Microsoft Entra ID SAML integration for SaaS apps
Blog post from Clerk
Microsoft Entra ID (formerly Azure AD) acts as the SAML identity provider (IdP) for a SaaS application, which plays the service provider (SP). Basic SAML SSO is included in every Entra tier at no extra cost and needs only an administrator role in the customer's tenant; features such as Conditional Access and SAML token encryption require P1/P2 licences. Setup consists of creating an enterprise application in the tenant, configuring the SP identifier (entity ID) and reply URL (Assertion Consumer Service URL), mapping claims, managing the IdP signing certificate, assigning users or groups, and testing the connection.

Microsoft recommends OpenID Connect (OIDC) for new applications and SAML for existing ones that already speak it. SP-initiated SSO is preferred for security: because the SP generates the AuthnRequest, it can require the Response's InResponseTo to match a request ID it issued and not yet consumed, which rejects unsolicited responses (login CSRF) and, together with the assertion's validity window and one-time use of assertion IDs, replayed responses. User provisioning can be automated with SCIM, which runs independently of SAML authentication and manages the user lifecycle (create, update, deactivate).

Because an Entra enterprise application lives in a single customer tenant, a multi-tenant SaaS needs a separate SAML connection per customer, each with its own issuer (tenant ID), signing certificate and metadata. Many SaaS providers therefore use a managed solution to handle response validation, certificate rotation and the per-tenant bookkeeping.
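The following is an added example, not code from the Clerk post or from Clerk's product, showing the SP side of one per-customer Entra connection: building an SP-initiated AuthnRequest (HTTP-Redirect binding) and then running the protocol-level checks on the Response (InResponseTo, Destination, Issuer for this customer's tenant, Audience, validity window, subject confirmation, one-time use). The `Connection` record, the `SamlSp` class, the constructed tenant ID, entity ID and ACS URL, and the sample Response are all assumptions for illustration; the sample is unsigned, and in practice these checks run only after the XML signature has been verified against the connection's IdP certificate with an XML-DSig library.

```python
"""SP-side handling of one Entra ID SAML connection (constructed example).
Signature verification is deliberately NOT implemented: do it first with an
XML-DSig library (e.g. xmlsec / python3-saml), then run these checks."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production
from dataclasses import dataclass
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _ts(s):
    """xs:dateTime such as '2024-05-01T12:00:00Z' (sub-seconds ignored) -> epoch seconds."""
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


@dataclass
class Connection:
    """One customer's Entra tenant. A multi-tenant SaaS keeps one of these per customer
    because the enterprise app, and its signing certificate, live in that tenant."""
    customer: str
    tenant_id: str       # Entra directory (tenant) ID
    sp_entity_id: str    # 'Identifier (Entity ID)' configured in the enterprise app
    acs_url: str         # 'Reply URL (Assertion Consumer Service URL)'

    @property
    def issuer(self):    # Issuer value Entra puts in SAML responses and assertions
        return f"https://sts.windows.net/{self.tenant_id}/"

    @property
    def sso_url(self):   # Entra SAML 2.0 sign-on endpoint for this tenant
        return f"https://login.microsoftonline.com/{self.tenant_id}/saml2"


class SamlSp:
    def __init__(self, conn, clock, skew=120):
        self.conn, self.clock, self.skew = conn, clock, skew
        self.pending = set()          # AuthnRequest IDs issued and not yet consumed
        self.seen_assertions = set()  # assertion IDs already accepted (replay cache)

    def build_authn_request(self):
        """Returns (request ID, SAMLRequest value for HTTP-Redirect: raw DEFLATE + base64)."""
        req_id = "_" + secrets.token_hex(16)
        issued = datetime.fromtimestamp(self.clock(), timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
               f'Version="2.0" IssueInstant="{issued}" Destination="{self.conn.sso_url}" '
               f'AssertionConsumerServiceURL="{self.conn.acs_url}">'
               f'<saml:Issuer>{self.conn.sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
        self.pending.add(req_id)
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        return req_id, base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

    def validate_response(self, response_xml):
        """Protocol checks on an already signature-verified Response; raises ValueError on any failure."""
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            raise ValueError("not a samlp:Response")
        # SP-initiated: the Response must answer a request we issued, and only once.
        # Unsolicited responses (IdP-initiated or attacker-supplied) fail here: the login-CSRF defence.
        irt = root.get("InResponseTo")
        if irt not in self.pending:
            raise ValueError("unsolicited or already-consumed InResponseTo")
        if root.get("Destination") != self.conn.acs_url:
            raise ValueError("Destination is not our ACS URL")
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or status.get("Value") != SUCCESS:
            raise ValueError("IdP reported non-success status")
        a = root.find("saml:Assertion", NS)
        if a is None:
            raise ValueError("no plaintext Assertion (encrypted assertions must be decrypted first)")
        for el in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):  # this tenant, not any tenant
            if el is None or el.text != self.conn.issuer:
                raise ValueError("Issuer does not match this connection's tenant")
        audiences = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if self.conn.sp_entity_id not in audiences:
            raise ValueError("assertion not addressed to our entity ID")
        cond = a.find("saml:Conditions", NS)
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        now = self.clock()
        if not (_ts(cond.get("NotBefore")) - self.skew <= now < _ts(cond.get("NotOnOrAfter")) + self.skew):
            raise ValueError("assertion outside its validity window")
        if (scd is None or scd.get("InResponseTo") != irt or scd.get("Recipient") != self.conn.acs_url
                or now >= _ts(scd.get("NotOnOrAfter")) + self.skew):
            raise ValueError("SubjectConfirmationData mismatch")
        if a.get("ID") in self.seen_assertions:
            raise ValueError("replayed assertion")
        self.seen_assertions.add(a.get("ID"))
        self.pending.discard(irt)  # one response per request
        return {"name_id": a.find("saml:Subject/saml:NameID", NS).text, "customer": self.conn.customer}


# ---- constructed sample data (not a real Entra response; unsigned) ----
FIXED_NOW = _ts("2024-05-01T12:01:00Z")
CONTOSO = Connection("contoso", "11111111-2222-3333-4444-555555555555",
                     "https://app.example.com/saml/metadata", "https://app.example.com/saml/acs")


def make_response(conn, in_response_to, assertion_id="_a1"):
    """Builds a sample Response from tenant `conn`; in_response_to=None simulates an unsolicited one."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'IssueInstant="2024-05-01T12:00:30Z" Destination="{conn.acs_url}"{irt}>'
            f'<saml:Issuer>{conn.issuer}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2024-05-01T12:00:30Z">'
            f'<saml:Issuer>{conn.issuer}</saml:Issuer><saml:Subject><saml:NameID>alice@contoso.com</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="{conn.acs_url}"{irt}/>'
            f'</saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">'
            f'<saml:AudienceRestriction><saml:Audience>{conn.sp_entity_id}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')


def demo():
    """Happy path, then an unsolicited Response and a replay of the consumed one."""
    sp = SamlSp(CONTOSO, clock=lambda: FIXED_NOW)
    req_id, _ = sp.build_authn_request()
    results = {"login": sp.validate_response(make_response(CONTOSO, req_id))["name_id"]}
    for label, xml in (("unsolicited", make_response(CONTOSO, None)), ("replay", make_response(CONTOSO, req_id))):
        try:
            sp.validate_response(xml)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results
```

Running `demo()` accepts the first Response for `alice@contoso.com` and rejects both the unsolicited Response and the replay at the InResponseTo check. The per-tenant `Connection` is what makes the Issuer check meaningful in a multi-tenant SaaS: a signed Response from a different customer's tenant carries a different `https://sts.windows.net/<tenant-id>/` issuer and is refused even when its Destination and Audience match.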