
Microsoft Entra ID and SAML

This document covers step two of the Single sign-on (SSO) setup process, and shouldn't be completed independently.

  1. Log in to the Microsoft Azure portal, and click Microsoft Entra ID.

    Microsoft Entra ID

  2. At the top of the Overview page, click the Add menu, and select Enterprise application.

    Enterprise application

  3. At the top of Browse Microsoft Entra Gallery, click Create your own application.

    Create application

  4. Enter a name for the application, such as Matillion, and select the Integrate any other application you don't find in the gallery (Non-gallery) radio button.

    Radio button selection

  5. Expand the Manage section on the left, and click Single sign-on.

    Manage single sign-on

  6. Click the SAML tile to select SAML as the single sign-on method.

    SAML tile

  7. Click the Edit button on the Basic SAML Configuration card.

    Edit Basic SAML Configuration

  8. Enter the following, and click Save:

    • Identifier: urn:auth0:matillion:[domain]-saml, replacing [domain] with your primary email domain and converting any special characters to dashes. For instance, example.com would become urn:auth0:matillion:example-com-saml.
    • Reply URL: https://id.matillion.com/login/callback.
    • Sign on URL: https://app.matillion.com.

    Basic SAML Configuration settings

    Note

    The Relay State will be provided by Matillion later, and will be added here before testing. No other configuration should be changed at that stage.

  9. Click the Edit button on the User Attributes & Claims card.

    Attributes & Claims selection

  10. Under Claim name, click anywhere in the Unique User Identifier (Name ID) row, except the … menu, to edit it.

    Claim name

  11. Change the claim to something unique and immutable for each user, such as user.employeeid, and click Save.

    Manage claim

    Warning

    The default value, user.principalname, is typically an email address and shouldn't be used. The value selected here is used internally by the identity provider (as the sub claim) to uniquely identify users. It's never visible in either system, and regardless of this setting, users will always sign in using their email address.

    Leaving the default value in place can cause issues if a user's principal name later changes. In that case, Matillion would treat the user as a new account, resulting in the loss of the original user profile.

    Any value that is both unique to each user and guaranteed not to change can be used. Because each setup is different, Matillion cannot provide guidance on creating a unique claim in Entra ID. However, the exact value being sent can be verified during the testing phase, before the configuration is activated and affects user logins.

  12. At the top of Attributes & Claims, click Add new claim.

    Add new claim

  13. Set the Name of the claim to email_verified, type the word "true" in the Source attribute box, select true from the drop-down menu, and then click Save. This ensures that users aren't prompted to verify their email address with Matillion.

    Manage claim settings

  14. Click the browser back button twice to return to the Single sign-on page.

  15. Click Download on the Certificate (Base64) row of the SAML Certificates card, and save it somewhere you can refer to later.

    Download certificate

  16. Copy and make a note of the Login URL from the Set up [Application name] card.

    Copy Login URL

  17. Select Users and groups from the menu on the left, and at the top, click Add user/group.

    Add user/group

  18. Click None selected in the Users and groups section.

    Select users and groups

  19. Search for and add the users and groups that you want to allow to sign in to Matillion.

    Search and add users

  20. Continue the steps in Single sign-on (SSO) setup.
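As an added example (not Matillion's or Microsoft's code) to support the check recommended in step 11's warning, the script below derives the step 8 Identifier from a domain and inspects a decoded SAML assertion captured during the testing phase for the step 11 NameID and the step 13 email_verified claim. The assertion is a constructed sample with a placeholder tenant id, and XML signature validation is deliberately out of scope: this reviews claim values, it does not validate a response.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def entity_id_for_domain(domain: str) -> str:
    """Derive the step 8 Identifier: lower-case the primary email domain and
    turn every character that is not a letter or digit into a dash."""
    slug = re.sub(r"[^a-z0-9]", "-", domain.strip().lower())
    return f"urn:auth0:matillion:{slug}-saml"

def check_assertion(assertion_xml: str) -> dict:
    """Report the NameID (the value the IdP uses as `sub`) and the email_verified
    claim from a decoded assertion, listing anything contrary to steps 11 and 13."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    email_verified = None
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "email_verified":
            email_verified = attr.findtext("saml:AttributeValue", namespaces=SAML_NS)
    problems = []
    if not name_id:
        problems.append("NameID is empty")
    elif "@" in name_id:
        # A UPN/email-shaped NameID is the step 11 default and can change later.
        problems.append("NameID looks like a UPN or email address, not an immutable id")
    if email_verified != "true":
        problems.append("email_verified claim missing or not 'true'")
    return {"name_id": name_id, "email_verified": email_verified, "problems": problems}

# Constructed sample assertion (not captured from a real tenant; signature omitted).
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>E12345</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email_verified"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with the step 11 default left in place and the step 13 claim missing.
BAD_ASSERTION = GOOD_ASSERTION.replace("E12345", "jane.doe@example.com").replace(
    "email_verified", "some_other_claim")

if __name__ == "__main__":
    print(entity_id_for_domain("example.com"))
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(xml))
```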
