Setting up Delegated Authentication with SAML on Microsoft Azure

~~Before setting up the installer, you have to configure Microsoft Entra ID.~~

Set up Microsoft Entra ID

~~With an account with enough rights, go to :~~ Enterprise Applications

~~Click on~~ New Application

~~Click on~~ Create your own application ~~on the top left corner~~

~~Choose a name for it, and select~~ Integrate any other application you don't find in the gallery

~~Click on "Create"~~

~~Select~~ Set up single sign on

~~Select~~ SAML

Edit on Basic SAML Configuration

In Identifier ~~, add the following URL :~~ https://<synapse fqdn>/_synapse/client/saml2/metadata.xml

~~Remove the default URL~~

In Reply URL ~~, add the following URL :~~ https://<synapse fqdn>/_synapse/client/saml2/authn_response

~~Click on~~ Save

ems-docs.element.io/link/691#bkmrk-saml-on-microsoft-az-1

~~Make a note of the~~ App Federation Metadata Url ~~under~~ SAML Certificates ~~as this will be required in a later step.~~

Edit on Attributes & Claims

~~Remove all defaults for additional claims~~

~~Click on~~ Add new claim ~~to add the following (suggested) claims (the UID will be used as the MXID):~~
- ~~Name:~~ uid ~~, Transformation :~~ ExtractMailPrefix ~~, Parameter 1 :~~ user.userprincipalname
- ~~Name:~~ email ~~, Source attribute :~~ user.mail
- ~~Name:~~ displayName ~~, Source attribute :~~ user.displayname

~~Click on~~ Save

~~In the application overview screen select~~ Users and Groups ~~and add groups and users which may have access to element~~

Configure the installer

~~Add a SAML provider in the 'Synapse' configuration after enabling~~ Delegated Auth ~~and set the following (suggested) fields in the installer:~~

Allow Unknown Attributes

~~Under~~ Attribute Map~~, select the~~ Identifier - URN:Oasis:Names:TC:SAML:2.0:Attrname Format:Basic

~~Under~~ Mapping ~~add the following (suggested) mappings:~~
- ~~From:~~ Primary Email ~~To:~~ email
- ~~From:~~ First Name ~~To:~~ firstname
- ~~From:~~ Last Name ~~To:~~ lastname

~~Under~~ Entity~~, enter a~~ description~~, the~~ Entity ID ~~(from Azure) and a~~ name.

~~Under~~ User Mapping Provider ~~select the following:~~
- MXID Mapping: Dotreplace
- MXID Source Attribute: uid

~~Under~~ Metadata URL~~, add the~~ App Federation Metadata URL ~~from Azure.~~

~~When clients connect, along with any existing authentication methods still enabled, they should now also have an option to~~ Continue with SAML:

Back to top