---
title: "SAML SSO with Entra"
slug: "saml-sso-with-entra"
description: "You can configure Document360's SAML Single Sign-On (SSO) with the Azure Active directory (Azure AD) as the Identity provider."
tags: ["SAML"]
updated: 2026-04-25T09:30:16Z
published: 2026-04-25T09:30:16Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.document360.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SAML SSO with Entra

You can configure Document360's **SAML Single Sign-On** (SSO) with the **Microsoft Entra**as the Identity provider. Please note that only users with **Owner** or **Admin**as **Project role** can configure SSO in Document360.

> [!TIP]
> ** PRO TIP
> 
> It is recommended to open **Document360**and **Entra**in two separate tabs/browser windows, since configuring SSO in Document360 will require you to switch between Okta and Document360 multiple times.

## Adding an application in the Azure portal

### Sign in for Entra

1. Log in to your **Microsoft Azure**account using your credentials (Link: [https://entra.microsoft.com/#home).](https://entra.microsoft.com/#home).)
2. Once logged in, you will be navigated to the**Microsoft Entra admin center** page.

### Adding your application

To create an application in Entra to configure with Document360,

1. In the **Microsoft Entra admin center** page, select**Entra ID**from the left navigation bar and click**Enterprise apps**.
2. On the **Enterprise applications** page, click **New application** > **Create your own application**.
3. Enter a name of your app in the**Input name** field and click **Create**.

![](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/creating application.gif)

Application in Entra is successfully created.

> [!NOTE]
> ******NOTE
> 
> When creating the application, ensure you select **Create your own application**and choose the **Integrate any other application you don't find in the gallery** radio button. Do not select a Gallery app or search for Document360 in the Entra Gallery. Gallery applications do not support custom SCIM provisioning. If a Gallery app has already been configured, you will need to create a new Non-Gallery application and reconfigure your SSO setup.

### Configure SAML in Entra with Document360

1. Open Document360 in a separate tab or panel.
2. Navigate to **Settings**>**Users & permissions** >**SSO Configuration** in Document360.
3. Click the **Create SSO** button.

![User management interface showing SSO configuration options and settings for Azure AD.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/create sso(3).png)

1. Select **Entra ID**as your Identity Provider (IdP) to navigate to the **Configure the Service Provider (SP)** page automatically.

![Select an Identity Provider for Single Sign-On configuration options and settings.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/okta eu(1).png)

1. In the **Configure the Service Provider (SP)** page, you'll find the required parameters to configure your SAML integration in the Identity Provider. ![Configuration settings for Entra ID with highlighted callback paths and service provider entity ID.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/sp(5).png)
2. Go to Microsoft Entra, and in the created application page open **Single sign-on**tab and select**SAML** method.

![Select a single sign-on method, highlighting SAML for secure authentication options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/saml method.png)

1. Then, click **Edit**on the **Basic SAML Configuration**section and enter the parameters from Document360 as shown below.

| Entra | Document360 |
| --- | --- |
| Reply URL (Assertion Consumer Service URL) | Callback path |
| Sign on URL | Callback path |
| Identifier (Entity ID) | Service provider entity id |

![Basic SAML configuration settings for Document360 SCIM SSO in Microsoft Entra admin center.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/saml config.png)

1. Click **Save**once you’ve entered the necessary fields.

---

### Document360 SSO configuration

Finally, complete the SSO configuration in Document360:

1. Return to Document360 and click **Next** to navigate to the **Configure the Identity Provider (IdP)** page.
2. If you already have an existing SSO configuration, you can select it from the **Configure an existing connection**dropdown to inherit its settings. This eliminates redundant setup and saves time.

> [!NOTE]
> ******NOTE
> 
> For more information on Inheritance, go to [Managing Users and Readers with SCIM in Entra](/help/docs/scim-with-entra#inherit-from-another-application).

