How to Create and Configure an SSO Application

Overview

This article will guide you through configuring Single Sign-On (SSO) between your Microsoft Azure Active Directory tenant and our platform. Once configured, your users will authenticate through your identity provider and access Neostella without a separate login.

We use SAML 2.0 for SSO. While this guide covers Microsoft Azure AD, the same configuration applies to other identity providers (Okta, OneLogin, PingOne, etc.); use your provider's own SAML documentation to find the equivalent screens.


Before You Begin

Before starting, please confirm that:

  • You have administrator access to your Microsoft Azure portal.
  • You have a Neostella contact available to receive the App Federation Metadata URL when you reach Step 5.

Step 1: Create a New SSO Application

If your organization is connecting to us for the first time, you’ll need to create a new Enterprise Application in Azure AD. Here’s how:

  1. Sign in to your Microsoft Azure portal.
  2. Click Manage and go to Enterprise Applications.
  3. Select + New application.
  4. Click + Create your own application.
  5. Enter a custom name for your application.
  6. Select Integrate any other application you don’t find in the gallery (Non-gallery).
  7. Click Create.

Once created, the application will appear under All Applications and you can proceed to Step 2.


Step 2: Configure the Application for SAML

Now that your application is created, follow these steps to complete the initial setup:

  1. Go to Home > Enterprise Applications.
  2. Locate the application in the list and click on it.
  3. Select Set up single sign-on.
  4. Select the SAML option.

This opens the SAML-based sign-on configuration page. Steps 3, 4, and 5 each correspond to a section within this page.


Step 3: Basic SAML Configuration

Now that you're on the SAML-based sign-on configuration page, you'll need the following values for the required fields.

Enter our values exactly as shown below; do not modify capitalization, spacing, or punctuation:

Field                                        Value
Identifier (Entity ID)                       urn:amazon:cognito:sp:us-east-1_RjpxBP8w7
Reply URL (Assertion Consumer Service URL)   https://us-east-1rjpxbp8w7.auth.us-east-1.amazoncognito.com/saml2/idpresponse

To continue, complete the following steps:

  1. Click the Edit button in the Basic SAML Configuration section.
  2. Add the identifier:
    1. Click Add Identifier.
    2. Enter the Identifier (Entity ID)
    3. Check the Default box.
  3. Add the Reply URL:
    1. Click Add Reply URL.
    2. Enter the Reply URL (Assertion Consumer Service URL).
    3. Check both the Index and Default boxes.
  4. Click Save.


Step 4: Configure Attributes & Claims

Required Claim — Unique User Identifier (Name ID)

This section defines the user identity data that your Azure AD will pass to us during authentication. Configure the following:

  1. In the Attributes & Claims section, click Edit.
  2. Click on the Unique User Identifier (Name ID) claim.
  3. Set Name identifier format to Unspecified.
  4. Set Source attribute to user.mail.
  5. Save the claim.

Additional Claims

The following claims must be present. These are typically set by default; verify they match the expected values below:

Claim Name                          Source Attribute
Unique User Identifier (Name ID)    user.mail
EmailAddress                        user.mail
GivenName                           user.givenname
Name                                user.userprincipalname
Surname                             user.surname


Step 5: Share SAML Certificates

SAML certificates establish the secure trust between your Azure AD tenant and the platform. The easiest method is to share the App Federation Metadata URL: it updates automatically when certificates rotate, so you won’t need to repeat this step at renewal.

  1. In the SAML Certificates section, locate the App Federation Metadata URL field.
  2. Copy the URL.
  3. Send the URL to your Neostella contact or email it to help@neostella.com.
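If you want to see what the App Federation Metadata URL actually exposes before sending it, the script below is an added example (not part of this guide, Neostella, or Microsoft tooling) that parses an IdP metadata document and summarizes the parts the platform relies on: the entity ID, the single sign-on endpoints, and the signing certificates that rotate over time. The sample metadata is hand-constructed, with a placeholder tenant GUID and a placeholder certificate body; the element layout follows the standard SAML 2.0 metadata schema, which is an assumption about what your tenant serves.

```python
"""Summarize a SAML IdP federation metadata document (added example, not the guide's code)."""
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}


def summarize_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints (by binding) and signing certificates from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not the IdP's")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            signing_certs.append((cert.text or "").strip())

    # Map the short binding name (HTTP-POST, HTTP-Redirect) to its Location URL.
    sso = {
        s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location", "")
        for s in idp.findall("md:SingleSignOnService", NS)
    }
    return {"entity_id": root.get("entityID"), "signing_certs": signing_certs, "sso": sso}


def problems(summary: dict) -> list[str]:
    """Return the reasons this metadata would not let the platform trust your tenant."""
    out = []
    if not summary["entity_id"]:
        out.append("entityID missing")
    if not summary["signing_certs"]:
        out.append("no signing certificate: the SP cannot verify assertions")
    for binding, location in summary["sso"].items():
        if urlparse(location).scheme != "https":
            out.append(f"{binding} endpoint is not https: {location}")
    if not ({"HTTP-POST", "HTTP-Redirect"} & set(summary["sso"])):
        out.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    return out


def fetch_and_summarize(url: str) -> dict:
    """Download a live metadata URL and summarize it (not used by the offline sample below)."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        return summarize_metadata(resp.read().decode("utf-8"))


# Constructed sample: all-zero tenant GUID and a placeholder certificate body, not real values.
TENANT = "00000000-0000-0000-0000-000000000000"
CERT_PLACEHOLDER = "MIIC...placeholder-base64-certificate...=="
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{CERT_PLACEHOLDER}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    summary = summarize_metadata(SAMPLE_METADATA)
    print(summary["entity_id"], summary["sso"], len(summary["signing_certs"]), "signing cert(s)")
    print(problems(summary) or "metadata looks usable")
```

Everything the script prints is public by design (the entity ID, endpoint URLs, and the public half of the signing key), which is why the URL is safe to hand over by email. The rotation benefit in the step above shows up here as a changing `X509Certificate` element: a relying party that re-reads the URL picks up the new certificate without anyone re-sending anything.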


Step 6: Notify Neostella

Once you’ve shared the metadata URL, let us know so we can complete the connection from our side. Include the following:

  • Your organization name and primary domain.
  • Confirmation that Steps 1–5 are complete.
  • The App Federation Metadata URL (if not already sent in Step 5).
  • Any specific user groups or access scope you want applied.

We’ll confirm once SSO is active and send you instructions for testing the login flow with your users.


Troubleshooting

If SSO is not working after configuration, verify the following:

  • The Entity ID and Reply URL in Azure AD match the values in this guide exactly (no trailing slashes, no case differences).
  • The Name ID is mapped to user.mail, not user.userprincipalname or another attribute.
  • All five required claims (Name ID, EmailAddress, GivenName, Name, Surname) are present and mapped correctly.
  • The App Federation Metadata URL was sent to us and we have confirmed the connection is configured on our end.
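The first three checks above can be run mechanically against a SAML Response captured from a failing login (a browser's SAML tracer or developer tools will show the base64 form). The script below is an added example, not code from this guide, Neostella, or AWS: it takes the decoded Response XML and reports every way it departs from the values in Steps 3 and 4. The sample Response it ships with is hand-constructed and unsigned (a real one also carries an XML Signature, which the platform verifies against your metadata certificate); the tenant GUID is an all-zero placeholder, and the claim names use the default Azure AD claim namespace, matched on their last path segment so the short names in this guide pass as well.

```python
"""Compare a SAML Response with the values this guide requires (added example, not the guide's code)."""
import re
import xml.etree.ElementTree as ET

# Values from Step 3.
EXPECTED_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_RjpxBP8w7"
EXPECTED_REPLY_URL = "https://us-east-1rjpxbp8w7.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
# "Unspecified" in the Azure AD claim editor is emitted as this format URI.
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Claims from Step 4, compared on the last path segment of the claim name, case-insensitively.
REQUIRED_CLAIMS = {"emailaddress", "givenname", "name", "surname"}

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # Azure AD default claim namespace


def check_response(xml_text: str) -> list[str]:
    """Return the mismatches against the guide; an empty list means the Response is as expected."""
    problems: list[str] = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no plain Assertion (an encrypted one is not handled here)"]

    # Reply URL: Destination and Recipient must match exactly (case and trailing slash included).
    destination = root.get("Destination")
    if destination != EXPECTED_REPLY_URL:
        problems.append(f"Destination {destination!r} does not equal the Reply URL")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != EXPECTED_REPLY_URL:
        problems.append(f"Recipient {recipient!r} does not equal the Reply URL")

    # Entity ID: the Audience must be the platform's SP identifier.
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_ENTITY_ID:
        problems.append(f"Audience {audience!r} does not equal the Entity ID")

    # Name ID: Unspecified format, and a value sourced from user.mail (so it must look like an email).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID is missing")
    else:
        if name_id.get("Format") != UNSPECIFIED_FORMAT:
            problems.append(f"NameID Format {name_id.get('Format')!r} is not Unspecified")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", (name_id.text or "").strip()):
            problems.append(f"NameID value {name_id.text!r} is not an email address; check it maps to user.mail")

    # Additional claims: every required attribute must be present.
    present = {
        attr.get("Name", "").rstrip("/").rsplit("/", 1)[-1].lower()
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    missing = sorted(REQUIRED_CLAIMS - present)
    if missing:
        problems.append("missing claims: " + ", ".join(missing))
    return problems


def _attribute(name: str, value: str) -> str:
    return (f'<saml:Attribute Name="{CLAIM_NS}{name}">'
            f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>")


# Constructed sample: minimal unsigned Response that satisfies every check; placeholder tenant GUID.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_OK = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{EXPECTED_REPLY_URL}">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{UNSPECIFIED_FORMAT}">jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED_REPLY_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      {_attribute('emailaddress', 'jane.doe@example.com')}
      {_attribute('givenname', 'Jane')}
      {_attribute('name', 'jane.doe@example.com')}
      {_attribute('surname', 'Doe')}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The same Response with two checklist mistakes: a trailing slash on the Reply URL, and Surname missing.
SAMPLE_BAD = (SAMPLE_OK
              .replace(f'Destination="{EXPECTED_REPLY_URL}"', f'Destination="{EXPECTED_REPLY_URL}/"')
              .replace(_attribute("surname", "Doe"), ""))

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_response(sample) or "matches the guide")
```

Run it with your own decoded Response in place of the sample, and fix the Azure AD side for each line it reports; an empty result means the remaining item on the checklist (our side of the connection) is the one to chase.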

If you’re still running into issues, send us a screenshot of your SAML configuration and a short description of what you’re seeing to: help@neostella.com