Set up SSO with Microsoft Entra ID
This guide connects Microsoft Entra ID (formerly Azure AD) to KloudMate. Entra supports both OIDC and SAML. OIDC is the simpler setup, but it has one easy-to-miss requirement — read the discovery-URL note below before you start.
Before you start
- You’re the KloudMate organization owner on a paid plan.
- You can create app registrations / enterprise apps in the Microsoft Entra admin center.
- Copy KloudMate’s values first from the Service provider details card.
OIDC (recommended)
1. Register the app
- In the Microsoft Entra admin center, go to Identity → Applications → App registrations → New registration.
- Name it (for example KloudMate).
- Under Redirect URI, choose Web and enter:
- Register the app, then copy the Application (client) ID and Directory (tenant) ID from the Overview page.
2. Create a client secret
- Open Certificates & secrets → Client secrets → New client secret.
- Add a description and expiry, then Add.
- Copy the secret Value immediately — Entra only shows it once.
3. Copy the values into KloudMate
In KloudMate, open Connections → Add connection, choose OIDC, and fill in:
- Display name — Azure AD (or Entra ID)
- Discovery URL — the tenant-specific URL from the caution above, with your tenant ID
- Client ID — the Application (client) ID
- Client secret — the secret Value you copied
- Scopes — leave as openid email profile
Click Add connection.
Email claim note
Entra often omits the email claim. KloudMate falls back to preferred_username / upn, which works for most users. For reliable sign-in, make sure each user has a mailbox, or add the optional email claim to the app’s token configuration:
- Open Token configuration → Add optional claim.
- Choose ID as the token type, select email, and save.
- If prompted, grant the related Microsoft Graph permission.
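To see which claim a given ID token would supply before you test sign-in, the following added example (not KloudMate's code) decodes a token payload without verifying its signature and applies the fallback described in the note above. The order email, preferred_username, upn, the verified-domain check, and all function names are assumptions made for illustration.

```python
import base64
import json

# Assumed fallback order, based on the note above: email, preferred_username, upn.
CLAIM_ORDER = ("email", "preferred_username", "upn")


def decode_claims(id_token: str) -> dict:
    """Return the JWT payload as a dict. Inspection only: the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_email(claims: dict, verified_domains: set) -> dict:
    """Report which claim would supply the sign-in email and why it might be rejected."""
    for name in CLAIM_ORDER:
        value = claims.get(name)
        if not isinstance(value, str) or not value.strip():
            continue  # claim absent or empty: try the next fallback
        value = value.strip().lower()
        local, sep, domain = value.rpartition("@")
        problems = []
        if not (sep and local and "." in domain):
            problems.append("value is not email-shaped")
        elif domain not in verified_domains:
            problems.append("domain %s is not verified" % domain)
        if name != "email":
            problems.append("email claim missing, fell back to " + name)
        return {"source": name, "email": value, "problems": problems}
    return {"source": None, "email": None, "problems": ["no usable identity claim"]}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed sample: no email claim, UPN on the tenant's default domain.
    token = make_sample_token({"sub": "1", "preferred_username": "bob@contoso.onmicrosoft.com"})
    print(resolve_email(decode_claims(token), {"contoso.com"}))
```

A non-empty problems list for a test user points at the optional email claim steps above or at domain verification under Finish up.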
SAML
1. Create the enterprise app
- Go to Identity → Applications → Enterprise applications → New application → Create your own application.
- Choose Integrate any other application you don’t find in the gallery, name it, and create it.
- Open Single sign-on → SAML, and under Basic SAML Configuration set:
  - Identifier (Entity ID) — your KloudMate SP Entity ID (the entityID from the downloaded SP metadata)
  - Reply URL (Assertion Consumer Service URL) — your KloudMate ACS URL, https://api.kloudmate.com/sso/saml
2. Copy Entra’s metadata into KloudMate
- In the SAML setup page, download the Federation Metadata XML (or copy the App Federation Metadata Url).
- In KloudMate, open Connections → Add connection, choose SAML 2.0, keep Paste metadata XML, and paste the Federation Metadata XML into IdP metadata XML.
- Set Display name and click Add connection.
Email mapping
In the enterprise app, open Attributes & Claims and confirm the Unique User Identifier (Name ID) is the user’s email (for example user.mail or user.userprincipalname), in emailAddress format. If your users’ UPN isn’t their email, map an email attribute to user.mail and set the corresponding Email attribute in KloudMate’s manual SAML form.
Finish up
- Verify your company domain.
- Choose a provisioning mode.
- Test sign-in with a work email on a verified domain via Sign in with SSO.
For issuer or email errors, see Troubleshooting.