![Configuration settings for creating a new SSO with highlighted fields and options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/idp(6).png)

1. Fill in the required fields using the parameters found in the **Set up Document360 SCIM SSO** section of the Entra page, as shown below.

| Entra | Document360 |
| --- | --- |
| Login URL | Sign on URL |
| Microsoft Entra Identifier | Entity id |
| SAML certificate | Certificate (Base64) |

1. Download the **Certificate (Base64)** in the **SAML Certificates section** and attach it to the **SAML certificate field** in Document360.

![Document360 SCIM SSO settings with highlighted certificate download options and URLs.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/certificate.png)

1. Toggle on/off the **Allow IdP initiated sign in** option based on your project requirements.
2. Click **Next** to proceed to the **SCIM provisioning** page.

### SCIM Provisioning

If needed, you can enable SCIM in Entra with Document360 by following the steps below.

1. In the**SCIM provisioning**page in Document360, turn on the **Enable SCIM provisioning**toggle.
2. A confirmation dialog will appear, read the terms and click **Agree**. A set of parameters will then be displayed.

![Configuration settings for SCIM provisioning and identity provider setup in a user interface.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/enable group sync(3).png)

1. Go to Entra, and select **Provisioning**tab in the left menu and then select**New configuration**at the top menu.

![Overview page of Document360 SCIM SSO with configuration options and application provisioning details.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/new config.png)

1. The**New provisioning configuration** page will be displayed where you need to fill in the fields in the**Admin credentials** section.
2. Navigate back to **SCIM provisioning page** in Document360 and enter these parameters to Entra as shown below.

| Entra | Document360 |
| --- | --- |
| Tenant URL | SCIM Base URL |
| Secret token | Primary secret token |

> [!NOTE]
> ******NOTE
> 
> Do not click Test connection or Create at this stage. The SSO configuration in Document360 must be completed first before the SCIM provisioning connection can be established successfully.

![Configuration settings for Document360 SCIM SSO with highlighted tenant URL and secret token.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/tenant url.png)

1. Navigate back to Document360 and turn on the **Enable group sync** toggle. When enabled, users and reader groups are automatically assigned based on IdP group mappings.
2. In the**Default role** field, the role is set to **Contributor**by default. You can change this from the dropdown if needed.

> [!NOTE]
> ******NOTE
> 
> The Default role applies to **Users**only. It does not affect users provisioned as Readers via the `isTeamAccount = False` attribute mapping. For information on attribute mapping, read [Managing Users and Readers with SCIM in Entra.](/help/docs/scim-with-entra#assign-attribute-mapping)

1. In the**User groups** and **Reader groups**fields, select the groups you want to add. Multiple groups can be added, and they will inherit the default role you selected earlier.
2. Click **Next**to navigate to **More settings** page.

### More Settings

In the **More settings** page, configure the following:

- **SSO name**: Enter a name for the SSO configuration.
- **Customize login button**: Enter the text for the login button displayed to users.
- **Auto assign reader group:**This option is only available for existing SSO configurations. For newly created SSO configurations, the Auto assign reader group toggle will not be displayed as SCIM automatically provisions users and groups.
- **Sign out idle SSO user**: Toggle on/off based on your requirements.
- Choose whether to invite existing user and reader accounts to SSO.

![Settings for creating a new SSO, including name and login button customization options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/more settings(9).png)

Click **Create** to complete the SSO configuration.

SSO configuration in Document360 is created successfully.

### Complete SCIM provisioning:

1. Navigate back to Entra, where the **New provisioning configuration** page is displayed.
2. Once all the required fields have been filled in, click**Test connection** to verify the configuration.

![Configuration settings for Document360 SCIM SSO with tenant URL and secret token fields.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/test connection(1).png)

1. A confirmation message will appear once the SCIM provisioning connection between Entra and Document360 is successful.
2. Click **Create**to finalize the configuration.

The SCIM provisioning between Entra and Document360 has been successfully created.

> [!NOTE]
> ******NOTE
> 
> For more details on how to manage users, readers and groups in Entra. Go to [Managing Users and Readers with SCIM in Entra.](/help/docs/scim-with-entra)

Security Assertion Markup Language (SAML) is a widely used Single Sign-On (SSO) standard that enables secure authentication and authorization by allowing users to log in to multiple applications with a single set of credentials.