SAML SSO with Azure AD

Configure SAML SSO with Azure AD

This guide walks through setting up SAML single sign-on between Microsoft Entra ID (formerly Azure Active Directory) and Screendesk. After completing these steps, your team members can log in to Screendesk using their Microsoft credentials.

Plan Availability: Enterprise only

Before starting, make sure you have admin access to both the Microsoft Entra admin center and your Screendesk workspace. You will also need your Screendesk service provider details — find them in Account Settings → Security → SAML SSO.


Configuration Overview

Setting up SAML SSO with Microsoft Entra ID involves creating an enterprise application in the Entra admin center, configuring SAML settings on both sides, and assigning users.

You will need these Screendesk values for the Microsoft side:

| Screendesk Field | Value |
| --- | --- |
| Reply URL (ACS URL) | https://app.screendesk.io/saml_callback |
| Identifier (Entity ID) | urn:screendesk.io:saml |


Step 1 — Create an Enterprise Application in Entra ID

1. Open the Entra admin center

Sign in at entra.microsoft.com and navigate to Identity → Applications → Enterprise applications.

2. Create a new application

Click New application, then click Create your own application.

  • Enter Screendesk as the name.

  • Select Integrate any other application you don't find in the gallery (Non-gallery).

  • Click Create.

3. Open SAML configuration

On the application's overview page, click Single sign-on in the left sidebar, then select SAML as the single sign-on method.

4. Edit Basic SAML Configuration

Click Edit on the Basic SAML Configuration card and enter:

| Field | Value |
| --- | --- |
| Identifier (Entity ID) | urn:screendesk.io:saml |
| Reply URL (Assertion Consumer Service URL) | https://app.screendesk.io/saml_callback |
| Sign on URL | Leave blank |
| Relay State | Leave blank |
| Logout URL | Leave blank |

Click Save.

5. Configure Attributes & Claims

Click Edit on the Attributes & Claims card. Verify or set the following:

Required claim:

| Claim | Value |
| --- | --- |
| Unique User Identifier (Name ID) | user.userprincipalname or user.mail (must be the user's email address) |

Additional claims (these should already be present by default in Entra ID):

| Claim name | Source attribute |
| --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.givenname |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.surname |
| http://schemas.microsoft.com/identity/claims/displayname | user.displayname |

Entra ID includes these claims by default for new enterprise applications, so you typically won't need to add them manually. Just confirm they are present.

Click Save if you made changes.

6. Copy the Entra IdP details

Scroll down to the SAML Certificates card and the Set up Screendesk card. You will need three values:

  • Login URL — Copy this. You will paste it as the Single Sign On URL in Screendesk.

  • Microsoft Entra Identifier — Copy this. You will paste it as the IDP Entity ID in Screendesk.

  • Certificate (Base64) — Click Download next to "Certificate (Base64)." You will paste its contents as the IDP Certificate in Screendesk.

7. Assign users and groups

In the left sidebar, click Users and groups, then click Add user/group. Select the users or groups who should have access to Screendesk and click Assign.

Step 2 — Configure Screendesk

1. Open SAML SSO settings

In Screendesk, go to Account Settings → Security → SAML SSO and click Edit SAML SSO Settings.

2. Enter the Entra IdP details

Using the values you copied from the Entra admin center in Step 1:

| Screendesk Field | Value from Entra ID |
| --- | --- |
| SSO Domain | Your company's email domain (e.g., yourcompany.com) |
| IDP Entity ID | The Microsoft Entra Identifier |
| Single Sign On URL | The Login URL |
| IDP Certificate | The contents of the downloaded Base64 certificate. Open it in a text editor and paste the full text, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. |

3. Save the configuration

Click Save Changes.


Step 3 — Test the Connection

1. Use the Entra test feature

On the enterprise application's Single sign-on page in Entra, click Test this application. This will simulate a SAML login and show detailed results.

2. Test from the Screendesk login page

Open an incognito window, go to the Screendesk login page, click Sign in with SAML SSO, and enter an email address that belongs to your SSO domain. You should be redirected to Microsoft's login page and then signed in to Screendesk.


Troubleshooting

"SAML Authentication failed" error

This usually means the SAML response signature could not be verified. Check the following:

  • The IDP Certificate in Screendesk matches the Base64 certificate downloaded from Entra. Make sure you pasted the full PEM text including header and footer lines.

  • The Reply URL in Entra matches https://app.screendesk.io/saml_callback exactly.

  • The Identifier in Entra matches urn:screendesk.io:saml exactly.

"AADSTS700016" or application not found error

This means the user is not assigned to the Screendesk enterprise application in Entra. Go to Users and groups on the application page and add the user or their group.

Name or email not appearing correctly in Screendesk

Verify the Attributes & Claims in Entra are configured correctly. The NameID must resolve to the user's email address. If your organization uses user.userprincipalname values that differ from actual email addresses, switch the NameID source to user.mail instead.

New users get "Ask your IT administrator" message

This means Automatic account creation is turned off in your Screendesk SAML settings. Either enable it in Account Settings → Security → SAML SSO, or manually create the user's Screendesk account before they try to log in.
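
The checks listed under "SAML Authentication failed" and "Name or email not appearing correctly" can be run against a captured response. The following is an added example, not Screendesk or Microsoft code: it decodes a base64 SAMLResponse and reports which configured value does not line up, comparing fields only and not verifying the signature. The function names, the constructed sample (placeholder certificate bytes and issuer) and the assumption that you captured the SAMLResponse form field from the browser's POST to the Reply URL are illustrative.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://app.screendesk.io/saml_callback"  # Reply URL from this guide
ENTITY_ID = "urn:screendesk.io:saml"                 # Identifier from this guide

def pem_to_der(pem):
    """Decode a pasted PEM certificate; fail if the BEGIN/END lines are missing."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("PEM header/footer lines missing")
    return base64.b64decode(m.group(1))

def diagnose(response_b64, idp_entity_id, idp_cert_pem, sso_domain):
    """List config mismatches in a captured SAMLResponse (no signature verification)."""
    xml = base64.b64decode(response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations are not expected in SAML")
    root = ET.fromstring(xml)
    def text(path):
        return root.findtext(path, "", NS).strip()
    embedded = base64.b64decode(text(".//ds:X509Certificate"))  # cert sent by the IdP
    checks = [
        (root.get("Destination") == ACS_URL, "Destination != Reply URL"),
        (text(".//a:Audience") == ENTITY_ID, "Audience != Identifier (Entity ID)"),
        (text(".//a:Assertion/a:Issuer") == idp_entity_id, "Issuer != IDP Entity ID"),
        (text(".//a:NameID").lower().endswith("@" + sso_domain.lower()),
         "NameID is not an email address in the SSO domain"),
        (embedded == pem_to_der(idp_cert_pem) and embedded != b"",
         "Signing certificate != pasted IDP Certificate"),
    ]
    return [message for ok, message in checks if not ok]

# Constructed sample: placeholder bytes stand in for a real certificate.
DER_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()
PEM = f"-----BEGIN CERTIFICATE-----\n{DER_B64}\n-----END CERTIFICATE-----\n"
def sample(audience=ENTITY_ID, name_id="ada@yourcompany.com"):
    return base64.b64encode((
        f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" xmlns:ds="{NS["ds"]}" '
        f'Destination="{ACS_URL}"><a:Assertion><a:Issuer>https://idp.example/entity</a:Issuer>'
        f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{DER_B64}</ds:X509Certificate>'
        f'</ds:X509Data></ds:KeyInfo></ds:Signature><a:Subject><a:NameID>{name_id}</a:NameID>'
        f'</a:Subject><a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>'
        '</a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>').encode()).decode()
```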
