How to set up an Entra ID Enterprise App for SignSpace SSO
Last updated
🇬🇧 English
Last updated
Learn how to add Enterprise Application in Entra ID and configure it to use with SignSpace to enable SSO.
To create Enterprise Application in Entra ID, user must at least have Cloud Application Administrator or Application Administrator role in Entra ID.
Follow these configuration steps to set up SSO for SignSpace.
In Entra ID dashboard got to Applications →
Enterprise Applications → New Application .
From App gallery search AWS Single-Account Access.
In the right corner provide app name, click Create.
Return to Enterprise applications list. Select newly created application, got to Single sign-on.
Select SAML.
In Basic SAML Configuration card click Edit.
In identifier field, add this value: urn:amazon:cognito:sp:eu-north-1_U4Od0xofm.
Click Save
In Attributes & Claims card select Edit .
Add new claims under additional claims
We need these fields:
givenname - first name,
surname - last name,
email - automatically created name uses user.userprincipalname, which is email,
phonenumber - in international format (+<country_code><number>),
permissions - is a string field, where company code, role, permissions are stored. This is the format: [{"org": <ID1>, "role": "basic", "perms": ["perm1", "perm2"], "groups": ["group1", "group2"]}, {"org": <ID2>, "role": "basic", "perms": ["perm1", "perm2"], "groups": ["group1", "group2"]}]
Detailed specification provided earlier. If this field is not provided, user will be assigned to main organisation, role basic , no permissions, no groups. This field is a custom field, that Entra ID specialist should be able to create and map accordingly.
Detailed explanations of permissions field:
org - business ID, type: string, example: “1234567-1”, MANDATORY;
role - user role, type: string, example: “basic”(if role is left empty, default is “basic”), OPTIONAL, available choices: “basic”, “main”;
groups - user groups, type: list of strings, example: [“group:66c2f6eb7c62df056d4699e1”]), OPTIONAL;
perms - permissions to user, type: list of strings, example: [“sign_enabled“, “request_enabled”], OPTIONAL, available choices:
Permission
ID (enabled)
ID (disabled)
Signing
sign_enabled
sign_disabled
Groups create
group_enabled
group_disabled
Request create
request_enabled
request_disabled
Batch signing
batch_enabled
batch_disabled
Deletion
del_enabled
del_disabled
Preview of claim management
If all users will have same permissions, static line to permissions claim can be added. It should be added in source attribute field. Instead of choosing attribute, static string can be entered in search area, and after pressing Enter on keyboard, this string will stay:
Example line:
[{"org": "1234567-8","role": "basic", "perms": ["sign_enabled", "request_enabled", "group_enabled", "batch_enabled"], "groups": ["group:65e6d7959c16477da96522f7"]}]
This means, that user will be assigned to organisation with business ID 1234567-8 as a basic user, and will have signing, groups create, requests create and batch signing permissions. User is added to group, with ID group:65e6d7959c16477da96522f7 as a basic member.
After an app is created, users, who can login with that app must be assigned in Users and Groups
Click Add user/group:
Test this application is optional, but not required. This will provide information, if all the claims are provided. Also download SAML response is useful, when we need to map fields in cognito side.
Learn how to integrate AWS Single-Account Access with Microsoft Entra ID:
Reply URL, add this value:
Logout URL, add this value:
Use this namespace for fields: .
After all the fields assigned, from SAML Certificates card we need App Federation Metadata Url or Federation Metadata XML file. This URL is preferred.
At first, select None Selected , then select users , who can use this SSO, click Select
Contact the SignSpace team for more information:
