SAML SSO with Microsoft Entra ID

This article describes how to set up SAML Single Sign-on for Semgrep AppSec Platform with Microsoft Entra ID.

Prerequisites
  • An existing Microsoft Entra ID account.
  • Sufficient permissions within Microsoft Entra ID to create enterprise apps. See Microsoft Entra ID roles.

Setting up SAML SSO using Microsoft Entra ID consists of the following general steps:

  1. Create a custom enterprise app within Microsoft Entra ID.
  2. Set up SAML SSO for your new enterprise app.
  3. Add users to your new enterprise app.

Create a custom enterprise app

  1. Sign in to the Microsoft Entra admin center.
  2. Use the search bar to find and navigate to Enterprise applications.
     [Screenshot: Microsoft Entra admin center's Enterprise applications screen]
  3. Click New application > Create your own application. A menu appears.
     [Screenshot: Create your own application screen]
  4. Name your new application something like Semgrep SAML.
  5. Select Integrate any other application you don't find in the gallery (non-gallery).
  6. Click Create. This takes you to your new enterprise application's page.

You have now created a custom enterprise app for Semgrep to integrate with Microsoft Entra ID. This enables you to set up SAML SSO.

Set up SAML SSO for your new enterprise app

  1. From your new enterprise app's page, go to Single sign-on > SAML.
     [Screenshot: Enterprise application's Single sign-on menu option]
  2. When prompted to Select a single sign-on method, select SAML. You are redirected to the SAML-based Sign-on page.
     [Screenshot: SAML-based Sign-on screen]
  3. In the Basic SAML Configuration section, click Edit. Provide the Entity ID and Reply URL. You can retrieve these values from Semgrep AppSec Platform by performing the following steps:
    1. Sign in to Semgrep AppSec Platform.
    2. Navigate to Settings > Access > Login methods.
    3. Click Add SSO configuration and select SAML2 SSO.
    4. Copy the Audience URL (SP Entity ID) value from Semgrep AppSec Platform. Return to Basic SAML Configuration. Click Add identifier to paste this value as the Identifier (Entity ID).
    5. Copy the SSO URL value from Semgrep AppSec Platform. Return to Basic SAML Configuration. Click Add reply URL to paste this value as the Reply URL (Assertion Consumer Service URL).
  4. Click Save and close out of Basic SAML Configuration.
  5. In the Attributes and Claims section, click Edit. You must add two claims. To add your first claim:
    1. Click Add new claim.
    2. Enter name in the Name field.
    3. For the Source attribute drop-down box, select user.displayname.
    4. Click Save.
  6. To add your second claim:
    1. Click Add new claim.
    2. Enter email in the Name field.
    3. From the Source attribute drop-down box, select user.mail.
    4. Click Save.
  7. Close out of Attributes & Claims.
  8. Navigate to Semgrep AppSec Platform, and provide the values required by the SAML2 form:
    1. Provide the Display name and the Email domain you are using for the integration.
    2. Copy the Login URL value from Microsoft Entra ID and paste it into Semgrep AppSec Platform's IdP SSO URL field.
    3. Copy and paste the Microsoft Entra ID Identifier value into Semgrep AppSec Platform's IdP Issuer ID field.
    4. In Entra ID's SAML-based Sign-on page, click Download to obtain the Certificate (Base64).
    5. In Semgrep AppSec Platform, under Upload/Paste certificate, click Browse and then select the certificate you downloaded.
       [Screenshot: Semgrep AppSec Platform's SAML2 configuration screen]
  9. Select the box next to This SSO supports non-password authentication mechanisms (e.g. MFA, X509, PasswordLessPhoneSignin) if applicable.
  10. Click Save to proceed.
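The values copied back and forth in the steps above each correspond to a specific element of the SAML assertion that Microsoft Entra ID will send to Semgrep: the Audience URL (SP Entity ID) becomes the Audience, the SSO URL / Reply URL becomes the Recipient, the Microsoft Entra ID Identifier becomes the Issuer, and the two claims become name/email Attributes. The following Python script is an added example, not code from Semgrep or Microsoft: it checks a constructed sample assertion against placeholder configuration values (the URLs, the tenant-style issuer string and the user data are all made up) the way a service provider must before trusting a login. Signature verification against the certificate uploaded in step 8 is deliberately left out and still has to be done by the service provider.

```python
"""Check a SAML 2.0 assertion against the values exchanged between Microsoft
Entra ID and Semgrep AppSec Platform in the setup steps.

Added, illustrative code: not Semgrep's or Microsoft's. The placeholder URLs
and issuer string below are constructed; replace them with your own values.
Signature verification against the uploaded certificate is out of scope here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder values corresponding to the fields copied between the two UIs.
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"          # Audience URL (SP Entity ID)
ACS_URL = "https://sp.example.invalid/saml/acs"                    # SSO URL / Reply URL (ACS URL)
IDP_ISSUER_ID = "https://idp.example.invalid/placeholder-tenant/"  # Microsoft Entra ID Identifier
REQUIRED_CLAIMS = ("name", "email")  # the two claims added in Attributes and Claims

# Constructed sample assertion, unsigned and trimmed to the elements checked below.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed-1"
  Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ISSUER_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.invalid</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.invalid</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {
        attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }


def check_assertion(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                    idp_issuer_id=IDP_ISSUER_ID, now=None, required_claims=REQUIRED_CLAIMS):
    """Return a list of problems; an empty list means every check passed.

    `now` is an optional UTC timestamp string (for reproducible validity-window
    checks); when omitted the current time is used.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return [f"root element {root.tag} is not saml:Assertion"]
    at = _ts(now) if now else datetime.now(timezone.utc)

    # Issuer must equal the IdP Issuer ID entered in Semgrep.
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != idp_issuer_id:
        problems.append(f"issuer {issuer!r} does not match the configured IdP Issuer ID")

    # Audience must contain the SP Entity ID pasted into Entra, and the
    # assertion must be inside its validity window.
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("assertion has no saml:Conditions")
    else:
        audiences = [a.text.strip() for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            problems.append(f"audiences {audiences} do not include the SP Entity ID")
        nb, noa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if nb and at < _ts(nb):
            problems.append("assertion is not yet valid (NotBefore)")
        if noa and at >= _ts(noa):
            problems.append("assertion has expired (Conditions NotOnOrAfter)")

    # Bearer confirmation must be addressed to the Reply URL / ACS URL.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("assertion has no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append(f"recipient {scd.get('Recipient')!r} does not match the ACS URL")
        noa = scd.get("NotOnOrAfter")
        if noa and at >= _ts(noa):
            problems.append("subject confirmation has expired (SubjectConfirmationData NotOnOrAfter)")

    # The two claims configured in Entra must be present and non-empty.
    claims = extract_claims(xml_text)
    for name in required_claims:
        if not any(v.strip() for v in claims.get(name, [])):
            problems.append(f"claim {name!r} is missing or empty")
    return problems


if __name__ == "__main__":
    # Fixed timestamp so the constructed sample falls inside its validity window.
    for line in check_assertion(SAMPLE_ASSERTION, now="2024-01-01T12:01:00Z") or ["all checks passed"]:
        print(line)
```

Every check corresponds to one field from the procedure, so a mismatch in the output points at the step where the wrong value was pasted: an issuer failure means the Microsoft Entra ID Identifier was copied incorrectly, an audience failure means the SP Entity ID in Basic SAML Configuration is wrong, a recipient failure means the Reply URL is wrong, and a missing claim means one of the two claims was not saved with the expected Name.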

Add users to your new enterprise app

To add users to the application so that they can log in with their domain emails, refer to Assign users and groups to an application.
