Azure AD via SAML
Configure Clavex as an enterprise application in Azure AD (Entra ID) using SAML 2.0. Users in Azure AD can authenticate to Clavex-protected resources using their Entra ID credentials. Covers SP-initiated SSO and attribute/group claim mapping.
Direction: In this guide, Azure AD is the Identity Provider and Clavex is the Service Provider. This is the reverse of the Microsoft 365 guide, where Clavex is the IdP.
Use this guide when you want Azure AD users to log in to Clavex via SAML federation.
Prerequisites
- Azure AD / Entra ID tenant
- Application Administrator or Global Administrator role in Entra ID
- Clavex at https://id.acme.eu, organization slug acme
Step 1 — Create Enterprise Application in Entra ID
- Open portal.azure.com → Azure Active Directory → Enterprise applications
- Click New application → Create your own application
- Name it Clavex SSO, select Integrate any other application you don't find in the gallery
- Click Create
Step 2 — Configure SAML SSO
- In your new app → Single sign-on → select SAML
- Click the pencil icon on Basic SAML Configuration:

| Field | Value |
|---|---|
| Identifier (Entity ID) | https://id.acme.eu/acme/saml/azure |
| Reply URL (ACS URL) | https://id.acme.eu/acme/saml/acs |
| Sign-on URL (optional) | https://id.acme.eu/acme/login |
| Relay state | leave empty |
| Logout URL | https://id.acme.eu/acme/saml/slo |

- Save
- Download the Federation Metadata XML from the SAML Signing Certificate section
Step 3 — Configure Azure AD as Upstream SAML IdP in Clavex
In Clavex Admin Console, navigate to your organization → Identity Providers → SAML (Upstream) → Add Provider:
```bash
# Double quotes are required so the shell expands $ADMIN_TOKEN; the single-quoted JSON body has no variables.
$ curl -X POST https://id.acme.eu/api/v1/organizations/acme/identity-providers/saml \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Azure AD",
    "entity_id": "https://sts.windows.net/{tenant-id}/",
    "sso_url": "https://login.microsoftonline.com/{tenant-id}/saml2",
    "certificate": "MIIC... (from Federation Metadata XML)",
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "attribute_mapping": {
      "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
      "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
      "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
      "name": "http://schemas.microsoft.com/identity/claims/displayname",
      "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    }
  }'
```
Find your tenant ID: In Entra ID → Overview → Tenant ID (GUID format). The Entity ID is https://sts.windows.net/{tenant-id}/.
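As an added example (not part of Clavex or its tooling), the following Python script reads the Federation Metadata XML downloaded in Step 2 and produces the Step 3 request body, refusing files that are not IdP metadata from the expected Entra ID issuer. The embedded metadata, its tenant ID and its certificate body are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Claim URIs from the Attribute Mapping Reference on this page.
ATTRIBUTE_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "name": "http://schemas.microsoft.com/identity/claims/displayname",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}
# Constructed sample (placeholder tenant ID and cert body), trimmed to the elements read below.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate> MIIC-PLACEHOLDER-CERT-BODY </X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def signing_certificates(idp: ET.Element) -> list:
    """Base64 bodies of every signing cert; Entra ID lists two during certificate rollover."""
    return ["".join((c.text or "").split())  # drop the line wrapping of the base64 body
            for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]


def provider_config(metadata_xml: str) -> dict:
    """Build the Clavex 'Add Provider' body (Step 3) from Entra ID Federation Metadata XML."""
    root = ET.fromstring(metadata_xml)  # admin-supplied file; use defusedxml for untrusted input
    entity_id = root.get("entityID", "")
    if not entity_id.startswith("https://sts.windows.net/"):
        raise ValueError(f"unexpected issuer {entity_id!r}; expected https://sts.windows.net/<tenant-id>/")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT_BINDING]
    certs = signing_certificates(idp)
    if not sso or not certs:
        raise ValueError("metadata lacks an HTTP-Redirect SSO endpoint or a signing certificate")
    return {"name": "Azure AD", "entity_id": entity_id, "sso_url": sso[0],
            "certificate": certs[0],  # during rollover certs[1] exists too; trust it before the old one expires
            "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            "attribute_mapping": ATTRIBUTE_MAPPING}
```

Pass the returned dict as the JSON body of the Step 3 request; re-run the script whenever Entra ID rotates the signing certificate (the "Assertion signature invalid" symptom under Troubleshooting).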
Step 4 — Configure Group Claims in Entra ID
To send group memberships to Clavex, configure group claims on the Enterprise Application:
- App → Single sign-on → Attributes & Claims → Add a group claim
- Select Security groups (or All groups for smaller tenants)
- Set Source attribute to Group ID (GUID), or sAMAccountName for hybrid environments
- Optionally enable Emit groups as role claims
Step 5 — Assign Users to the App
- App → Users and groups → Add user/group
- Select the users or groups that should be allowed to authenticate via this SAML app
Step 6 — Test
- SP-initiated: Clavex redirects to Azure AD: https://id.acme.eu/acme/login?idp=azure-ad
- IdP-initiated: from the Azure AD My Apps portal https://myapps.microsoft.com → click "Clavex SSO"
Attribute Mapping Reference
| Clavex claim | Azure AD claim URI |
|---|---|
| email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| given_name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
| family_name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
| name | http://schemas.microsoft.com/identity/claims/displayname |
| sub | http://schemas.microsoft.com/identity/claims/objectidentifier |
| groups | http://schemas.microsoft.com/ws/2008/06/identity/claims/groups |
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| AADSTS50105: User not assigned to role | User not added to the Enterprise Application | App → Users and groups → add the user or group |
| Assertion signature invalid | Certificate mismatch | Download fresh Federation Metadata XML from Entra ID and update Clavex provider |
| No groups in Clavex token | Group claims not configured in Entra ID | Add group claim in App → Attributes & Claims → Add a group claim |
| Too many groups error (Azure token too large) | User in > 150 groups | Use Groups assigned to the application to filter; or switch to MS Graph for group fetch |