Use SAML For IdP-Initiated SSO From Your Microsoft Entra Apps to Abacus.AI

This document outlines the setup process for integrating SAML-based Single Sign-On (SSO) with Abacus.AI using Microsoft Entra ID (formerly Azure AD). It also includes best practices, security requirements, and answers to commonly asked enterprise questions.

Overview

SAML-based SSO allows organizations to securely authenticate users into Abacus.AI using their existing identity provider. This document focuses on setting up SAML integration with Microsoft Entra ID.

Important Notes:
- Currently, we only support IdP-initiated SAML. This means you will log in from Microsoft Entra (formerly Azure AD).
- Clicking the "Sign in with Microsoft" button triggers OAuth-based SSO instead of SAML.

If you do not wish to use SAML-based SSO for Microsoft Entra ID, please see the instructions here.


Microsoft Entra SAML Setup Steps

Creating a New Application in Microsoft Entra

  1. Log in to the Microsoft Entra Admin Center.
  2. Navigate to Enterprise Applications → Click + New application.
  3. Choose Create your own application, give it a name (e.g., Abacus.AI), and select "Integrate any other application you don’t find in the gallery (Non-gallery)."

Entra SAML Create app

Entra SAML Create app integrate

  4. Click Create.

SAML Configuration

At the moment we only support IdP-initiated (Entra-initiated) login.

  1. Under the new application, go to Single Sign-On → Select SAML.

Entra Select SAML

  2. Confirm the Abacus.AI organization you want to sign into:

    • We’ll need the subdomain of the org, and it’ll be difficult to change it once this is set up and running in production.

  3. Set the following configuration:

    • Identifier (Entity ID): https://<subdomain>.abacus.ai
    • Reply URL (ACS URL): https://abacus.ai/api/samlSignIn
    • [Optional] Relay State: by default we land users on https://<subdomain>.abacus.ai
      • If your use cases are non-chat, you may want to set this as https://abacus.ai/app/projects, which lands on the projects list page.
      • Be careful: once you set a URI under https://abacus.ai/, we by default treat new users as platform users, who can have access to projects and data.
      • We assume you will gate on who can be added as platform users to have more permissions.
    • Unique User Identifier: Set to user.mail. We use email to uniquely identify users.

Entra SAML Basic Setting

  4. [Optional] Create other desired attributes or claims, such as a groups claim:

    • Use descriptive and unique group names (e.g., include words or characters that identify the group as belonging to your organization).

  5. Share the following information with Abacus.AI at connectors@abacus.ai to complete the setup:

    • Identifier (Entity ID) of your Abacus.AI organization.
    • Microsoft Entra Identifier (Issuer).
    • Raw SAML certificate or the Federation Metadata XML.

Entra SAML Cert Issuer

Testing the Integration

  1. Use the Test single sign-on feature in Microsoft Entra to verify the configuration.
  2. Alternatively, add the application to the My Apps list and click it to sign in.

Security & Access Control


Common Errors

  1. Invalid Audience URI (Entity ID mismatch):
    - Error: "Audience URI is invalid" or "Invalid recipient."
    - Cause: The audience or Entity ID in your IdP is incorrect.
    - Fix: Match exactly with https://<subdomain>.abacus.ai. Watch for typos or slashes.

  2. Missing or Mismatched Attributes:
    - Error: "Invalid login" or user isn’t created via JIT provisioning.
    - Cause: Required attributes like email, firstName, or lastName are missing.
    - Fix: Ensure these are mapped and correctly named in IdP settings.

  3. Invalid or Expired X.509 Certificate:
    - Error: "Signature validation failed" or "Untrusted certificate."
    - Cause: Expired or mismatched certificate.
    - Fix: Renew the certificate and share the updated one with support.
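As an added example (not Abacus.AI's or Microsoft's code), the following Python pre-flight check applies the configuration rules from the setup steps and the three common errors above to a SAML response captured with a tool such as SAML-tracer. The sample response, the `example-org` subdomain, the tenant id and the `email`/`firstName`/`lastName` attribute names are constructed assumptions; it checks assertion shape only and does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://abacus.ai/api/samlSignIn"          # Reply URL from the setup steps
REQUIRED_ATTRS = ("email", "firstName", "lastName")   # claims needed for JIT provisioning

# Constructed sample response (not a real capture). Tenant id, subdomain and signature are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://abacus.ai/api/samlSignIn">
 <saml:Assertion>
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://example-org.abacus.ai/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, expected_audience):
    """Return a list of findings keyed to the common errors above; an empty list means the shape is right."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != ACS_URL:                       # "Invalid recipient"
        findings.append(f"destination {root.get('Destination')!r} != ACS URL {ACS_URL!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:                       # "Audience URI is invalid"
        findings.append(f"audience {audiences} != Entity ID {expected_audience!r} (check slashes)")
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS)
    if "@" not in name_id:                                       # NameID must carry user.mail
        findings.append(f"NameID {name_id!r} is not an email address")
    present = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:                                  # "Invalid login" / no JIT user
        if name not in present:
            findings.append(f"missing attribute {name!r}")
    if root.find(".//ds:Signature", NS) is None:                 # unsigned assertion cannot validate
        findings.append("assertion is not signed")
    return findings

if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE, "https://example-org.abacus.ai"):
        print("FINDING:", finding)
```

Run against the sample it reports the trailing-slash audience mismatch and the missing `lastName` claim, the two mistakes the error list above describes.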


Troubleshooting and FAQ for the Microsoft Entra SAML connector

Debugging Tip:
- Use browser extensions like SAML-tracer to inspect assertions, detect missing attributes, or identify signature issues.

Can we restrict login to specific email domains?

What is the landing page for users?

How do I find my subdomain?

Can I test before going live?

What if my certificate expires?

How can I disable or remove the integration?

Where can I access user login logs?