Skip to main content

✅ Setting up Delegated Authentication with SAML on Microsoft Azure

Before setting up the installer, you have to configure Microsoft Entra ID.


Set up Microsoft Entra ID


With an account with enough rights, go to : Enterprise Applications


  1. Click on New Application
  2. Click on Create your own application on the top left corner
  3. Choose a name for it, and select Integrate any other application you don't find in the gallery
  4. Click on "Create"
  5. Select Set up single sign on
  6. Select SAML
  7. Edit on Basic SAML Configuration
  8. In Identifier , add the following URL : https://synapse_fqdn/_synapse/client/saml2/metadata.xml
  9. Remove the default URL
  10. In Reply URL , add the following URL : https://synapse_fqdn/_synapse/client/saml2/authn_response
  11. Click on Save


  1. Make a note of the App Federation Metadata Url under SAML Certificates as this will be required in a later step.
  2. Edit on Attributes & Claims
  3. Remove all defaults for additional claims
  4. Click on Add new claim to add the following (suggested) claims (the UID will be used as the MXID):
    • Name: uid , Transformation : ExtractMailPrefix , Parameter 1 : user.userprincipalname
    • Name: email , Source attribute : user.mail
    • Name: displayName , Source attribute : user.displayname
  5. Click on Save


    1. In the application overview screen select Users and Groups and add groups and users which may have access to element


Configure the installer


Add a SAML provider in the 'Synapse' configuration after enabling Delegated Auth and set the following (suggested) fields in the installer:


  • Allow Unknown Attributes .
    Checked
  • Under Attribute Map, select the Identifier -.
    Select URN:Oasis:Names:TC:SAML:2.0:Attrname Format:Basic as the Identifier

    • Under Mapping add.
      Set the following (suggested) mappings:
      • From: Primary Email To: email
      • From: First Name To: firstname
      • From: Last Name To: lastname

  • Entity.
    • Under Entity,Description.
      enter
      • a
    • description, the Entity ID. (fromFrom Azure)
      • and
    • aName.
      name.

    • Under User Mapping Provider select.
      Set the following:
      • MXID Mapping: Dotreplace
      • MXID Source Attribute: uid
    • Under Metadata URL, add.
      Add the App Federation Metadata URL from Azure.

    When clients connect, along with any existing authentication methods still enabled, they should now also have an option to Continue with SAML:

    • Back to top