Skip to main content
All CollectionsConfiguring your settingsSingle sign-on
Setting up single sign-on with Microsoft Entra ID (SAML)
Setting up single sign-on with Microsoft Entra ID (SAML)
Samantha Szadovszky avatar
Written by Samantha Szadovszky
Updated over 11 months ago

This guide is intended for IT technicians requiring further assistance with the initial set up in Microsoft Entra ID (SAML). If you require a Microsoft Entra ID set up, please refer to this guide.

You can refer to the in-platform instructions for setting up single sign-on using SAML in Plexus. This guide will specifically focus on the steps to follow whilst you are logged into Microsoft Entra ID as an administrator.


Creating an application


Log into the Microsoft Entra Admin Centre as at least a Cloud Application Administrator and integrate Plexus as a “Non-gallery” application. Please consult Microsoft’s Entra ID application management documentation for guidance on this step.


Configure your SAML settings


While logged in to your organisation’s Microsoft Entra Admin Centre as at least a Cloud Application Administrator, enable single sign-on for the Plexus application you created in the previous step and select SAML as your SSO method. Please consult Microsoft’s Entra ID Enable single sign-on for an enterprise application documentation for guidance on this step.


Edit Basic SAML configuration


Follow the instructions in this guide to Copy the following fields from the Plexus Single sign-on tab, into the Microsoft Entra ID Basic SAML Configuration section. The relevant fields to copy from Plexus are:

  • Single sign-on URL → Reply URL (Assertion Consumer Service URL)

  • Audience URI (SP Entity ID) → Identifier (Entity ID)

As in the previous step, please consult Microsoft’s Entra ID Enable single sign-on for an enterprise application documentation for guidance on this step.

Leave all the other optional fields blank, then click Save.


Mapping the attributes


On the same SAML page, review the settings under Attributes & Claims.

You'll then need to map the app attributes available in Plexus to the Source attributes on this page. These Names are provided in Plexus, and the Source attributes are the Microsoft attributes to match with, as follows:

  • The Name first_name field will map to the Source attribute user.givenname

  • The Name last_name field will map to the Source Attribute user.surname

  • The Name email field will map to the Source Attribute user.mail

  • The Name name field will map to the Transformation field, Join (user.givenname, “ “, user.surname)


Click to Save your changes. For additional guidance on this step, please consult Microsoft’s Entra ID Customize SAML token claims documentation.


Finalising the configuration


Follow these instructions for filling out the below fields from your Microsoft Entra ID SAML page into the Plexus SAML configuration page to finalise your set up:

  1. On the Microsoft Entra ID SAML page, copy the value from the Login URL field, and paste to the Identity provider single sign-on URL field in the Plexus Single sign-on configuration page.

  2. On the Microsoft Entra ID SAML page, Click on Download Certificate (Base64) to generate your signing certificate as a .cer file. Upload this file into the allocated area to Upload certificate in the Plexus SAML configuration page as highlighted in this guide.

Click Save to finalise your changes.


Enforcing a user's location and permissions


Plexus currently offers user authentication, providing users access to Plexus using their single sign-on credentials. The ability to enforce a user's unit (their location) and role (their permissions) is managed in Plexus and is not facilitated by single sign-on.

Once single sign-on is configured, users can sign straight into the platform and will be given access to the default unit with the default role. This will allow your users to access the platform and use the apps straight away.

The designated platform admins will receive an email notification to assign the new users to their correct units and provision the correct roles. Any documents uploaded during this time will move with the user to their correct unit.

Need further assistance? Reach out to [email protected] for further guidance.

Did this answer your question?