# SAML App Registration in EntraID

## How to set up an App Registration for SAML

{% hint style="info" %}
This page describes how to create an App Registration in Microsoft Entra ID to be used as a SAML Identity Provider in WEM.

Microsoft does make changes to their approach, so we cannot guarantee that what we describe here will remain exactly the same, but it should help.
{% endhint %}

<div align="left"><figure><img src="/files/WGG2l50o15hNzF6xa4pD" alt="" width="140"><figcaption><p>1-2 Entra ID Menu</p></figcaption></figure> <figure><img src="/files/zFGPqeCG4wimQosfKP0n" alt="" width="241"><figcaption><p>3-Create new application</p></figcaption></figure> <figure><img src="/files/ELFoHUABHakM2plxcRLB" alt="" width="236"><figcaption><p>4-Create your own application</p></figcaption></figure> <figure><img src="/files/IsxkQsnr9gZ5KV1tMTFF" alt="" width="279"><figcaption><p>5-name and integration type</p></figcaption></figure></div>

1. Go to <https://entra.microsoft.com/> (you need to have admin permissions).
2. In the sidebar menu, find **Applications** and, within that option, go to **Enterprise Applications**.
3. Click on **New Application**.
4. Click on **Create your own application**.
5. Add a name, select "*Integrate any other application you don't find in the gallery (Non-gallery)*" and click Create.
6. Wait until the app is created.

## Enterprise Application Overview

<figure><img src="/files/m6KZ8aElwgqkvPorrgNn" alt=""><figcaption></figcaption></figure>

### Assign users

In the Enterprise Application, you assign the users and groups that are allowed to log in using this specific application (SSO in your WEM portal). Depending on your Active Directory / Entra ID plan, you may only be able to assign individual users (the basic plans). Assigning groups requires the more expensive plans (and users with the appropriate licenses); the Business Standard license plan only allows you to add users.

So select users (and groups if possible) and click the **Assign** button at the bottom. When you return to the Users and Groups overview, you should see the assigned users and groups.

<div><figure><img src="/files/K1sBdOzku3taKd4e9dcO" alt=""><figcaption></figcaption></figure> <figure><img src="/files/9jm71duecEKJLgEZAG56" alt=""><figcaption></figcaption></figure></div>

### Set up Single Sign On with SAML

Back on the overview, click **2. Set up Single Sign On** and select the **SAML** option.

<div><figure><img src="/files/adnpTcz75JYKrxrXLS1t" alt=""><figcaption></figcaption></figure> <figure><img src="/files/c7x8lRUJTf1Wa2PQmkS1" alt=""><figcaption></figcaption></figure></div>

#### 1. Basic SAML Configuration

At 1. Basic SAML Configuration, click edit.\
Here you need to enter the **Identifier** (Entity ID), which identifies your application to Entra ID and will also be part of the settings in WEM. This value must be in a valid URI format.

Microsoft Entra ID supports the `urn:` prefix as in the example, and we often use a GUID combined with a domain. For example, you can take the Application ID from the overview and add your domain:

`urn:{Application-Id}.wem.io`

Valid Entity ID values should have a prefix; the most common options are `urn:`, `spn:` and `https://`, followed by something that looks like a hostname (portalname.yourdomain.ext), a GUID (`xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`) or a combination (`urn:portalname.wem.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`).

The second required item is the **Reply URL**. This holds the URL(s) of your WEM portal that will receive the authentication token.

To fill in this Reply URL correctly, you should already have created the SAML provider element in your WEM project, or you can enter the values here now and make sure that you use the same name in WEM. The Reply URL for any WEM portal has the following format:

`https://{portal-hostname}/auth/saml/{saml-name you set in WEM}`

You should already have a staging hostname and perhaps a live hostname. You can enter both in the same App Registration, so that both the staging and the live portal use the same App Registration and thus serve the same set of users/groups.\
*If you want different sets of users/groups for staging and for live, you must create two different App Registrations!*

<figure><img src="/files/WJaWfZRspcmde2fKH76a" alt=""><figcaption><p>Basic SAML configuration</p></figcaption></figure>

**Hit the save button** and close the panel.
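The two required Basic SAML Configuration values can be assembled and sanity-checked before you paste them into the portal. The script below is an added example, not part of the WEM documentation or product; it assumes you know your Application ID, the name of the SAML element in WEM and the portal hostnames (all values in it are constructed placeholders). It also checks each Reply URL against a list of hostnames you operate, because Entra ID will post the SAML response to whatever Reply URL is registered.

```python
"""Build and sanity-check the Basic SAML Configuration values for a WEM portal.

Added example, not part of the WEM documentation or the WEM product.
Assumed inputs: an Entra Application (client) ID, the WEM SAML element name
and the portal hostnames; all sample values below are constructed placeholders.
"""
import re
from urllib.parse import urlparse

# Prefixes the documentation lists as the common, accepted Entity ID forms.
ENTITY_ID_PREFIXES = ("urn:", "spn:", "https://")
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def build_entity_id(application_id: str, domain: str) -> str:
    """Return the 'urn:{Application-Id}.{domain}' identifier the documentation suggests."""
    if not GUID_RE.match(application_id):
        raise ValueError(f"not a GUID-shaped Application ID: {application_id!r}")
    return f"urn:{application_id}.{domain}"


def is_valid_entity_id(entity_id: str) -> bool:
    """The Entity ID must carry a known prefix and parse as a URI with a scheme and a body."""
    if not entity_id.startswith(ENTITY_ID_PREFIXES):
        return False
    parsed = urlparse(entity_id)
    # 'urn:x' and 'spn:x' parse with the body in .path; 'https://x' has it in .netloc.
    return bool(parsed.scheme) and bool(parsed.netloc or parsed.path)


def build_reply_url(portal_hostname: str, saml_name: str) -> str:
    """Reply URL format for any WEM portal: https://{portal-hostname}/auth/saml/{saml-name}."""
    return f"https://{portal_hostname}/auth/saml/{saml_name}"


def check_reply_urls(reply_urls, owned_hostnames) -> list:
    """Return the problems found; an empty list means every Reply URL is acceptable.

    Entra ID only posts the SAML response to a registered Reply URL, so each one
    must be https and must point at a hostname you actually operate.
    """
    problems = []
    for url in reply_urls:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{url}: not https")
        if parsed.hostname not in owned_hostnames:
            problems.append(f"{url}: hostname not in the owned-hostname allowlist")
        if not parsed.path.startswith("/auth/saml/") or parsed.path == "/auth/saml/":
            problems.append(f"{url}: path is not /auth/saml/<saml-name>")
    return problems


def basic_saml_configuration(application_id, domain, saml_name, hostnames, owned_hostnames):
    """Assemble the two required Basic SAML Configuration values and validate them."""
    entity_id = build_entity_id(application_id, domain)
    reply_urls = [build_reply_url(h, saml_name) for h in hostnames]
    problems = check_reply_urls(reply_urls, owned_hostnames)
    if not is_valid_entity_id(entity_id):
        problems.append(f"{entity_id}: not a valid Entity ID")
    return {"identifier": entity_id, "reply_urls": reply_urls, "problems": problems}


if __name__ == "__main__":
    # Constructed sample values: no real tenant, application or portal.
    cfg = basic_saml_configuration(
        application_id="11111111-2222-3333-4444-555555555555",
        domain="wem.io",
        saml_name="entra",
        hostnames=["staging.example-portal.wem.io", "portal.example.com"],
        owned_hostnames={"staging.example-portal.wem.io", "portal.example.com"},
    )
    for key, value in cfg.items():
        print(f"{key}: {value}")
```

Run it with your own values and paste `identifier` into the Identifier field and each entry of `reply_urls` into the Reply URL list; anything listed under `problems` should be corrected before saving, because a Reply URL on a hostname you do not control would deliver your users' assertions elsewhere.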

#### 2. Attributes and Claims

In Attributes and Claims, you define which fields of a specific identity are passed to your WEM application. By default you get the Unique User Identifier (usually the user principal name), the email address and the name attributes. Here you can add other fields, or change the existing claims to use other fields from the identity.

#### 3. SAML Certificates

This is where the settings for the Token Signing and Verification Certificates live. You do not need to change anything here.

By default, Verification certificates are **not** required; if you change this, you also need to change the corresponding setting in your WEM SAML settings.

The **important** part in this section, is the **App Federation Metadata Url**. It looks something like \
`https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={app-id}`

Copy this URL: with it you can quickly set up the SAML element in your WEM project, and it is also required for the **Fetch certificates at Runtime** option, which is necessary when using Microsoft Entra ID or Azure AD, because Entra ID rotates its token-signing certificates and a certificate pasted in by hand will stop validating signatures after the next rollover.

#### 4. Setup {your app SSO}

In this part, you will see the Login URL, Microsoft Entra Identifier and Logout URL that you can use in your SAML element settings. But if you use the **App Federation Metadata URL** to set up your SAML element, these items are set correctly and automatically.
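To see what the App Federation Metadata URL actually provides, and why fetching it at runtime covers certificate rollover, here is an added example that parses a federation metadata document the way a runtime fetch would. It is not WEM's implementation of "Fetch certificates at Runtime"; the metadata XML inside it is a constructed stand-in for what the URL returns (the tenant ID and the certificate bytes are placeholders), and the tenant check relies on the fact that Entra ID's SAML issuer has the form `https://sts.windows.net/{tenant-id}/`.

```python
"""Parse an Entra ID federation metadata document as a runtime fetch would.

Added example, not WEM's code. SAMPLE_METADATA is a constructed stand-in for
the document served at the App Federation Metadata URL; TENANT_ID and the two
"certificates" are placeholders, not real values.
"""
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholders (no real tenant, no real certificate).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CERT_CURRENT = base64.b64encode(b"constructed-der-bytes-current-signing-key").decode()
CERT_NEXT = base64.b64encode(b"constructed-der-bytes-next-signing-key").decode()

# Two signing KeyDescriptors: during a rollover Entra ID publishes both the
# current and the upcoming certificate, which is what a static copy would miss.
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{CERT_CURRENT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{CERT_NEXT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
                         Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
                         Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the issuer, Login/Logout URLs and all signing certificates from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    certs = [
        "".join(el.text.split())  # drop the line breaks PEM-style bodies may contain
        for el in idp.findall("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    ]
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    slo = idp.find(f"md:SingleLogoutService[@Binding='{REDIRECT}']", NS)
    return {
        "entity_id": root.get("entityID"),          # the "Microsoft Entra Identifier"
        "login_url": sso.get("Location") if sso is not None else None,
        "logout_url": slo.get("Location") if slo is not None else None,
        "signing_certificates": certs,
    }


def certificate_fingerprints(certs) -> list:
    """SHA-256 hex digest over each certificate's DER bytes; compare these across fetches."""
    return [hashlib.sha256(base64.b64decode(b64)).hexdigest() for b64 in certs]


def check_issuer_tenant(metadata: dict, expected_tenant_id: str) -> bool:
    """Refuse metadata whose issuer belongs to a tenant other than the one you configured."""
    return metadata["entity_id"] == f"https://sts.windows.net/{expected_tenant_id}/"


def fetch_idp_metadata(metadata_url: str, timeout: float = 10) -> dict:
    """Runtime fetch (network call): re-read the metadata so a rotated signing cert is picked up."""
    if not metadata_url.startswith("https://"):
        raise ValueError("federation metadata must be fetched over https")
    with urllib.request.urlopen(metadata_url, timeout=timeout) as resp:
        return parse_idp_metadata(resp.read().decode("utf-8"))


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("issuer     :", meta["entity_id"])
    print("login url  :", meta["login_url"])
    print("logout url :", meta["logout_url"])
    print("tenant ok  :", check_issuer_tenant(meta, TENANT_ID))
    for fp in certificate_fingerprints(meta["signing_certificates"]):
        print("signing cert sha256:", fp)
```

Point `fetch_idp_metadata` at the real App Federation Metadata URL from your App Registration to see the live values; comparing the fingerprints between two fetches is an easy way to notice a certificate rollover, and the tenant check stops a mistyped metadata URL from silently trusting another tenant's signing keys.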

This should provide all you need to know to set up SAML within Microsoft Entra ID, or at least give insight into the necessary actions and settings.


