Microsoft Entra ID SAML Integration Guide
Suggest an editPrerequisites
- Administrator access to Microsoft Entra ID (Global Administrator or Domain Administrator role)
- A SplitSecure Identity Provider created and approved
- A verified custom domain in your Entra tenant (cannot federate the default
.onmicrosoft.comdomain) - Microsoft Graph PowerShell module installed on a Windows machine
- DNS access to verify domain ownership
- A separate browser or browser profile with SplitSecure configured (for testing)
Entra ID Configuration
1 Verify Your Custom Domain
Before configuring federation, ensure your custom domain is added and verified in Entra ID.
- Go to Microsoft Entra admin center → Domain names
- Click Add custom domain
- Enter your domain name (e.g.,
splitsecure.com) - Add the provided DNS TXT record to verify ownership
- Click Verify
You can verify via PowerShell:
Connect-MgGraph -Scopes "Domain.Read.All"
Get-MgDomain | Select-Object Id, IsVerified, AuthenticationType2 Gather SplitSecure IdP Information
From SplitSecure, collect the following information:
The following values can be found in SplitSecure at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details
| Field | Value |
|---|---|
| IdP Entity ID (Issuer URI) | Under SAML IdP Entity ID |
| SSO Login URL | Under SSO URL (POST) |
| Signing Certificate | Click Download Certificate |
3 Configure Domain Federation
Connect to Microsoft Graph PowerShell and configure federation. See Microsoft documentation for more details.
The following variables can be found at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details:
| Variables | In SplitSecure’s details page |
|---|---|
| IssuerUri | SAML IdP Entity ID |
| PassiveSignInUri | SSO URL (POST) |
| idptokensigningcert | Download Certificate (.crt) |
# Connect with required permissions
Connect-MgGraph -Scopes "Domain.ReadWrite.All"
# Set your variables
$Domain = "<yourdomain.com>"
$IssuerUri = "https://companion.splitsecure.com/saml/idp/<four-word-id-name>"
$PassiveSignInUri = "https://monolith.us-east-2.aws.splitsecure.com/saml2/sp/login"
# Load your signing certificate (base64 encoded, no headers)
$idptokensigningcert = [System.Security.Cryptography.X509Certificates.X509Certificate2]("C:\temp\certificate.crt")
$MySigningCert = [system.convert]::tobase64string($idptokensigningcert.rawdata)
# Create federation configuration
New-MgDomainFederationConfiguration `
-DomainId $Domain `
-IssuerUri $IssuerUri `
-PassiveSignInUri $PassiveSignInUri `
-SignOutUri $SignOutUri `
-SigningCertificate $SigningCert `
-PreferredAuthenticationProtocol "saml" `
-FederatedIdpMfaBehavior "acceptIfMfaDoneByFederatedIdp" `
-DisplayName "SplitSecure SAML IdP"4 Verify Federation Configuration
Get-MgDomainFederationConfiguration -DomainId "yourdomain.com" | Format-List *SplitSecure Configuration
1 Configure SplitSecure with Entra ID SP Details
Return to SplitSecure and configure the SAML application with Entra ID’s Service Provider details:
- In SplitSecure, navigate to Secure Accounts → Create Account → Microsoft Entra ID
- Enter a name for your account
- Select the Identity Provider
- Download the metadata file from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml and upload it
- Click Create Account
Provision Users
Before users can authenticate via federation, they must exist in Entra ID with matching attributes.
1 Create a Federated User
$Password = "P@ssw0rd!" + (-join ((65..90) + (97..122) + (48..57) | Get-Random -Count 8 | % {[char]$_}))
$PasswordProfile = @{ Password = "$Password" }
$params = @{
UserPrincipalName = "[email protected]"
DisplayName = "User Name"
AccountEnabled = $true
MailNickName = "username"
OnPremisesImmutableId = "unique-immutable-id-001"
PasswordProfile = $PasswordProfile
UsageLocation = "US"
}
New-MgUser -BodyParameter $paramsNote the UserPrincipalName and OnPremisesImmutableId fields - you’ll need them for testing.
2 Verify User Configuration
Get-MgUser -UserId "[email protected]" | Select-Object UserPrincipalName, OnPremisesImmutableId, IdIf the OnPremisesImmutableId is empty, go to Entra ID → Users → [click on your user] → [click Properties]
Test Authentication
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
1 Test Authentication (SP-Initiated)
- Navigate to https://entra.microsoft.com/
- Enter the user’s email address (e.g.,
[email protected]) - You should be redirected to SplitSecure for authentication
- Give the user’s UPN and OnPremisesImmutableId
- Complete the authentication flow
Use this URL to check federation status for a user: https://login.microsoftonline.com/[email protected]&json=1
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| No tenant-identifying information found | Issuer doesn’t match federation config | Ensure Issuer URI exactly matches (no whitespace) |
| User not found | User doesn’t exist in Entra ID | Provision user with matching UPN on federated domain |
| User not found (NameID mismatch) | NameID doesn’t match OnPremisesImmutableId | Ensure OnPremisesImmutableId exactly matches |
External Resources
- Entra ID SP Metadata — Service provider metadata file
- SAML Protocol Documentation — Federation configuration guide
- Microsoft Graph PowerShell — PowerShell module for Graph API