This topic tells you how to set up Microsoft Entra ID as your identity provider by configuring SAML integration in both Single Sign‑On for VMware Tanzu Application Service and Microsoft Entra ID.

Overview

To set up Microsoft Entra ID as your identity provider through SAML integration:

  1. Set up SAML in Single Sign‑On
  2. Set up SAML in Microsoft Entra ID
  3. Set up claims mapping

Set up SAML in Single Sign‑On

To set up SAML in Single Sign‑On, follow the steps in Configure SAML Settings.

Set up SAML in Microsoft Entra ID

To set up SAML in Microsoft Entra ID:

  1. Log in to the Microsoft Azure portal with an account that can create and configure enterprise applications. A Global Administrator can do this, but the steps below only need the less-privileged Cloud Application Administrator role, which is the better choice.

  2. Go to the Microsoft Entra ID tab > Enterprise applications.


  3. Click New application.

    The All applications section in Microsoft Entra ID.

  4. Click Create your own application.

    The Browse Gallery section in Microsoft Entra ID.

  5. Enter a name and then click Integrate any other application you don’t find in the gallery (Non-gallery).

    The Create your own application section in Microsoft Entra ID.

  6. In the All applications tab of Enterprise applications, click your newly created application.

  7. In the application overview, click Set up single sign on > SAML.

    The Application Overview section in Microsoft Entra ID.

  8. Click Upload metadata file and upload the service provider metadata file you downloaded earlier in Set up SAML in Single Sign‑On. This populates the Identifier (Entity ID) and Reply URL fields from the metadata, so check them against what Single Sign‑On shows before you save. Save the configuration when prompted.

    The SAML-based Sign-On section in Microsoft Entra ID.

  9. Record the App Federation Metadata URL. Single Sign‑On reads the tenant's entityID, sign-on endpoints, and the certificate it uses to verify assertion signatures from this URL, so it is the value you need when setting up the SSO identity provider configuration. For more information, see Setting up SAML.

    The SAML-based Sign-On section in Microsoft Entra ID.

  10. Go to the Users and groups tab and then click Add user. Select users or group names from the search box. For example, you can add a group that includes all users who can log in to the Single Sign‑On plan. Assignments only restrict sign-in when Assignment required? is set to Yes in the application's Properties, so verify that setting if you intend the assigned users and groups to act as an allow list.

Set up claims mapping

To set up claims mapping:

  1. Go to Microsoft Entra ID > Enterprise applications.

  2. Click your app and then click Single sign-on.

Enable user attribute mappings

To enable user attribute mappings:

  1. In the Attributes and Claims section, click Edit.

    The SAML-based Sign-On section in Microsoft Entra ID. The Attributes and Claims section is shown.

  2. Edit the attributes so that the claim names and values match the attribute names you configure on the Single Sign‑On identity provider, and remove any claims the application does not need.

  3. Pass group membership claims to the app by clicking Add a group claim:

    The Group Claims modal in Microsoft Entra ID.

    1. Select one of the following:

      • Security groups, which is a group claim containing the identifiers of all security groups of which the user is a member.
      • All groups, which is a group claim containing the identifiers of all security groups and distribution lists of which the user is a member.

      Both options emit group object IDs (GUIDs) rather than display names, so match on IDs on the Single Sign‑On side. If a user belongs to more than 150 groups, Microsoft Entra ID omits the group list from the SAML token and emits a group overage link claim instead; if that can happen in your tenant, either choose Groups assigned to the application to keep the claim small, or treat the overage claim as a failed lookup rather than as an empty group list.
    2. Save the change.

For more information, see the Microsoft documentation.
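To show what the group claim configured above looks like to the consuming side, including the case where the group list is omitted, the following is an added example, not code from Single Sign‑On or from Microsoft. It parses a constructed, unsigned assertion body; signature verification is the SSO service's job and is out of scope. The tenant ID, group object IDs, and the overage link URL are placeholders, and the claim names are the ones Microsoft Entra ID uses for group membership and for the group overage link.

```python
"""Read the Entra group claim from a SAML assertion and fail closed on the group-overage case.
Added example, not code from the product or from Microsoft."""
import xml.etree.ElementTree as ET  # constructed input only; use defusedxml for untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
OPS_GROUP = "aaaaaaaa-0000-0000-0000-000000000002"  # constructed group object ID


def _assertion(attributes_xml):
    """Build a constructed (unsigned) assertion body around an AttributeStatement."""
    return f"""<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <Issuer>{ISSUER}</Issuer>
  <Subject><NameID>alice@example.com</NameID></Subject>
  <AttributeStatement>{attributes_xml}</AttributeStatement>
</Assertion>""".encode()


# Normal case: the groups claim carries object IDs, not display names.
SAMPLE_ASSERTION = _assertion(f"""
    <Attribute Name="{EMAIL_CLAIM}"><AttributeValue>alice@example.com</AttributeValue></Attribute>
    <Attribute Name="{GROUPS_CLAIM}">
      <AttributeValue>aaaaaaaa-0000-0000-0000-000000000001</AttributeValue>
      <AttributeValue>{OPS_GROUP}</AttributeValue>
    </Attribute>""")

# Overage case: more than 150 groups, so Entra omits the list and emits a groups.link claim
# instead (the link URL below is a constructed placeholder).
SAMPLE_OVERAGE_ASSERTION = _assertion(f"""
    <Attribute Name="{EMAIL_CLAIM}"><AttributeValue>alice@example.com</AttributeValue></Attribute>
    <Attribute Name="{GROUPS_OVERAGE_CLAIM}">
      <AttributeValue>https://graph.microsoft.com/v1.0/users/alice@example.com/getMemberObjects</AttributeValue>
    </Attribute>""")


def assertion_attributes(assertion_xml, expected_issuer=ISSUER):
    """Map claim name -> list of values, after checking that the Issuer is our tenant.
    Signature validation is the SSO service's job and is out of scope here."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"assertion issuer {issuer!r} is not the configured tenant")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def group_memberships(assertion_xml):
    """Return (group_object_ids, overage_link). overage_link is None unless Entra replaced the
    group list with a groups.link claim, in which case group_object_ids is incomplete (empty)."""
    attrs = assertion_attributes(assertion_xml)
    link = attrs.get(GROUPS_OVERAGE_CLAIM)
    return attrs.get(GROUPS_CLAIM, []), (link[0] if link else None)


def is_member(assertion_xml, group_object_id):
    """Authorisation decision from the claim. The overage case raises rather than returning
    False, so a caller cannot mistake an incomplete list for 'not a member'."""
    groups, overage_link = group_memberships(assertion_xml)
    if overage_link is not None:
        raise LookupError(f"group list omitted (overage); resolve membership via {overage_link}")
    return group_object_id in groups


if __name__ == "__main__":
    print(group_memberships(SAMPLE_ASSERTION), is_member(SAMPLE_ASSERTION, OPS_GROUP))
    print(group_memberships(SAMPLE_OVERAGE_ASSERTION))
```

The point of is_member raising on the overage claim is that an application which only looks at the groups attribute sees an empty list for an over-150-group user and silently denies (or, if it defaults open, grants) access; checking for the groups.link claim first turns that into an explicit error that can be handled.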
