This guide walks you through setting up SAML 2.0 single sign-on between TrueFoundry and Microsoft Entra ID (formerly Azure Active Directory). Once finished, members of your Entra tenant can sign in to TrueFoundry through a Login with Azure AD button.

Prerequisites

  • A TrueFoundry tenant with Admin access to Settings → Security & Access → SSO.
  • A Microsoft Entra ID tenant with permission to create Enterprise Applications (Cloud Application Administrator or higher).
You’ll bounce between the Entra admin center and the TrueFoundry SSO settings. Keep both open in adjacent tabs to copy-paste values quickly.

Configuration overview

  1. Create the SSO configuration in TrueFoundry
     Save a SAML SSO configuration in TrueFoundry to surface the Reply URL, Identifier (Entity ID), and Relay URL.
  2. Create an Enterprise Application in Entra
     Register a non-gallery Enterprise Application that TrueFoundry will federate with.
  3. Configure the SAML connection on both sides
     Paste TrueFoundry’s values into Entra, then paste Entra’s IdP values back into TrueFoundry.
  4. Assign users and test
     Assign users or groups to the Entra application and sign in to verify.

Step 1 — Create the SSO configuration in TrueFoundry

1. Open SSO settings

Go to Settings → Security & Access → SSO. Click the + icon labeled Add New SSO Config.
TrueFoundry SSO settings page with the Add New SSO Config plus button highlighted
2. Fill in the basic fields

  • Enabled: turn this on.
  • Name: a lowercase alphanumeric label — for example, entraidsaml.
  • SSO Provider: choose Azure AD.
  • Authentication Configuration: select SAML v2.
Leave Identity Provider Endpoint and X.509 Certificate blank for now — you’ll fill them in once Entra surfaces those values.
3. Save to reveal the Reply URL, Identifier (Entity ID), and Relay URL

Click Save. TrueFoundry displays the values you need for Entra on the SSO configuration card:
  • Identifier (Entity ID) in Entra — Audience URI (SP Entity ID) in TrueFoundry.
  • Reply URL (Assertion Consumer Service URL) in Entra — Single Sign On URL in TrueFoundry.
  • Relay State in Entra — Relay URL in TrueFoundry.
TrueFoundry SSO configuration card displaying Audience URI, Single Sign On URL, Metadata URL, and Relay URL for Azure AD SAML setup

Step 2 — Create an Enterprise Application in Entra

1. Open the Microsoft Entra admin center

Sign in to the Microsoft Entra admin center as an administrator. In the left navigation, expand Identity → Applications and select Enterprise applications.
Microsoft Entra admin center showing the Enterprise applications page with the New application button highlighted
2. Create a new application

Click New application at the top of the Enterprise applications page, then select Create your own application.
  1. Give the application a name — for example, TrueFoundry.
  2. Choose Integrate any other application you don’t find in the gallery (Non-gallery).
  3. Click Create. It may take a few seconds for Entra to finish provisioning the application.
Create your own application panel with a name field and the non-gallery option selected
3. Open single sign-on

From your application’s Overview page, click Set single sign on, then select the SAML tile.
Select a single sign-on method screen in Entra with the SAML tile highlighted

Step 3 — Enter TrueFoundry’s details into Entra

On the Set up Single Sign-On with SAML page for the application you created in Step 2, edit the Basic SAML Configuration card using the Reply URL, Identifier (Entity ID), and Relay State from Step 1.
1. Edit Basic SAML Configuration

Click the pencil icon on Basic SAML Configuration and enter the values from TrueFoundry:

| Entra field | Value from TrueFoundry |
| --- | --- |
| Identifier (Entity ID) | Audience URI (SP Entity ID) |
| Reply URL (Assertion Consumer Service URL) | Single Sign On URL |
| Relay State | Relay URL |

Click Save at the top of the panel and close it.
Entra Set up Single Sign-On with SAML page with the Basic SAML Configuration edit button highlighted
Entra Basic SAML Configuration panel showing the Identifier, Reply URL, and Relay State fields
2. Add email and sub claims

From the Attributes & Claims card, click Add new claim and create two additional claims. Leave all other settings at their defaults — including the required Unique User Identifier (Name ID) claim and Entra’s built-in schema claims.

Add the email claim

  1. Click Add new claim.
  2. Set Name to email.
  3. Leave Namespace blank and Name format as Omitted (default).
  4. Under Source, select Attribute and set Source attribute to user.userprincipalname.
  5. Click Save.
Entra Manage claim panel with Name set to email and Source attribute set to user.userprincipalname

Add the sub claim

  1. Click Add new claim again.
  2. Set Name to sub.
  3. Leave Namespace blank and Name format as Omitted (default).
  4. Under Source, select Attribute and set Source attribute to user.objectid.
  5. Click Save.
Entra Manage claim panel with Name set to sub and Source attribute set to user.objectid
When finished, your Attributes & Claims page should include email and sub alongside Entra’s default claims:

| Claim name | Source attribute |
| --- | --- |
| Unique User Identifier (Name ID) | user.userprincipalname |
| email | user.userprincipalname |
| sub | user.objectid |

Entra Attributes and Claims page showing email and sub claims alongside the default SAML claims

Step 4 — Copy Entra’s details back to TrueFoundry

Scroll down on Entra’s Set up Single Sign-On with SAML page to the SAML Certificates and Set up <Your App> cards.
1. Download the signing certificate

Under SAML Certificates, click Download next to Certificate (Base64). Open the downloaded .cer file in a text editor and copy the entire contents — including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Entra SAML Certificates section with the Certificate Base64 download link
2. Copy the Login URL

From the Set up <Your App> card, copy the Login URL.
Entra Set up application card showing the Login URL field with copy button
3. Paste into TrueFoundry

Return to Settings → Security & Access → SSO in TrueFoundry and edit the SSO configuration you created in Step 1. Set:
  • Identity Provider Endpoint → the Login URL from Entra.
  • X.509 Certificate → the certificate text you copied from the .cer file.
Click Save.

Step 5 — Assign users in Entra

Entra only lets users sign in to applications they’ve been explicitly assigned to.
1. Open Users and groups

Inside your Entra application, click Users and groups in the left sidebar, then Add user/group.
Entra application Users and groups page with the Add user/group button highlighted
2. Select who can sign in

Pick the individual users or security groups that should have access to TrueFoundry and click Assign.
Entra Add Assignment page with the Users selector showing None Selected
Entra Add Assignment page with 1 user selected and the Assign button highlighted
Users who are not assigned to the Entra application will see a “no access” error when they click Login with Azure AD in TrueFoundry.

Step 6 — Test single sign-on

  1. Open a private/incognito window and go to your TrueFoundry login page.
  2. Click Login with Azure AD (or whichever button label you chose under Show advanced fields → Button Text).
  3. Authenticate with an Entra user that you assigned to the application.
If the sign-in succeeds you’ll land in the TrueFoundry dashboard. The user is created automatically if JIT provisioning is on, otherwise they must already exist in TrueFoundry or be invited.

Troubleshooting

Check the provisioning mode under Settings → Security & Access → Provisioning:
  • Invite-only — the user must be invited from Access → Users first.
  • JIT — the user is created on first login automatically.
  • SCIM — the user must be synced from your IdP first. See SCIM with Microsoft Entra ID.

The Entra user isn’t assigned to your application. Go back to Step 5 and assign them under Users and groups.

The certificate copied into TrueFoundry doesn’t match Entra’s active signing certificate. Re-download Certificate (Base64) from Entra and paste the full PEM (including the BEGIN/END lines) into TrueFoundry.

Confirm you added the email and sub claims under Attributes & Claims as described in Step 3. If those claims are missing or mapped incorrectly, TrueFoundry cannot read the user’s email or unique ID from the SAML response.
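
A diagnostic check for the certificate and claim items above, added here as an example and not TrueFoundry or Microsoft code: it inspects a base64 SAMLResponse captured from your own test sign-in and reports a wrong Audience or Recipient, missing email or sub claims, or a pasted certificate that differs from the one embedded in the response. The function names and the sample builder are assumptions, the sample response is constructed and unsigned, and the check does not verify the XML signature.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_sha256(cert_text):
    """SHA-256 over the DER bytes of a PEM (or bare base64) certificate."""
    body = re.sub(r"-----[A-Z ]+-----|\s", "", cert_text or "")
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def check_saml_response(b64_response, entity_id, acs_url, configured_pem):
    """List setup problems in a captured SAMLResponse (signature is NOT verified)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    audiences = [e.text for e in root.findall(".//a:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} is not the Identifier (Entity ID)")
    recipients = [e.get("Recipient") for e in root.findall(".//a:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append(f"Recipient {recipients} is not the Reply URL")
    if root.find(".//a:Subject/a:NameID", NS) is None:
        problems.append("NameID missing")
    attrs = {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS)]
             for a in root.findall(".//a:Attribute", NS)}
    for claim in ("email", "sub"):  # the two claims added in Step 3
        if not any(attrs.get(claim, [])):
            problems.append(f"claim '{claim}' missing or empty")
    # Compare the pasted certificate with the one(s) embedded in the response.
    embedded = {cert_sha256(e.text) for e in root.findall(".//ds:X509Certificate", NS)}
    if embedded and cert_sha256(configured_pem) not in embedded:
        problems.append("configured X.509 certificate is not the signing certificate")
    return problems

def build_sample(claims, cert_der, audience, recipient):
    """Constructed, unsigned stand-in for a SAMLResponse (not real Entra output)."""
    attrs = "".join(f'<Attribute Name="{k}"><AttributeValue>{v}</AttributeValue></Attribute>'
                    for k, v in claims.items())
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns="{NS["a"]}" xmlns:ds="{NS["ds"]}"><Assertion>'
           '<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
           f'{base64.b64encode(cert_der).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
           '</ds:Signature><Subject><NameID>alice@example.com</NameID><SubjectConfirmation>'
           f'<SubjectConfirmationData Recipient="{recipient}"/></SubjectConfirmation></Subject>'
           f'<Conditions><AudienceRestriction><Audience>{audience}</Audience>'
           f'</AudienceRestriction></Conditions><AttributeStatement>{attrs}</AttributeStatement>'
           '</Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Pass the Audience URI and Single Sign On URL shown on the TrueFoundry SSO card as `entity_id` and `acs_url`. URL-decode the SAMLResponse first if you copied it from the raw request body.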