
Setting Up Single Sign-On with Microsoft Entra ID 🔐

As you may have heard, Microsoft Azure AD is now called Microsoft Entra ID. By using Entra ID SSO, your team won't need to remember an extra password to get into Haystack. Plus, you can manage access to Haystack right from one central control panel.

📣 Since this process is a bit technical, we highly recommend that your IT team help with the setup.

Step 1: Create a New SAML Application in Entra

First, you'll need to create a new application in your Entra admin center.

  1. Sign in to the Microsoft Entra admin center.

  2. Go to Enterprise Applications.

  3. Click +New Application, then +Create Your Own Application.

  4. Add an App Name (we suggest Haystack or the name of your intranet).

  5. Select "Integrate any other application you don't find in the gallery (non-gallery)".

  6. Click Create.

Step 2: Configure SSO for Your SAML Application

Now, let's connect your new app to Haystack.

  1. Click on Single sign-on in the left-hand menu of your SAML application.

  2. Choose SAML as your single sign-on method.

  3. Edit the Basic SAML Configuration to match the fields below. Be sure to replace "subdomain" with your company's Haystack subdomain in each of the URLs. If you're not sure what your subdomain is, just reach out to your Haystack CSM or our support team.

    • Identifier (Entity ID): https://subdomain.haystack.so/api/saml/metadata

    • Reply URL (ACS URL): https://subdomain.haystack.so/api/saml/acs

    • Sign on URL: https://subdomain.haystack.so/login

  4. Next, configure the Attributes and Claims. For Unique User Identifier, make sure it's set to user.mail.

  5. Finally, in the SAML Signing Certificate section, copy the App Federation Metadata URL to your clipboard.
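Before saving the Basic SAML Configuration, the three values can be checked against the patterns listed above. The script below is an added example, not part of Haystack's or Microsoft's tooling. The function name, the sample subdomain "acme" and the exact-match strictness (no trailing slash, no port, no query string) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Field names and paths as listed under Basic SAML Configuration on this page.
EXPECTED_PATHS = {
    "Identifier (Entity ID)": "/api/saml/metadata",
    "Reply URL (ACS URL)": "/api/saml/acs",
    "Sign on URL": "/login",
}


def check_saml_config(subdomain, entered):
    """Return a list of (field, problem) tuples; empty means the values match."""
    sub = subdomain.strip().lower()
    if sub in ("", "subdomain") or not sub.replace("-", "").isalnum():
        return [("subdomain", "empty, still the placeholder, or not one DNS label")]
    host = f"{sub}.haystack.so"
    problems = []
    for field, path in EXPECTED_PATHS.items():
        raw = entered.get(field, "")
        url = urlsplit(raw.strip())
        if raw != raw.strip():
            problems.append((field, "leading or trailing whitespace"))
        if url.scheme != "https":
            problems.append((field, "scheme is not https"))
        # Comparing netloc (not hostname) also rejects ports and userinfo.
        if url.netloc.lower() != host:
            problems.append((field, f"host is not {host}"))
        # Exact match: a trailing slash or query string is a mismatch.
        if url.path != path or url.query or url.fragment:
            problems.append((field, f"path is not exactly {path}"))
    return problems


# Constructed sample values; "acme" is a made-up subdomain.
GOOD = {
    "Identifier (Entity ID)": "https://acme.haystack.so/api/saml/metadata",
    "Reply URL (ACS URL)": "https://acme.haystack.so/api/saml/acs",
    "Sign on URL": "https://acme.haystack.so/login",
}
BAD = {
    "Identifier (Entity ID)": "https://subdomain.haystack.so/api/saml/metadata",
    "Reply URL (ACS URL)": "http://acme.haystack.so/api/saml/acs/",
    "Sign on URL": "https://acme.haystack.so.example.net/login",
}

if __name__ == "__main__":
    for field, problem in check_saml_config("acme", BAD):
        print(f"{field}: {problem}")
```

An empty result means the entered values match the page's patterns for that subdomain; any tuple names the field to correct in Entra.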

Step 3: Complete the SSO Setup in Haystack

Almost there! Now, let's finish the process in Haystack.

Only users with Workspace Admin and Access Control Admin permissions can do the following. If you don't have these, ask your platform admins or our support team for help.

  • Click the account dropdown in the top right corner and select Admin Console.

  • In the left-hand navigation menu, click User Provision & Login.

  • Toggle on Login with SAML.

  • Paste the URL you copied earlier into the IDP metadata URL box.

  • If needed, you can also configure your session timeout days.

  • Click Save User Login Options at the bottom of the page.

And that’s it! Your single sign-on with Entra ID is now configured. When logging in, your users can simply click the "Continue with Microsoft" button. You can also assign users or groups to the app as needed, but keep in mind this process won't automatically provision their accounts.

