Configuring Microsoft Entra ID (formerly Azure Active Directory) Single Sign On (SSO)

Observe supports single sign-on with Microsoft Entra ID through Security Assertion Markup Language (SAML 2.0). Use the following steps to configure SSO for Microsoft Entra ID.

Note

Use of stem names instead of Observe Customer IDs is possible, but you cannot configure Entra to support both at the same time.

Configuring Microsoft Entra ID

  1. From the Microsoft Entra ID portal, navigate to the Enterprise applications page and click New Application.

  2. Click Create your own application.

  3. Select Integrate any other application you don’t find in the gallery, and enter Observe as the Input Name.

  4. Click Set up single sign-on, and then click SAML.

  5. Click Edit on the Basic SAML Configuration tile, and add the URL:

https://${OBSERVE_CUSTOMER_ID}.observeinc.com/auth/saml2/callback

to the following fields, replacing ${OBSERVE_CUSTOMER_ID} with your Observe tenant ID:

  • Identifier (Entity ID)

  • Reply URL (Assertion Consumer Service URL)

  • Sign on URL (Optional)

Figure 1 - Basic SAML Configuration

Claims Configuration - Default Attributes vs Custom Attributes

Default Attributes

If your users have email addresses assigned in Entra ID, you can use the default User Attributes & Claims.

Note

To check whether email addresses are assigned, click Users in the Entra ID portal and select a name. The email fields appear under the Contact Info section, and either contain values or are empty.

Custom Attributes

If the email User property is not populated in Entra ID, the SAML login will fail. Either add the email addresses to the users' properties, or update the emailaddress claim to use user.userprincipalname (UPN) instead of the default user.mail.

Note

If the UPN login names do not match the user’s email address, add the email address to the user’s Entra ID profile. Please contact your Observe Data Engineer for further assistance.

To update the attribute value for emailaddress, navigate to the Attributes & Claims area of your Observe Enterprise App:

  • Click the claim name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • Change the Source attribute field from user.mail to user.userprincipalname.

  • Click Save and then exit from the configuration.

Group Membership Attributes

Observe supports group membership claims sent via SAML. In the Attributes & Claims area, select Add a group claim, select Customize the name of the group claim, and in the Name (required) field, type groups (the name is case sensitive).

Note

Observe has tested the All groups and Security Groups options with both the Group ID and sAMAccountName settings. In all cases, Entra ID passes the GUID of the group, not the human-readable name.

Figure 2 - Entra ID Group Claim Configuration

Additional Configuration Settings

6. You can add the Observe SSO logo on the Properties page by downloading it from here.

7. Download the Base64 version of the SAML Signing Certificate. This is located in the Single sign-on > SAML Certificates section of your Observe Enterprise App.

Figure 3 - Entra ID Certificate Download

8. Copy the Login URL from the Single sign-on page of Entra ID. It has the format https://login.microsoftonline.com/${GUID}/saml2, where ${GUID} will be a GUID specific to your Entra ID subscription.

Figure 3 - Entra ID Login URL

Configuring Observe

9. Navigate to https://${OBSERVE_CUSTOMER_ID}.observeinc.com/settings/customer.

Figure 4 - Observe Settings

10. Scroll down to Add SAML, and paste the Login URL that you copied in Step 8 into the ENTRY POINT field of Observe’s SAML configuration.

11. Open the X.509 certificate from Step 7 in a text editor and paste the Base64 certificate into the CERT field.

12. Click Add SAML Provider.
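
The following pre-flight check is an added example, not part of the Observe or Microsoft documentation. It builds the callback URL from step 5, checks that a Login URL has the format from step 8, and inspects the attributes of a decoded SAML assertion for the emailaddress and groups claims described above. The function names, the customer ID and the sample assertion are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

def callback_url(customer_id):
    """URL for Identifier, Reply URL and Sign on URL (step 5)."""
    return f"https://{customer_id}.observeinc.com/auth/saml2/callback"

def check_login_url(url):
    """True if the ENTRY POINT value has the format shown in step 8."""
    return re.fullmatch(rf"https://login\.microsoftonline\.com/{GUID}/saml2", url) is not None

def check_assertion(xml_text):
    """List claim problems in a decoded assertion. Attribute content only:
    the signature is NOT verified, so use this on test captures, not for trust."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    problems = []
    if not any(v.strip() for v in attrs.get(EMAIL_CLAIM, [])):
        problems.append("emailaddress claim missing or empty")
    # The group claim is optional, but when sent its name must be exactly "groups".
    for name in attrs:
        if name != "groups" and name.lower() == "groups":
            problems.append(f"group claim is named {name!r}, expected 'groups'")
    for value in attrs.get("groups", []):
        if not re.fullmatch(GUID, value.strip()):
            problems.append(f"group value {value!r} is not a GUID")
    return problems

# Constructed sample: email claim is fine, group claim name has the wrong case.
SAMPLE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>user@example.com</AttributeValue></Attribute>
<Attribute Name="Groups">
<AttributeValue>11111111-2222-3333-4444-555555555555</AttributeValue></Attribute>
</AttributeStatement></Assertion>"""

if __name__ == "__main__":
    print(callback_url("123456789012"))  # constructed customer ID
    for problem in check_assertion(SAMPLE):
        print("PROBLEM:", problem)
```

Run it against an assertion captured from a test login before rolling SSO out to all users; an empty problem list means the claims match what this page describes.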