# SSO with Microsoft Entra ID

### Overview

[Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id), formerly **Azure Active Directory (Azure AD)**, is a cloud-based identity and access management service. It allows organizations to manage users and groups, facilitating secure access to internal and external resources. Microsoft Entra ID supports SAML 2.0.

This guide outlines the steps to configure SSO using **Microsoft Entra ID**.

{% hint style="info" %}
You must be an **Account Owner** or **Administrator** on ComplyCube and have **administrative permission** on Entra ID to set up SSO.
{% endhint %}

{% hint style="info" %}
**ComplyCube** does not send an email confirmation when the SSO setup is complete.
{% endhint %}

### Setup steps

{% stepper %}
{% step %}

#### Create an Azure account

The first step is to [create an account](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) with Microsoft Azure. When this guide was written, Microsoft Entra ID offered a **free trial account** to assist with the initial setup.

You can follow their instructions to register an account.
{% endstep %}

{% step %}

#### Register an application

1. Once your account is set up, you can go to the [Azure portal](https://portal.azure.com/) and log in with your account.
2. Search for "Microsoft Entra ID" on the top navigation panel, and select the service.
3. Go to **Enterprise applications -> New application**.
4. Select **Create your own application**, name your application "ComplyCube", select the **Non-gallery** option, and click **Create**.

<figure><img src="https://content.gitbook.com/content/sw26JqCBnT6AEIbxAYyk/blobs/sJZmAKBvdloPisQjYYLO/ad-create-application.png" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Configure SAML-Based SSO

Select your newly created application under **Enterprise applications**.

Then, under **Manage**, in the application's left navigation menu, select **Single sign-on** and choose **SAML** as the method.

Now, set up the **Basic SAML Configuration** using values from your ComplyCube [SSO settings page](https://portal.complycube.com/settings/sso):

* **Identifier (Entity ID)**: An identifier for the application. Use the value of **Audience** from ComplyCube.
* **Reply URL (Assertion Consumer Service URL)**: The location where Microsoft Entra ID sends SAML responses. Use the **ACS Consumer URL** from ComplyCube.
* **Sign-on URL**: URL where users will sign in. Use the **ACS Consumer URL** from ComplyCube.

<figure><img src="https://content.gitbook.com/content/sw26JqCBnT6AEIbxAYyk/blobs/QBSqnijUKsvqrTftNiiW/ad-saml-config-complete.jpg" alt=""><figcaption></figcaption></figure>

The next step is to configure your **Attributes & Claims** settings. As shown in the image below, ensure that the **Attribute Statements** '***firstName***', '***lastName***', and '***email***' are mapped in Microsoft Entra ID. They are used to update the user profile details in ComplyCube on every login.

<figure><img src="https://content.gitbook.com/content/sw26JqCBnT6AEIbxAYyk/blobs/4egjoSxRZr8LB70J5M1O/ad-saml-claim.png" alt="" width="563"><figcaption></figcaption></figure>

Click **Edit** on **SAML Certificate** and download the **Certificate (Base64)**.

<figure><img src="https://content.gitbook.com/content/sw26JqCBnT6AEIbxAYyk/blobs/pGPxsutgdEVZmItLXwgw/ad-saml-cert.png" alt="" width="563"><figcaption></figcaption></figure>

**Edit** the **Token signing certificate** and ensure the **Signing Option** is "*Sign SAML Response and assertion*".

<figure><img src="https://content.gitbook.com/content/sw26JqCBnT6AEIbxAYyk/blobs/1RE3XeMwlhPcMBWkEF8s/ad-saml-sign.png" alt="" width="563"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Update SSO settings in ComplyCube

Now you can go to your ComplyCube [SSO settings page](https://portal.complycube.com/settings/sso), update the **Sign-In URL**, and upload your **Signing Certificate** (i.e., X.509 certificate).

You can find the **Sign-In URL** in the **Single Sign-On** section of your **Application** in Microsoft Entra ID.

<figure><img src="https://content.gitbook.com/content/sw26JqCBnT6AEIbxAYyk/blobs/0UnRRENu6illzmu6Hfyi/ad-complycube-settings.png" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### User and Group Assignments

Once the application is added and SSO is set up, the next step is to assign Microsoft Entra ID **users** or **groups** to the application. We recommend that assignments be made at a group level.

Under **Users and Groups**, select **Add user/group** to add the users or groups that should have access to this application in Microsoft Entra ID.

Once the assignment is complete, you can log in to the ComplyCube Web Portal using SSO through Microsoft Entra ID.
{% endstep %}
{% endstepper %}
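
To confirm the settings above after a test login, the following added example (not ComplyCube's or Microsoft's own code) checks a captured, Base64-decoded SAML response for the expected Audience, Reply URL, the three attribute names, and signature elements on both the response and the assertion. The sample XML, its URLs, and the function name are constructed placeholders; the script checks structure only and does not verify the signatures cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_ATTRS = {"firstName", "lastName", "email"}  # names from this guide

def check_saml_response(xml_text, audience, acs_url):
    """Return a list of configuration problems (empty list means none found)."""
    root = ET.fromstring(xml_text)
    problems = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion in response"]
    # Signing option "Sign SAML response and assertion" means two signatures.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    # Identifier (Entity ID) must equal ComplyCube's Audience value.
    audiences = {a.text or "" for a in assertion.iterfind(".//saml:Audience", NS)}
    if audience not in audiences:
        problems.append(f"Audience mismatch: {sorted(audiences)}")
    # Reply URL must equal ComplyCube's ACS Consumer URL.
    if root.get("Destination") != acs_url:
        problems.append(f"Destination mismatch: {root.get('Destination')}")
    names = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRS - names):
        problems.append(f"missing attribute: {missing}")
    return problems

# Constructed sample: placeholder URLs and empty signature elements.
AUD = "https://sp.example.test/audience"
ACS = "https://sp.example.test/acs"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="{ACS}"><ds:Signature/>
  <saml:Assertion><ds:Signature/>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{AUD}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"/><saml:Attribute Name="lastName"/>
      <saml:Attribute Name="email"/>
    </saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE, AUD, ACS) or "no problems found")
```

Pass the **Audience** and **ACS Consumer URL** values from your ComplyCube SSO settings page as the second and third arguments when checking a real response.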
