Setting Up Microsoft Entra (Azure AD)

This document outlines the steps required to set up Microsoft Entra (formerly Azure AD) SSO integration with StepSecurity.

Setup Instructions

Step 1: Create a New Enterprise Application

• Navigate to your Microsoft Entra Admin Portal.

• Create a new Enterprise Application.

• Name the application StepSecurity.

Step 2: Configure Single Sign-On

• After creating the application, go to the Single Sign-On section.

• Select SAML as the SSO method.

Step 3: Provide SAML Configuration

• In the SAML Basic Configuration, enter the following values:

• Leave all other properties with their default values unless specified otherwise.

• (Optional) For Idp initiated login we can add the Default RelayState:

identity_provider=<IDP_NAME_IN_COGNITO>&client_id=<COGNITO_CLIENT_ID>&redirect_uri=https%3A%2F%2F.stepsecurity.io%2Fauth%2Fcognito%2Fcallback&response_type=code&scope=email+openid+phone+profile

Step 4 Add a Group Claim

Update Attributes & Claims to pass group information in the SAML assertion.

• Open Attributes & Claims → Add a group claim.

• Under Which groups select Groups assigned to the application.

• Set Source attribute to Cloud‑only group display names.

• Expand Advanced options.

  • (Optional) You may filter groups if you need to limit which ones are emitted.

• Enable Customize the name of the group claim and set Name to Groups.

• Save.

Step 5: Exchange metadata and (optionally) configure IdP‑initiated access

• Download the IdP metadata file from the Entra SAML page and share it with StepSecurity.

• (Optional) For IdP‑initiated login to the StepSecurity Console:

  • Contact StepSecurity to obtain your RelayState value (or construct it using the template above).

  • In the Entra portal, paste that value into Relay State (Optional) under Basic SAML Configuration and Save.