# SAML SSO with Azure AD

This guide walks through setting up SAML single sign-on between Microsoft Entra ID (formerly Azure Active Directory) and Screendesk. After completing these steps, your team members can log in to Screendesk using their Microsoft credentials.

{% hint style="info" %}
**Plan Availability:** Enterprise only
{% endhint %}

{% hint style="info" %}
Before starting, make sure you have admin access to both the **Microsoft Entra admin center** and your **Screendesk workspace**. You will also need your Screendesk service provider details — find them in **Account Settings → Security → SAML SSO**.
{% endhint %}

***

### Configuration Overview

Setting up SAML SSO with Microsoft Entra ID involves creating an enterprise application in the Entra admin center, configuring SAML settings on both sides, and assigning users.

You will need these Screendesk values for the Microsoft side:

| Screendesk Field           | Value                                     |
| -------------------------- | ----------------------------------------- |
| **Reply URL (ACS URL)**    | `https://app.screendesk.io/saml_callback` |
| **Identifier (Entity ID)** | `urn:screendesk.io:saml`                  |

***

### Step 1 — Create an Enterprise Application in Entra ID

{% stepper %}
{% step %}

#### Open the Entra admin center

Sign in at [entra.microsoft.com](https://entra.microsoft.com) and navigate to **Identity → Applications → Enterprise applications**.
{% endstep %}

{% step %}

#### Create a new application

Click **New application**, then click **Create your own application**.

* Enter **Screendesk** as the name.
* Select **Integrate any other application you don't find in the gallery (Non-gallery)**.
* Click **Create**.

{% endstep %}

{% step %}

#### Open SAML configuration

On the application's overview page, click **Single sign-on** in the left sidebar, then select **SAML** as the single sign-on method.
{% endstep %}

{% step %}

#### Edit Basic SAML Configuration

Click **Edit** on the **Basic SAML Configuration** card and enter:

| Field                                          | Value                                     |
| ---------------------------------------------- | ----------------------------------------- |
| **Identifier (Entity ID)**                     | `urn:screendesk.io:saml`                  |
| **Reply URL (Assertion Consumer Service URL)** | `https://app.screendesk.io/saml_callback` |
| **Sign on URL**                                | Leave blank                               |
| **Relay State**                                | Leave blank                               |
| **Logout URL**                                 | Leave blank                               |

Click **Save**.
{% endstep %}

{% step %}

#### Configure Attributes & Claims

Click **Edit** on the **Attributes & Claims** card. Verify or set the following:

**Required claim:**

| Claim                                | Value                                                                      |
| ------------------------------------ | -------------------------------------------------------------------------- |
| **Unique User Identifier (Name ID)** | `user.userprincipalname` or `user.mail` (must be the user's email address) |

**Additional claims** (these should already be present by default in Entra ID):

| Claim name                                                           | Source attribute   |
| -------------------------------------------------------------------- | ------------------ |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | `user.mail`        |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`    | `user.givenname`   |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`      | `user.surname`     |
| `http://schemas.microsoft.com/identity/claims/displayname`           | `user.displayname` |

{% hint style="info" %}
Entra ID includes these claims by default for new enterprise applications, so you typically won't need to add them manually. Just confirm they are present.
{% endhint %}

Click **Save** if you made changes.
{% endstep %}

{% step %}

#### Copy the Entra IdP details

Scroll down to the **SAML Certificates** card and the **Set up Screendesk** card. You will need three values:

* **Login URL** — Copy this. You will paste it as the **Single Sign On URL** in Screendesk.
* **Microsoft Entra Identifier** — Copy this. You will paste it as the **IDP Entity ID** in Screendesk.
* **Certificate (Base64)** — Click **Download** next to "Certificate (Base64)." You will paste its contents as the **IDP Certificate** in Screendesk.

{% endstep %}

{% step %}

#### Assign users and groups

In the left sidebar, click **Users and groups**, then click **Add user/group**. Select the users or groups who should have access to Screendesk and click **Assign**.

{% hint style="warning" %}
Only users assigned to the enterprise application (directly or via group membership) will be able to log in via SAML. Unassigned users will receive an error from Microsoft.
{% endhint %}
{% endstep %}
{% endstepper %}

***

### Step 2 — Configure Screendesk

{% stepper %}
{% step %}

#### Open SAML SSO settings

In Screendesk, go to **Account Settings → Security → SAML SSO** and click **Edit SAML SSO Settings**.
{% endstep %}

{% step %}

#### Enter the Entra IdP details

Using the values you copied from the Entra admin center in Step 1:

| Screendesk Field       | Value from Entra ID                                                                                                                                                                     |
| ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **SSO Domain**         | Your company's email domain (e.g., `yourcompany.com`)                                                                                                                                   |
| **IDP Entity ID**      | The **Microsoft Entra Identifier**                                                                                                                                                      |
| **Single Sign On URL** | The **Login URL**                                                                                                                                                                       |
| **IDP Certificate**    | The contents of the downloaded Base64 certificate. Open it in a text editor and paste the full text, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines. |

{% endstep %}

{% step %}

#### Save the configuration

Click **Save Changes**.
{% endstep %}
{% endstepper %}

***

### Step 3 — Test the Connection

{% stepper %}
{% step %}

#### Use the Entra test feature

On the enterprise application's **Single sign-on** page in Entra, click **Test this application**. This will simulate a SAML login and show detailed results.
{% endstep %}

{% step %}

#### Test from the Screendesk login page

Open an incognito window, go to the Screendesk login page, click **Sign in with SAML SSO**, and enter an email address that belongs to your SSO domain. You should be redirected to Microsoft's login page and then signed in to Screendesk.
{% endstep %}
{% endstepper %}

***

### Troubleshooting

<details>

<summary>"SAML Authentication failed" error</summary>

This usually means the SAML response signature could not be verified. Check the following:

* The **IDP Certificate** in Screendesk matches the Base64 certificate downloaded from Entra. Make sure you pasted the full PEM text including header and footer lines.
* The **Reply URL** in Entra matches `https://app.screendesk.io/saml_callback` exactly.
* The **Identifier** in Entra matches `urn:screendesk.io:saml` exactly.

</details>
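The first item in that checklist (the pasted PEM must be the complete certificate, header and footer included) can be verified before saving. The Python script below is an added example written for this guide, not Screendesk's or Microsoft's code. It normalises a pasted PEM block (CRLF line endings, indentation, trailing spaces), rejects a missing header or footer or a corrupted base64 body, and compares the pasted text with the downloaded `Certificate (Base64)` file by their decoded DER bytes and SHA-256 fingerprint. The sample certificate bytes are a constructed stand-in that merely starts with the ASN.1 SEQUENCE tag; they are not a real certificate.

```python
import base64
import binascii
import hashlib
import re
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def extract_der(pem_text: str) -> bytes:
    """Return the DER bytes of the certificate inside PEM text.

    Raises ValueError for the common paste mistakes: a missing header or
    footer line, or a body that is not valid base64.
    """
    begin = pem_text.find(BEGIN)
    end = pem_text.find(END)
    if begin == -1 or end == -1 or end < begin:
        raise ValueError("header or footer line missing; paste the full PEM text")
    body = pem_text[begin + len(BEGIN):end]
    body = re.sub(r"\s+", "", body)  # tolerate CRLF, indentation and trailing spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE; this is not a certificate")
    return der


def pem_problem(pem_text: str) -> str:
    """Empty string when the text is a well-formed PEM certificate, else the reason."""
    try:
        extract_der(pem_text)
    except ValueError as exc:
        return str(exc)
    return ""


def fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint in the colon-separated form most admin consoles display."""
    digest = hashlib.sha256(extract_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(pasted: str, downloaded: str) -> bool:
    """True when both texts carry the same certificate, whitespace differences aside."""
    return extract_der(pasted) == extract_der(downloaded)


# --- constructed sample input (NOT a real certificate) ---------------------
# A stand-in DER blob that begins with the ASN.1 SEQUENCE tag so the structural
# check passes; the real certificate is the file downloaded from Entra.
_DER_STAND_IN = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(256)) + bytes(10)
DOWNLOADED = "\n".join(
    [BEGIN, *textwrap.wrap(base64.b64encode(_DER_STAND_IN).decode(), 64), END, ""]
)
# The same certificate as it might be pasted: CRLF line endings and indentation.
PASTED = "\r\n".join("    " + line for line in DOWNLOADED.splitlines())
# Footer line lost while copying.
TRUNCATED = DOWNLOADED.replace(END, "")
# A stray character corrupting the first body line.
CORRUPTED = DOWNLOADED.replace("\n", "\n!", 1)

if __name__ == "__main__":
    print("downloaded:", fingerprint(DOWNLOADED))
    print("pasted matches:", same_certificate(PASTED, DOWNLOADED))
    for label, text in (("truncated", TRUNCATED), ("corrupted", CORRUPTED)):
        print(f"{label}: {pem_problem(text) or 'OK'}")
```

To use it on a real configuration, read the downloaded `.cer` file into `DOWNLOADED` and the text you pasted into Screendesk into `PASTED`; a non-empty `pem_problem()` result names the paste mistake, and a fingerprint that differs between the two texts means a different certificate was pasted. The script only checks the certificate text itself; signature verification of the SAML response is done by Screendesk at login.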

<details>

<summary>"AADSTS700016" or application not found error</summary>

This means the user is not assigned to the Screendesk enterprise application in Entra. Go to **Users and groups** on the application page and add the user or their group.

</details>

<details>

<summary>Name or email not appearing correctly in Screendesk</summary>

Verify the **Attributes & Claims** in Entra are configured correctly. The NameID must resolve to the user's email address. If your organization uses `user.userprincipalname` values that differ from actual email addresses, switch the NameID source to `user.mail` instead.

</details>
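Both the **Attributes & Claims** step in Step 1 and this troubleshooting entry come down to what the assertion actually carries: a NameID that is the user's email address, plus the four name claims. The Python script below is an added example for this guide, not Screendesk's or Microsoft's code. It parses a SAML response captured during a test login, extracts the Issuer, NameID and the four claim names listed in the table above, and reports the mismatches this entry describes (NameID not an email, or a UPN-style NameID that differs from the `emailaddress` claim). It inspects the assertion only and does not verify the XML signature. The two responses it runs on are constructed, unsigned samples with placeholder IDs and issuer, not values from any real tenant.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in an Entra ID response.
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim names exactly as listed in the Attributes & Claims table.
CLAIMS = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "display_name": "http://schemas.microsoft.com/identity/claims/displayname",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_identity(response_xml: str) -> dict:
    """Pull Issuer, NameID and the four Entra claims out of a SAML Response.

    Looks at the assertion content only; the XML signature is not checked here
    (Screendesk verifies it when validating the login).
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response contains no Assertion element")
    identity = {
        "issuer": (assertion.findtext("saml2:Issuer", default="", namespaces=NS) or "").strip(),
        "name_id": (assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS) or "").strip(),
    }
    present = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
        present[attr.get("Name")] = values[0] if values else ""
    for key, claim_name in CLAIMS.items():
        identity[key] = present.get(claim_name, "")
    return identity


def check_identity(identity: dict, expected_issuer: str) -> list:
    """Return human-readable problems; an empty list means the claims look right."""
    problems = []
    if identity["issuer"] != expected_issuer:
        problems.append("Issuer does not match the IDP Entity ID configured in Screendesk")
    if not EMAIL_RE.match(identity["name_id"]):
        problems.append("NameID is not an email address; set the NameID source to user.mail")
    elif identity["email"] and identity["name_id"].lower() != identity["email"].lower():
        problems.append("NameID differs from the emailaddress claim (UPN is not the mail address); set the NameID source to user.mail")
    for key in ("email", "given_name", "surname", "display_name"):
        if not identity[key]:
            problems.append(f"{CLAIMS[key]} claim is missing or empty")
    return problems


def constructed_response(name_id: str, email: str) -> str:
    """Build a minimal, unsigned, CONSTRUCTED response; IDs and issuer are placeholders."""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    ID="_constructed-response" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>IDP_ENTITY_ID_PLACEHOLDER</saml2:Issuer>
    <saml2:Subject><saml2:NameID>{name_id}</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="{CLAIMS['email']}"><saml2:AttributeValue>{email}</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="{CLAIMS['given_name']}"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="{CLAIMS['surname']}"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="{CLAIMS['display_name']}"><saml2:AttributeValue>Jane Doe</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


# Constructed samples: a correct assertion, and one whose NameID is a UPN that
# differs from the user's real mail address (the case described above).
EXPECTED_ISSUER = "IDP_ENTITY_ID_PLACEHOLDER"
GOOD = constructed_response("jane.doe@yourcompany.com", "jane.doe@yourcompany.com")
UPN_MISMATCH = constructed_response("jane.doe@yourcompany.onmicrosoft.com", "jane.doe@yourcompany.com")

if __name__ == "__main__":
    for label, xml in (("good", GOOD), ("upn-mismatch", UPN_MISMATCH)):
        print(label, check_identity(extract_identity(xml), EXPECTED_ISSUER) or "OK")
```

For a real check, pass the decoded SAML response from a test login as `response_xml` and the **Microsoft Entra Identifier** you entered as **IDP Entity ID** as `expected_issuer`; each returned string maps to one of the fixes in this section.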

<details>

<summary>New users get "Ask your IT administrator" message</summary>

This means **Automatic account creation** is turned off in your Screendesk SAML settings. Either enable it in **Account Settings → Security → SAML SSO**, or manually create the user's Screendesk account before they try to log in.

</details>
