How to set up an Entra ID Enterprise App for SignSpace SSO

Learn how to add Enterprise Application in Entra ID and configure it to use with SignSpace to enable SSO.

Preconditions

To create Enterprise Application in Entra ID, user must at least have Cloud Application Administrator or Application Administrator role in Entra ID.

Configuration process

Follow these configuration steps to set up SSO for SignSpace.

In the Entra ID dashboard go to Applications > Enterprise Applications > New Application.

From the App gallery, search for AWS Single-Account Access.

In the pane on the right, provide the app name and click Create.

Return to the Enterprise applications list. Select the newly created application and go to Single sign-on.

Select SAML.

In the Basic SAML Configuration card, click Edit.

In the Identifier field, add this value: urn:amazon:cognito:sp:eu-north-1_U4Od0xofm

In the Reply URL field, add this value: https://3e3da9b8-3b83-9aaf-e45a-9a8d77989e34.auth.eu-north-1.amazoncognito.com/saml2/idpresponse

In the Logout URL field, add this value: https://app.signspace.com/srv/logout/

Why should the logout URL be added?

When a user logs out from SignSpace, they must also be logged out of Entra ID. This process is triggered by redirecting to the Cognito logout URL, which also logs the user out of Entra ID before returning them to SignSpace. If the logout URL is not set, the user will remain on the Entra ID logout page and will not be redirected back to SignSpace.

Click Save.

In the Attributes & Claims card, select Edit.

Add new claims under Additional claims.

We need these fields:

  • givenname - first name;

  • surname - last name;

  • email - the automatically created claim uses user.userprincipalname, which is the email address;

  • phonenumber - in international format (+<country_code><number>);

  • permissions - a string field in which the company code, role, permissions and groups are stored, in this format: [{"org": <ID1>, "role": "basic", "perms": ["perm1", "perm2"], "groups": ["group1", "group2"]}, {"org": <ID2>, "role": "basic", "perms": ["perm1", "perm2"], "groups": ["group1", "group2"]}]

Detailed specification provided earlier. If this field is not provided, the user will be assigned to the main organisation with role basic, no permissions and no groups. This is a custom field that an Entra ID specialist should be able to create and map accordingly.

Detailed explanation of the permissions field:

  • org - business ID, type: string, example: "1234567-1", MANDATORY;

  • role - user role, type: string, example: "basic" (if role is left empty, the default is "basic"), OPTIONAL, available choices: "basic", "main";

  • groups - user groups, type: list of strings, example: ["group:66c2f6eb7c62df056d4699e1"], OPTIONAL;

  • perms - permissions granted to the user, type: list of strings, example: ["sign_enabled", "request_enabled"], OPTIONAL, available choices:

  Permission      ID (enabled)     ID (disabled)
  Signing         sign_enabled     sign_disabled
  Groups create   group_enabled    group_disabled
  Request create  request_enabled  request_disabled
  Batch signing   batch_enabled    batch_disabled
  Deletion        del_enabled      del_disabled

Preview of claim management

Use this namespace for the fields: http://schemas.xmlsoap.org/ws/2005/05/identity/claims

If all users will have the same permissions, a static string can be used as the permissions claim. It is entered in the Source attribute field: instead of choosing an attribute, type the static string into the search area and press Enter on the keyboard; the string is then kept as the value:

Example line:

[{"org": "1234567-8","role": "basic", "perms": ["sign_enabled", "request_enabled", "group_enabled", "batch_enabled"], "groups": ["group:65e6d7959c16477da96522f7"]}]

This means that the user will be assigned to the organisation with business ID 1234567-8 as a basic user, and will have the signing, groups create, request create and batch signing permissions. The user is added to the group with ID group:65e6d7959c16477da96522f7 as a basic member.
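A static permissions string is easy to get subtly wrong (a missing org, a misspelled permission id, a role outside the allowed set), and such a mistake silently changes what a user is allowed to do after SSO login. The following added example, which is not part of this page or of SignSpace's own code, validates a permissions claim string against the specification above and applies the documented defaults when the claim is absent; the placeholder for the main organisation id is an assumption, since the page does not give that value.

```python
import json

# Allowed values taken from the page's permissions-claim specification.
ALLOWED_ROLES = {"basic", "main"}
ALLOWED_PERMS = {
    "sign_enabled", "sign_disabled", "group_enabled", "group_disabled",
    "request_enabled", "request_disabled", "batch_enabled", "batch_disabled",
    "del_enabled", "del_disabled",
}
# Documented fallback when the claim is absent: main organisation, role
# "basic", no permissions, no groups. The org id here is a placeholder.
MAIN_ORG_PLACEHOLDER = "<main-organisation-id>"


def validate_permissions_claim(claim):
    """Parse the 'permissions' claim string; return normalised entries or raise ValueError."""
    if claim is None or claim.strip() == "":
        return [{"org": MAIN_ORG_PLACEHOLDER, "role": "basic", "perms": [], "groups": []}]
    try:
        entries = json.loads(claim)
    except json.JSONDecodeError as exc:
        raise ValueError(f"permissions claim is not valid JSON: {exc}") from exc
    if not isinstance(entries, list) or not entries:
        raise ValueError("permissions claim must be a non-empty JSON array")
    result = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {i} is not a JSON object")
        org = entry.get("org")
        if not isinstance(org, str) or not org:
            raise ValueError(f"entry {i}: 'org' is mandatory and must be a non-empty string")
        role = entry.get("role") or "basic"  # empty role defaults to "basic"
        if role not in ALLOWED_ROLES:
            raise ValueError(f"entry {i}: unknown role {role!r}")
        perms = entry.get("perms", [])
        groups = entry.get("groups", [])
        for name, value in (("perms", perms), ("groups", groups)):
            if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
                raise ValueError(f"entry {i}: {name!r} must be a list of strings")
        unknown = sorted(set(perms) - ALLOWED_PERMS)
        if unknown:
            raise ValueError(f"entry {i}: unknown permissions {unknown}")
        result.append({"org": org, "role": role, "perms": list(perms), "groups": list(groups)})
    return result


# Constructed sample input: the page's example static claim line.
SAMPLE_CLAIM = ('[{"org": "1234567-8","role": "basic", "perms": ["sign_enabled", '
                '"request_enabled", "group_enabled", "batch_enabled"], '
                '"groups": ["group:65e6d7959c16477da96522f7"]}]')
```

Run the validator over the exact string you intend to paste into the Source attribute field, and over a downloaded SAML response's permissions attribute when debugging a mapping.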

After all the fields are assigned, from the SAML Certificates card we need the App Federation Metadata Url or the Federation Metadata XML file. The URL is preferred.

After the app is created, the users who can log in with that app must be assigned under Users and groups.

Click Add user/group:

First, select None Selected, then select the users who can use this SSO and click Select.

Testing the application (Test this application) is optional. It shows whether all the claims are provided. Downloading the SAML response is also useful when fields need to be mapped on the Cognito side.

For more information

Learn how to integrate AWS Single-Account Access with Microsoft Entra ID:

Tutorial: Microsoft Entra SSO integration with AWS Single-Account Access - Microsoft Entra ID

Contact the SignSpace team for more information: [email protected]
