Configure SAML with Azure AD

This page explains how to integrate Microsoft Entra ID (Azure AD) as a SAML Identity Provider to authenticate your users on Reemo.

Important

This feature is available starting from the Enterprise plan.

Note

Depending on your deployment mode, SAML can be enabled at the instance level (Private Cloud / On-Prem) or at the organization level (Public Cloud).
Screenshots and labels may vary slightly depending on your interface version.

Configure SAML in Reemo

Case 1: Instance level (Private Cloud / On-Prem)
Configure SAML in the instance’s Admin Area, under the Connectors menu.
Figure: Access Connectors in the instance Admin Area.

Case 2: Organization level (Public Cloud)
From your Organization > Connectors, configure SAML for this organization.
Figure: Configure SAML in Organization > Connectors.

Create the SAML Connector in Reemo

  1. Create a new Connector of type SAML Connector.

  2. Fill in the basic fields:

  • Friendly Name: name displayed to your users (e.g., AzureAD).

  • Issuer / App URI ID: reemo.

  • The other fields (Entry Point, Certificate) will be completed after configuring Azure.

Figure: Fill in the basic fields of the SAML connector.

Figure: Enter the friendly name and the Issuer (reemo), then save.

  3. Validate to generate the connector’s Callback URL. You will need this in Azure (Single sign-on URL).

Figure: Copy the Callback URL generated by the SAML connector.

Configure the SAML Application in Azure AD

  1. Log in to the Azure portal: https://portal.azure.com

  2. Create a new application: App Services > Manage Azure Active Directory > Enterprise applications > New application.

  3. Click Create your own application.
    • Give it a name (e.g., Reemo).

    • Choose Integrate any other application you don’t find in the gallery (Non-gallery).

    • Click Create.

  4. Open the application and go to Single sign-on > select SAML.

Figure: Choose SAML as the Single Sign-On method.

  5. In the Set up [app name] section:

    • Copy the Login URL and paste it into IdP Entry Point in Reemo.

Figure: Copy the Login URL into the IdP Entry Point field.

  6. In the SAML Certificates section:

    • Download the federationmetadata.xml file from the App Federation Metadata URL.

Figure: Download the federationmetadata.xml file.

  7. Retrieve the first X.509 certificate from the metadata file.

Figure: Extract the X.509 certificate from the metadata file.

  8. Paste it into the IdP Certificate field of the Reemo connector.

Figure: Paste the X.509 certificate into the Reemo connector.
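
An added example (not Reemo's or Microsoft's code) for the certificate steps above: it takes the first X509Certificate element from the metadata in document order, converts it to PEM, and computes fingerprints you can compare with the certificate thumbprint shown in Azure before pasting. The sample metadata and certificate bytes are constructed placeholders, and the function names are illustrative.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_CERT = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"

# Constructed placeholders, NOT real certificates: they stand in for two
# signing certificates listed in a federationmetadata.xml file.
FAKE_DER_1 = b"constructed placeholder, not a real certificate (1) " * 3
FAKE_DER_2 = b"constructed placeholder, not a real certificate (2) " * 3
KEY = ('<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
       "<X509Data><X509Certificate>\n  {}\n</X509Certificate></X509Data></KeyInfo></KeyDescriptor>")
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"'
    ' entityID="https://idp.example.invalid/">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + "".join(KEY.format(base64.b64encode(d).decode()) for d in (FAKE_DER_1, FAKE_DER_2))
    + "</IDPSSODescriptor></EntityDescriptor>"
).encode()

def first_certificate(metadata: bytes) -> bytes:
    """Return the decoded bytes of the first X509Certificate in document order."""
    # SAML metadata has no reason to carry a DTD; refuse it instead of parsing it.
    if b"<!DOCTYPE" in metadata:
        raise ValueError("unexpected DOCTYPE in SAML metadata")
    node = next(ET.fromstring(metadata).iter(DS_CERT), None)
    if node is None or not (node.text or "").strip():
        raise ValueError("no X509Certificate element found")
    # Drop line breaks and indentation, then decode strictly.
    return base64.b64decode("".join(node.text.split()), validate=True)

def to_pem(der: bytes) -> str:
    """Wrap certificate bytes as PEM with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprints(der: bytes) -> dict:
    """Hex fingerprints; SHA-1 is included only because thumbprints are often shown as SHA-1."""
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}

if __name__ == "__main__":
    # For real use, read the downloaded file instead of SAMPLE_METADATA.
    der = first_certificate(SAMPLE_METADATA)
    print(to_pem(der), fingerprints(der), sep="\n")
```
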

Configure Attributes (Attribute Statements)

Map the attributes so that Reemo receives the correct information from Azure:

  • Username: name

  • Email: emailaddress

  • Full Name: displayname

Configure the Identifier and Reply URL

To finish the configuration, Azure requires setting up the Identifier and Reply URL (Assertion Consumer Service URL):

  1. In the Basic SAML Configuration section, click Edit.

Figure: Click Edit to modify the Basic SAML configuration.

  2. Add an Identifier: use the value defined in Reemo (reemo).

  3. Add a Reply URL: use the Callback URL generated by the connector in Reemo.

Figure: Add an Identifier and a Reply URL with the values from Reemo.

  4. Click Save, then use the Test button to verify the configuration.

Note

The connector’s Callback URL is visible in the connector list, under the Configuration column.

Provision Users

There are two approaches to grant SSO access to users.

Approach A: Explicit provisioning from the organization
Use the Provision SAML User button to add users by entering their email.
Figure: Provision SAML users directly in the organization.

Figure: Add users by email through the provisioning popup.

Approach B: Provisioning via SCIM (automatic)
You can automate user account creation with SCIM:
  1. In the Azure portal, open the Reemo application.

  2. Go to Provisioning > Get Started.

  3. Set Provisioning Mode to Automatic.

  4. Fill in:
    • Tenant URL: SCIM API value provided by Reemo (in the connector list).

    • Secret Token: SCIM Token value provided by Reemo.

  5. Click Test Connection, then Save.

Figure: Automate user provisioning with SCIM.

You should now be able to provision users from Azure AD using the Azure provisioning interface.

Sign in via SAML

Once the connector is active and users are provisioned (or JIT enabled), they can sign in:

  • General portal access (Private Cloud / On-Prem):

    https://[portal_url]/
    
  • Direct access to the organization (Public Cloud):

    https://[portal_url]/login/[organization_shortname]
    
Figure: SSO authentication screen.

Select SAML and click Next to be redirected to Azure AD.