# How to set up an Entra ID Enterprise App for SignSpace SSO

Learn how to add an Enterprise Application in Entra ID and configure it for use with SignSpace to enable SSO.

### Preconditions <a href="#preconditions" id="preconditions"></a>

To create an Enterprise Application in Entra ID, the user must have at least the Cloud Application Administrator or Application Administrator role in Entra ID.

### Configuration process <a href="#configuration-process" id="configuration-process"></a>

Follow these configuration steps to set up SSO for SignSpace.

In the Entra ID dashboard, go to **Applications** → **Enterprise Applications** <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/atlassian/productivityEmojis/01-circle-red-64px.png" alt="1 One Circle Red" data-size="line"> → **New Application** <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/atlassian/productivityEmojis/02-circle-red-64px.png" alt="2 Two Circle Red" data-size="line">.

<figure><img src="/files/8qQRHvt0EwvR9BJQPxMU" alt=""><figcaption></figcaption></figure>

From the App gallery, search for **AWS Single-Account Access**.

<figure><img src="/files/fvJ5H2brpWaylUNnip6I" alt=""><figcaption></figcaption></figure>

In the panel on the right, provide an app name and click **Create**.

<figure><img src="/files/fbf0OUlRKkTyn8FMGgCZ" alt=""><figcaption></figcaption></figure>


Return to the Enterprise applications list. Select the newly created application and go to **Single sign-on**.

<figure><img src="/files/Rs1KGFywClDSq2xofo4U" alt=""><figcaption></figcaption></figure>

Select **SAML**.

<figure><img src="/files/bKpQg6QebfNTcTJTqX9K" alt=""><figcaption></figcaption></figure>

In the **Basic SAML Configuration** card, click **Edit**.

<figure><img src="/files/TrTELb5VyXrj1suriMhr" alt=""><figcaption></figcaption></figure>

In the identifier field, add this value: `urn:amazon:cognito:sp:eu-north-1_U4Od0xofm`.

<figure><img src="/files/FVtPBJOhYLlBVRmCX7nv" alt=""><figcaption></figcaption></figure>

In the Reply URL field, add this value: <https://3e3da9b8-3b83-9aaf-e45a-9a8d77989e34.auth.eu-north-1.amazoncognito.com/saml2/idpresponse>

<figure><img src="/files/BAIx4RkCNw9LtYiGrrdb" alt=""><figcaption></figcaption></figure>

In the Logout URL field, add this value: <https://app.signspace.com/srv/logout/>

<figure><img src="/files/219wDhRkLS4Ky8paDt3b" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**Why should the logout URL be added?**

When a user logs out from SignSpace, they must also be logged out of Entra ID. This is done by redirecting to the Cognito logout URL, which logs the user out of Entra ID and then returns them to SignSpace. If the logout URL is not set, the user remains on the Entra ID logout page and is not redirected back to SignSpace.
{% endhint %}

Click **Save**.

In the **Attributes & Claims** card, select **Edit**.

<figure><img src="/files/28ckYyxIc2T9I4eOOAR5" alt=""><figcaption></figcaption></figure>

Add the new claims under **Additional claims**.

<figure><img src="/files/S3SYbcLjOVwEeENYroLu" alt=""><figcaption></figcaption></figure>

We need these fields:

* **givenname** - first name;
* **surname** - last name;
* **email** - the automatically created claim uses `user.userprincipalname`, which is the email address;
* **phonenumber** - in international format (+\<country\_code>\<number>);
* **permissions** - a string field in which the company code, role, permissions and groups are stored, in this format: `[{"org": <ID1>, "role": "basic", "perms": ["perm1", "perm2"], "groups": ["group1", "group2"]}, {"org": <ID2>, "role": "basic", "perms": ["perm1", "perm2"], "groups": ["group1", "group2"]}]`

A detailed specification of this field follows below. If the field is not provided, the user is assigned to the main organisation with role *basic*, no permissions and no groups. This is a custom claim that the Entra ID specialist needs to create and map accordingly.

Detailed explanation of the **permissions** field:

* **org** - business ID, type: string, example: "1234567-1", MANDATORY;
* **role** - user role, type: string, example: "basic" (if the role is left empty, the default is "basic"), OPTIONAL, available choices: "basic", "main";
* **groups** - user groups, type: list of strings, example: \["group:66c2f6eb7c62df056d4699e1"], OPTIONAL;
* **perms** - permissions granted to the user, type: list of strings, example: \["sign\_enabled", "request\_enabled"], OPTIONAL, available choices:

| **Permission** | **ID (enabled)** | **ID (disabled)** |
| -------------- | ---------------- | ----------------- |
| Signing        | sign\_enabled    | sign\_disabled    |
| Groups create  | group\_enabled   | group\_disabled   |
| Request create | request\_enabled | request\_disabled |
| Batch signing  | batch\_enabled   | batch\_disabled   |
| Deletion       | del\_enabled     | del\_disabled     |

<figure><img src="/files/WrkkLJQ8B9s4s02wtQ6e" alt=""><figcaption></figcaption></figure>

*Preview of claim management*

Use this namespace for the fields: <http://schemas.xmlsoap.org/ws/2005/05/identity/claims>.

If all users will have the same permissions, a static string can be used as the **permissions** claim. It is entered in the **Source attribute** field: instead of choosing an attribute, type the static string into the search box and press **Enter**; the string is then kept as the value:

<figure><img src="/files/wRI3oHqBUiJiBc68Saz9" alt=""><figcaption></figcaption></figure>

Example line:

`[{"org": "1234567-8","role": "basic", "perms": ["sign_enabled", "request_enabled", "group_enabled", "batch_enabled"], "groups": ["group:65e6d7959c16477da96522f7"]}]`

This means that the user is assigned to the organisation with business ID `1234567-8` as a basic user and has the signing, group create, request create and batch signing permissions. The user is also added to the group with ID `group:65e6d7959c16477da96522f7` as a basic member.
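As an added example (not SignSpace's or Microsoft's code), the following Python validator parses a **permissions** claim string against the specification above and applies the documented defaults when the claim is missing, so a static string can be checked before it is entered as the claim's source attribute. `MAIN_ORG` is a placeholder for the tenant's main organisation, not a real business ID.

```python
import json

# Allowed values taken from the permissions specification on this page.
ALLOWED_ROLES = {"basic", "main"}
ALLOWED_PERMS = {f"{p}_{s}" for p in ("sign", "group", "request", "batch", "del")
                 for s in ("enabled", "disabled")}
# Placeholder for the tenant's main organisation (hypothetical, not a real ID).
MAIN_ORG = "<main-organisation-business-id>"


def parse_permissions_claim(claim):
    """Parse the SignSpace 'permissions' claim string and apply the
    defaults described on this page. Raises ValueError on values the
    specification does not allow, so a bad static string is caught
    before it is entered in Entra ID."""
    if claim is None or not claim.strip():
        # Missing claim: main organisation, role 'basic', no perms, no groups.
        return [{"org": MAIN_ORG, "role": "basic", "perms": [], "groups": []}]

    entries = json.loads(claim)
    if not isinstance(entries, list) or not entries:
        raise ValueError("permissions claim must be a non-empty JSON list")

    result = []
    for entry in entries:
        if not isinstance(entry, dict):
            raise ValueError("each entry must be a JSON object")
        org = entry.get("org")
        if not isinstance(org, str) or not org:
            raise ValueError("org is mandatory and must be a string")
        role = entry.get("role") or "basic"  # empty role defaults to 'basic'
        if role not in ALLOWED_ROLES:
            raise ValueError(f"unknown role {role!r}")
        perms = entry.get("perms") or []
        unknown = [p for p in perms if p not in ALLOWED_PERMS]
        if unknown:
            raise ValueError(f"unknown permission IDs: {unknown}")
        groups = entry.get("groups") or []
        if not all(isinstance(g, str) for g in groups):
            raise ValueError("groups must be a list of strings")
        result.append({"org": org, "role": role,
                       "perms": list(perms), "groups": list(groups)})
    return result


# The static example line from this page.
EXAMPLE_CLAIM = ('[{"org": "1234567-8","role": "basic", "perms": ["sign_enabled", '
                 '"request_enabled", "group_enabled", "batch_enabled"], '
                 '"groups": ["group:65e6d7959c16477da96522f7"]}]')
```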

After all the fields are assigned, from the **SAML Certificates** card we need either the **App Federation Metadata Url** <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/atlassian/productivityEmojis/01-circle-red-64px.png" alt="1 One Circle Red" data-size="line"> or the **Federation Metadata XML** <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/atlassian/productivityEmojis/02-circle-red-64px.png" alt="2 Two Circle Red" data-size="line"> file. The URL is preferred.

<figure><img src="/files/AZ4RLBjZ8V3ouuCvOmez" alt=""><figcaption></figcaption></figure>

After the app is created, the users who may log in with it must be assigned under **Users and Groups**.

![](/files/kZVqUO2nZXpteJpUpMvn)

Click **Add user/group**:

![](/files/LejwMspfIxLTCMI4diaA)

First, select **None Selected** <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/atlassian/productivityEmojis/01-circle-red-64px.png" alt="1 One Circle Red" data-size="line">, then select the users <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/atlassian/productivityEmojis/02-circle-red-64px.png" alt="2 Two Circle Red" data-size="line"> who may use this SSO, and click **Select** <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/atlassian/productivityEmojis/03-circle-red-64px.png" alt="3 Three Circle Red" data-size="line">.

<figure><img src="/files/3Dl6To9kE4cvSIbD2kQg" alt=""><figcaption></figcaption></figure>

**Test this application** is optional. It shows whether all the claims are provided. Downloading the SAML response is also useful when the fields need to be mapped on the Cognito side.

<figure><img src="/files/oW4RhdWHqLtCzfJiSHxd" alt=""><figcaption></figcaption></figure>
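The check a downloaded SAML response is used for, written out as an added example (not SignSpace's or Microsoft's code): it pulls the attributes under the claims namespace from this page out of the assertion and reports which of the required SignSpace claims are missing or malformed. The phone-number pattern and the constructed sample response are assumptions; the standard-library XML parser is used only because the input is a file you downloaded yourself, and signature validation is left to Cognito.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
REQUIRED_CLAIMS = ("givenname", "surname", "email", "phonenumber")
# International format "+<country_code><number>"; the digit limits are an
# assumption (E.164 allows at most 15 digits), not a SignSpace rule.
PHONE_RE = re.compile(r"^\+[1-9]\d{6,14}$")


def extract_claims(saml_response_xml):
    """Return {short_name: value} for each assertion attribute in CLAIM_NS."""
    root = ET.fromstring(saml_response_xml)  # use defusedxml for untrusted input
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if name.startswith(CLAIM_NS + "/"):
            value = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS)
            claims[name[len(CLAIM_NS) + 1:]] = value.strip()
    return claims


def check_signspace_claims(saml_response_xml):
    """Report the problems a 'Test this application' run is used to spot."""
    claims = extract_claims(saml_response_xml)
    problems = [f"missing claim: {c}" for c in REQUIRED_CLAIMS if not claims.get(c)]
    phone = claims.get("phonenumber")
    if phone and not PHONE_RE.match(phone):
        problems.append(f"phonenumber not in +<country_code><number> form: {phone}")
    if not claims.get("permissions"):
        problems.append("warning: permissions absent, user gets main organisation, role basic")
    return claims, problems


# Constructed sample response (signature and other elements omitted) in which
# the phonenumber claim was never mapped, to show what the check reports.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM_NS}/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_NS}/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_NS}/email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_NS}/permissions"><saml:AttributeValue>[{{"org": "1234567-8"}}]</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```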

### For more information

Learn how to integrate AWS Single-Account Access with Microsoft Entra ID:

[<img src="https://learn.microsoft.com/favicon.ico" alt="" data-size="line">Tutorial: Microsoft Entra SSO integration with AWS Single-Account Access - Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/saas-apps/amazon-web-service-tutorial)

Contact the SignSpace team for more information: <customerservice@signspace.com>


