How to set up an Entra ID Enterprise App for SignSpace SSO
Last updated
Learn how to add an Enterprise Application in Entra ID and configure it for use with SignSpace to enable SSO.
To create an Enterprise Application in Entra ID, the user must have at least the Cloud Application Administrator or Application Administrator role in Entra ID.
Follow these configuration steps to set up SSO for SignSpace.
In the Entra ID portal go to Applications → Enterprise Applications → New Application.
In the app gallery search for AWS Single-Account Access.
In the right-hand pane provide the app name and click Create.
Return to the Enterprise applications list, select the newly created application and go to Single sign-on.
Select SAML.
In the Basic SAML Configuration card click Edit.
In the Identifier (Entity ID) field, add this value: urn:amazon:cognito:sp:eu-north-1_U4Od0xofm
In the Reply URL (Assertion Consumer Service URL) field, add this value: https://3e3da9b8-3b83-9aaf-e45a-9a8d77989e34.auth.eu-north-1.amazoncognito.com/saml2/idpresponse
In the Logout URL field, add this value: https://app.signspace.com/srv/logout/
Why should the logout URL be added?
When a user logs out of SignSpace they must also be logged out of Entra ID. This is triggered by redirecting to the Cognito logout URL, which logs the user out of Entra ID as well before returning them to SignSpace. If the logout URL is not set, the user stays on the Entra ID logout page and is not redirected back to SignSpace.
Click Save.
In the Attributes & Claims card click Edit.
Add the new claims under Additional claims.
SignSpace needs these fields:
givenname - first name,
surname - last name,
email - the automatically created claim uses user.userprincipalname, which is normally the user's email address (if the UPN is not the mail address in your tenant, map user.mail instead),
phonenumber - in international format (+<country_code><number>),
permissions - a string field in which the company code, role, permissions and groups are stored, as a JSON array of objects (compare the example line further down): [{"org": <ID1>, "role": <basic>, "perms": [<perm1>, <perm2>], "groups": [<group1>, <group2>]}, {"org": <ID2>, "role": <basic>, "perms": [<perm1>, <perm2>], "groups": [<group1>, <group2>]}]
A detailed specification was provided earlier. If this field is not provided, the user is assigned to the main organisation with role basic, no permissions and no groups. This is a custom claim that your Entra ID specialist should be able to create and map accordingly.
Preview of claim management
Use this namespace for the fields: http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
If all users will have the same permissions, a static value can be added to the permissions claim. It goes in the Source attribute field: instead of choosing an attribute, type the static string into the search area and press Enter; the string then stays as the value.
Example line:
[{"org": "123456789","role": "basic", "perms": ["sign_enabled", "request_enabled"], "groups": []}]
This means that the user will be assigned to the organisation with business ID 123456789 as a basic user and will have the "sign_enabled" and "request_enabled" permissions.
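As an added example (not code from SignSpace, AWS or Microsoft), the following Python script checks a SAML response, such as the one downloaded from Test this application in Entra ID, for the claims listed above: it reads the attributes under the claims namespace, verifies that the phone number is in international format, parses the permissions claim as JSON and applies the documented default (main organisation, role basic, no permissions, no groups) when the claim is absent. The short claim names are taken from the list above, the main organisation ID 000000000 is a placeholder assumption, and the sample users are constructed test data. The script does not verify the response signature; that is Cognito's job.

```python
"""Check the claims in a SAML response against what SignSpace expects.

Added example, not code from SignSpace, AWS or Microsoft. Feed it the SAML
response downloaded from "Test this application" in Entra ID (or the
constructed samples at the bottom). The claim names follow the list on
this page; the main organisation ID used for the default is an assumption.
The response signature is NOT verified here; Cognito does that.
"""
import json
import re
import xml.etree.ElementTree as ET

CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
REQUIRED_CLAIMS = ("givenname", "surname", "email", "phonenumber")
# International format: "+" followed by country code and number (E.164, max 15 digits).
PHONE_RE = re.compile(r"^\+[1-9]\d{6,14}$")
PERMISSION_KEYS = {"org", "role", "perms", "groups"}


def read_claims(saml_xml: str) -> dict:
    """Return {short_claim_name: first_value} for every Attribute whose Name
    sits under CLAIM_NS. ElementTree is fine for a file you downloaded
    yourself; use defusedxml for anything untrusted."""
    root = ET.fromstring(saml_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if not name.startswith(CLAIM_NS + "/"):
            continue
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        claims[name[len(CLAIM_NS) + 1:]] = (value.text or "") if value is not None else ""
    return claims


def parse_permissions(raw, main_org: str) -> list:
    """Parse the permissions claim. When the claim is absent the documented
    default applies: main organisation, role basic, no perms, no groups."""
    if raw is None or not raw.strip():
        return [{"org": main_org, "role": "basic", "perms": [], "groups": []}]
    data = json.loads(raw)  # the example line on this page is JSON (double quotes)
    if not isinstance(data, list) or not data:
        raise ValueError("permissions must be a non-empty JSON array")
    for entry in data:
        if not isinstance(entry, dict) or set(entry) != PERMISSION_KEYS:
            raise ValueError(f"entry must have exactly the keys {sorted(PERMISSION_KEYS)}")
        if not isinstance(entry["org"], str) or not isinstance(entry["role"], str):
            raise ValueError("org and role must be strings")
        for key in ("perms", "groups"):
            if not isinstance(entry[key], list) or not all(isinstance(x, str) for x in entry[key]):
                raise ValueError(f"{key} must be a list of strings")
    return data


def check_response(saml_xml: str, main_org: str = "000000000") -> dict:
    """Report missing or malformed claims and the effective permissions."""
    claims = read_claims(saml_xml)
    problems = [f"missing claim: {n}" for n in REQUIRED_CLAIMS if not claims.get(n)]
    phone = claims.get("phonenumber", "")
    if phone and not PHONE_RE.match(phone):
        problems.append(f"phonenumber not in international format: {phone!r}")
    try:
        permissions = parse_permissions(claims.get("permissions"), main_org)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError too
        problems.append(f"permissions claim invalid: {exc}")
        permissions = []
    return {"claims": claims, "permissions": permissions, "problems": problems}


def build_response(claims: dict) -> str:
    """Construct a minimal, unsigned SAML Response carrying the given claims.
    Sample data only: a real Entra ID response also carries Issuer,
    Conditions, NameID and a signature."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    response = ET.Element(f"{{{SAMLP_NS}}}Response")
    assertion = ET.SubElement(response, f"{{{SAML_NS}}}Assertion")
    statement = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    for name, value in claims.items():
        attr = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute", Name=f"{CLAIM_NS}/{name}")
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(response, encoding="unicode")


# Constructed sample users (not real data).
GOOD_CLAIMS = {
    "givenname": "Anna",
    "surname": "Virtanen",
    "email": "anna.virtanen@example.com",
    "phonenumber": "+358401234567",
    "permissions": '[{"org": "123456789","role": "basic", '
                   '"perms": ["sign_enabled", "request_enabled"], "groups": []}]',
}
# Missing surname, national phone format, no permissions claim at all.
BAD_CLAIMS = {
    "givenname": "Ben",
    "email": "ben@example.com",
    "phonenumber": "0401234567",
}

if __name__ == "__main__":
    for label, claims in (("good", GOOD_CLAIMS), ("bad", BAD_CLAIMS)):
        print(label, json.dumps(check_response(build_response(claims)), indent=2))
```

Run it against the downloaded response with check_response(open("response.xml").read()); an empty problems list means every field Cognito needs is present under the right namespace, and the permissions entry shows which organisation and perms the user would land with.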
After the app is created, the users who may log in with it must be assigned under Users and groups.
Click Add user/group:
First select None Selected, then select the users who may use this SSO, and click Select.
Test this application is optional. It shows whether all the claims are provided, and the downloaded SAML response is useful when mapping the fields on the Cognito side.
After all the fields are assigned, we need the App Federation Metadata Url or the Federation Metadata XML file from the SAML Certificates card. The URL is preferred.
Learn how to integrate AWS Single-Account Access with Microsoft Entra ID:
Contact the SignSpace team for more information: customerservice@signspace.com