SAML SSO with Entra

Microsoft Entra ID is Microsoft's cloud-based identity and access management service, formerly known as Azure Active Directory. With SAML SSO configured between Microsoft Entra and Document360, your users and readers can sign in to Document360 using their existing Microsoft credentials, without needing a separate password.

NOTE

Only users with the Owner or Admin project role can configure SSO in Document360.

What you can do with Microsoft Entra as your IdP

| Capability | Supported |
| --- | --- |
| User (portal) authentication | Yes |
| Reader (knowledge base site) authentication | Yes |
| IdP-initiated sign-in | Yes |
| SCIM user provisioning | Yes |
| SCIM reader provisioning | Yes |
| SCIM group sync | Yes |
| SSO configuration inheritance (parent-child projects) | Yes |

Before you begin

  • You have an active Microsoft Azure account with administrator access. Sign in at entra.microsoft.com.
  • You have Owner or Admin access in your Document360 project.
  • Open Document360 and Microsoft Entra in two separate browser tabs. You will need to switch between them multiple times during setup.

Step 1: Create a SAML application in Microsoft Entra

Sign in to Microsoft Entra

  1. Log in to your Microsoft Azure account at entra.microsoft.com.
  2. You are taken to the Microsoft Entra admin center.

Create the application

  1. In the Microsoft Entra admin center, select Entra ID from the left navigation bar and click Enterprise apps.
  2. On the Enterprise applications page, click New application > Create your own application.
  3. Enter a name for your application in the Input name field and click Create.

NOTE

When creating the application, ensure you select Create your own application and choose the Integrate any other application you don't find in the gallery radio button. Do not select a Gallery app or search for Document360 in the Entra Gallery. Gallery applications do not support custom SCIM provisioning. If a Gallery app has already been configured, you will need to create a new Non-Gallery application and reconfigure your SSO setup.


Step 2: Configure SAML in Entra using Document360 parameters

Get the Service Provider parameters from Document360

  1. Open Document360 in a separate tab.
  2. Navigate to Settings > Users & permissions > SSO Configuration.
  3. Click Create SSO.
  4. Select Entra ID as your Identity Provider (IdP). You are taken to the Configure the Service Provider (SP) page automatically.
  5. The Configure the Service Provider (SP) page displays the parameters required to configure your SAML integration in the Identity Provider.

Configure SAML in Entra

  1. Go to Microsoft Entra. On the page of the application you created, open the Single sign-on tab and select SAML as the method.
  2. Click Edit in the Basic SAML Configuration section and enter the parameters from Document360 as shown below.

     | Entra | Document360 |
     | --- | --- |
     | Reply URL (Assertion Consumer Service URL) | Callback path |
     | Sign on URL | Callback path |
     | Identifier (Entity ID) | Service provider entity ID |

  3. Click Save.

Step 3: Complete the SSO configuration in Document360

Configure the Identity Provider in Document360

  1. Return to Document360 and click Next to navigate to the Configure the Identity Provider (IdP) page.
  2. If you already have an existing SSO configuration, you can select it from the Configure an existing connection dropdown to inherit its settings. This eliminates redundant setup and saves time.

NOTE

For more information on inheritance, see Managing users and readers with SCIM in Entra.

  3. Fill in the required fields using the parameters found in the Set up Document360 SCIM SSO section of the Entra page, as shown below.

     | Entra | Document360 |
     | --- | --- |
     | Login URL | Sign on URL |
     | Microsoft Entra Identifier | Entity ID |
     | SAML certificate | Certificate (Base64) |

  4. Download the Certificate (Base64) in the SAML Certificates section and attach it to the SAML certificate field in Document360.
  5. Toggle the Allow IdP initiated sign in option on or off based on your project requirements. Learn more about IdP-initiated sign-in.
  6. Click Next to proceed to the SCIM provisioning page.
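
In SAML, the service provider verifies signed responses against the IdP certificate, so it is worth checking the downloaded Certificate (Base64) file before attaching it. The following is an added example, not Document360 or Microsoft code: it confirms the file holds exactly one PEM certificate and no private key, and returns thumbprints you can compare with the value shown for the certificate in Entra. It assumes the thumbprint Entra displays is the SHA-1 hash of the DER encoding; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def inspect_idp_certificate(pem_text):
    """Validate a Base64 (PEM) certificate file and return its thumbprints."""
    # A signing-certificate export must never carry key material.
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("file contains a private key; do not upload it")
    bodies = CERT_BLOCK.findall(pem_text)
    if len(bodies) != 1:
        raise ValueError(f"expected one CERTIFICATE block, found {len(bodies)}")
    try:
        # Strip line breaks (LF or CRLF) before strict Base64 decoding.
        der = base64.b64decode("".join(bodies[0].split()), validate=True)
    except ValueError as exc:
        raise ValueError("certificate body is not valid Base64") from exc
    # Every X.509 certificate is a DER SEQUENCE, so the first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER-encoded certificate")
    return {
        "der_length": len(der),
        # Assumption: Entra's displayed thumbprint is SHA-1 over the DER bytes.
        "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper(),
        "sha256_thumbprint": hashlib.sha256(der).hexdigest().upper(),
    }


def constructed_sample_pem(newline="\n"):
    """Build a placeholder PEM file; the bytes are constructed, not a real certificate."""
    fake_der = b"\x30\x82\x00\x04" + b"demo"
    body = base64.b64encode(fake_der).decode("ascii")
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", body, "-----END CERTIFICATE-----", ""]
    )


if __name__ == "__main__":
    # Replace the sample with the text of the file downloaded from Entra.
    for name, value in inspect_idp_certificate(constructed_sample_pem()).items():
        print(f"{name}: {value}")
```

The check does not parse the validity period, so confirm the expiry date shown in the SAML Certificates section separately.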

Step 4: Configure SCIM provisioning

SCIM provisioning automates user and reader lifecycle management between Microsoft Entra and Document360. When enabled, users added, updated, or deactivated in Entra are automatically synced to Document360.

If you do not need SCIM provisioning, click Next and continue with Step 5: More settings.

Enable SCIM in Document360

  1. On the SCIM provisioning page in Document360, turn on the Enable SCIM provisioning toggle.
  2. A confirmation dialog will appear. Read the terms and click Agree. A set of parameters will then be displayed.

CAUTION

The primary and secondary secret tokens are generated once and displayed only at the time of creation. Ensure you copy and store them in a secure location before saving the configuration. Once the SSO configuration is saved, the tokens will appear masked and cannot be retrieved. Regenerating a token invalidates the existing one and requires you to update the new token in your Entra configuration to avoid disrupting user sync.

Configure SCIM provisioning in Entra

  1. Go to Entra, select the Provisioning tab in the left menu, and then select New configuration in the top menu.
  2. The New provisioning configuration page is displayed. Fill in the fields in the Admin credentials section using the parameters from Document360 as shown below.

     | Entra | Document360 |
     | --- | --- |
     | Tenant URL | SCIM Base URL |
     | Secret token | Primary secret token |

NOTE

Do not click Test connection or Create at this stage. The SSO configuration in Document360 must be completed first before the SCIM provisioning connection can be established successfully.

Set default roles and groups in Document360

  1. Navigate back to Document360 and turn on the Enable group sync toggle. When enabled, users and reader groups are automatically assigned based on IdP group mappings.
  2. In the Default role field, the role is set to Contributor by default. You can change this from the dropdown if needed.

NOTE

The Default role applies to Users only. It does not affect users provisioned as Readers via the isTeamAccount = False attribute mapping. For information on attribute mapping, see Managing users and readers with SCIM in Entra.

  3. In the User groups and Reader groups fields, select the groups you want to add. Multiple groups can be added, and they will inherit the default role you selected earlier.
  4. Click Next to navigate to the More settings page.

NOTE

For full details on managing users, readers, and groups through SCIM, including attribute mapping, provisioning workflows, and deprovisioning, see Managing users and readers with SCIM in Entra.


Step 5: More settings

Configure SSO name and login options

  1. In the SSO name field, enter a name for the SSO configuration.
  2. In Customize login button, enter the text for the login button displayed to users.
  3. Auto assign reader group - this option is only available for existing SSO configurations. For newly created SSO configurations, this toggle will not be displayed as SCIM automatically provisions users and groups. Learn more about Auto assign reader group.
  4. Enable Sign out idle SSO user if needed, and set the idle duration.
  5. Choose whether to invite existing user and reader accounts to SSO.
  6. Click Create to complete the SSO configuration.

The SSO configuration in Document360 is created successfully.


Step 6: Complete SCIM provisioning in Entra

Test and save the SCIM connection

  1. Navigate back to Entra, where the New provisioning configuration page is displayed.
  2. Once all the required fields have been filled in, click Test connection to verify the configuration.
  3. A confirmation message will appear once the SCIM provisioning connection between Entra and Document360 is successful.
  4. Click Create to finalise the configuration.

The SCIM provisioning between Entra and Document360 has been successfully created.

NOTE

For more details on how to manage users, readers, and groups in Entra, see Managing users and readers with SCIM in Entra.


Best practices

  • Create a Non-Gallery application. Always use the Integrate any other application you don't find in the gallery option when creating your Entra application. Gallery apps do not support custom SCIM provisioning.
  • Store both secret tokens securely. Treat the primary and secondary SCIM tokens like passwords. Store them in a secrets manager or password vault, not in plain text files or code repositories.
  • Do not test the SCIM connection before saving the Document360 configuration. The test will fail at that stage. Always complete and save the Document360 SSO configuration first, then return to Entra to test.
  • Set attribute mapping at the user level, not the group level. When configuring the isTeamAccount attribute, always set it at the user level to avoid provisioning conflicts for users who belong to multiple groups.
  • Align the idle timeout with your security policy. Enable Sign out idle SSO user and set the duration to match your organization's session management requirements.

FAQ

Why do I need to use a Non-Gallery application instead of searching for Document360 in the Entra Gallery?

Gallery applications in Entra do not support custom SCIM provisioning. To enable SCIM between Entra and Document360, you must create a Non-Gallery application by selecting Create your own application and choosing Integrate any other application you don't find in the gallery. If a Gallery app has already been configured, you will need to create a new Non-Gallery application and reconfigure your SSO setup.

What happens to existing Document360 users when I configure SSO?

Existing users are not automatically converted. During the More settings step, you can choose to invite existing user and reader accounts to SSO. Users who are converted retain all their existing roles and permissions.