </Step>

      <Step>
        Click **Save** and close out of **Basic SAML Configuration**.
      </Step>

      <Step>
        In the **Attributes and Claims** section, click **Edit**. You must add two claims. To add your first claim:<br />
          i. Click **Add new claim**.<br />
          ii. Enter `name` in the **Name** field.<br />
          iii. For the **Source attribute** drop-down box, select `user.displayname`.<br />
          iv. Click **Save**.
      </Step>

      <Step>
        To add your second claim:<br />
          i. Click **Add new claim**<br />
          ii. Enter `email` in the **Name** field.<br />
          iii. From the **Source attribute** drop-down box, select `user.mail`.<br />
          iv. Click **Save**.
      </Step>

      <Step>
        Close out of **Attributes & Claims**.
      </Step>
    </Steps>

    ## Configure Semgrep

    <Steps>
      <Step>
        Navigate to Semgrep AppSec Platform, and provide the values required by the SAML2 form:<br />
          i. Provide the **Display name** and the **Email domain** you are using for the integration.<br />
          ii. Copy the **Login URL** value from Microsoft Entra ID and paste it in into Semgrep AppSec Platform's **IDP SSO URL** field.<br />
          iii. Copy and paste the **Microsoft Entra ID Identifier** value into Semgrep AppSec Platform's **IdP Issuer ID** field.<br />
          iv. In Entra ID's **SAML-based Sign-on** page, click **Download** to obtain the **Certificate (Base64)**.<br />
          v. In Semgrep AppSec Platform, under **Upload/Paste certificate**, click **Browse** and then select the certificate you downloaded.

        <Frame>
          <img src="https://mintcdn.com/semgrep-ee9d73d8/yMsI1pCt6oL_Pkb9/images/kb/semgrep-appsec-platform/saml-microsoft-entra-id/entra-4.png?fit=max&auto=format&n=yMsI1pCt6oL_Pkb9&q=85&s=6cedc0c986007bc336328eac9f2a6a8f" alt="Semgrep AppSec Platform's SAML2 configuration screen" width="1700" height="1810" data-path="images/kb/semgrep-appsec-platform/saml-microsoft-entra-id/entra-4.png" />
        </Frame>
      </Step>

      <Step>
        Select the box next to **This SSO supports non-password authentication mechanisms (e.g. MFA, X509, PasswordLessPhoneSignin)** if applicable.
      </Step>

      <Step>
        Click **Save** to proceed.
      </Step>
    </Steps>
  </Tab>
</Tabs>

## Add users to your new enterprise app

To add users to the application in so they can log in with their domain emails, refer to [Assign users and groups to an application](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal).
