Use SAML For IDP Initated SSO From Your Microsoft Entra Apps to Abacus.AI

This document outlines the setup process for integrating SAML-based Single Sign-On (SSO) with Abacus.AI using Microsoft Entra ID (formerly Azure AD). It also includes best practices, security requirements, and answers to commonly asked enterprise questions.

• Overview
• Microsoft Entra SAML Setup Steps
• Security & Access Control
• Common Errors
• Troubleshooting and FAQ

Overview

SAML-based SSO allows organizations to securely authenticate users into Abacus.AI using their existing identity provider. This document focuses on setting up SAML integration with Microsoft Entra ID.

Important Notes:
- Currently, we only support IDP-initiated SAML. This means you will log in from Microsoft Entra (formerly Azure AD). - Clicking the "Sign in with Microsoft" button triggers OAuth-based SSO instead of SAML.

If you do not wish to use SAML-based SSO for Microsft Entra ID, please see the instructions here.

Microsoft Entra SAML Setup Steps

Creating a New Application in Microsoft Entra

1. Log in to the Microsoft Entra Admin Center.
2. Navigate to Enterprise Applications → Click + New application.
3. Choose Create your own application, give it a name (e.g., Abacus.AI), and select "Integrate any other application you don’t find in the gallery (Non-gallery)."

4. Click Create.

SAML Configuration

We only support IDP(entra) initiated login now.

1. Under the new application, go to Single Sign-On → Select SAML.

2. Confirm the Abacus.AI organization you want to sign into:

   • We’ll need the subdomain of the org, and it’ll be difficult to change it once this is set up and running in production.
     
     

3. Set the following configuration:

   • Identifier (Entity ID): https://<subdomain>.abacus.ai
   • Reply URL (ACS URL): https://abacus.ai/api/samlSignIn
   • [Optional] Relay State: by default we land users on https://<subdomain>.abacus.ai
     • If your use cases are non-chat, you may want to set this as https://abacus.ai/app/projects, which lands on the projects list page.
     • Be careful that once you set an URI under https://abacus.ai/, we by default treat new users as platform user, who can have access to the projects and data.
     • We assume you will gate on who can be added as platform users to have more permissions.
   • Unique User Identifier: Set to user.mail. We use email to uniquely identify users.

4. [Optional] Create other desired attributes or claims, such as a groups claim:

   • Use descriptive and unique group names (e.g., include words/characters to identify the group is for your organization).
     
     

5. Share the following information with Abacus.AI at connectors@abacus.ai to complete the setup:

   • Identifier (Entity ID) or your Abacus.AI organization.
   • Microsoft Entra Identifier (Issuer).
   • Raw SAML certificate or the Federation Metadata XML.

Testing the Integration

1. Use the Test single sign-on feature in Microsoft Entra to verify the configuration.
2. Alternatively, add the application to the My Apps list and click it to sign in.

Security & Access Control

• Signed Responses: Signed SAML responses are required. Unsigned responses will be rejected.
• Session Expiration: Sessions expire after 24 hours of inactivity.
• Re-authentication: Re-authentication is required after logout.
• JIT Provisioning: New users are auto-created in Abacus.AI on first login based on SAML assertion attributes.

Common Errors

1. Invalid Audience URI (Entity ID mismatch):
   - Error: "Audience URI is invalid" or "Invalid recipient."
   - Cause: The audience or Entity ID in your IdP is incorrect.
   - Fix: Match exactly with https://<subdomain>.abacus.ai. Watch for typos or slashes.

2. Missing or Mismatched Attributes:
   - Error: "Invalid login" or user isn’t created via JIT provisioning.
   - Cause: Required attributes like email, firstName, or lastName are missing.
   - Fix: Ensure these are mapped and correctly named in IdP settings.

3. Invalid or Expired x509 Certificate:
   - Error: "Signature validation failed" or "Untrusted certificate."
   - Cause: Expired or mismatched certificate.
   - Fix: Renew the certificate and share the updated one with support.

Troubleshooting and FAQ for the Microsoft Entra SAML connector

Debugging Tip:
- Use browser extensions like SAML-tracer to inspect assertions, detect missing attributes, or identify signature issues.

Can we restrict login to specific email domains?

• Yes, we currently restrict it to your registered org’s domain in the Abacus.AI platform

What is the landing page for users?

• By default, the landing page is https://<subdomain>.abacus.ai . If you need a different page, please contact us at support@abacus.ai.

How do I find my subdomain?

• It’s in the URL to access the chat app interface for your organization. If you're unsure, please contact support.

Can I test before going live?

• Yes. We recommend testing with a few users before rolling out org-wide. And please test from microsoft entra, not the "sign in with Microsoft" button from Abacus.AI.

What if my certificate expires?

• Update the certificate in your IdP (Microsoft Entra) and send the new x.509 cert to us at connectors@abacus.ai.

How can I disable or remove the integration?

• Remove the SAML application from your IdP or disconnect from your Abacus.AI organization settings. Reach out to support if you need assistance.

Where can I access user login logs?

• Admins can access authentication logs from your identity provider's dashboard (e.g., Microsoft Entra) to review user sign-ins, failures, and SAML assertions. For any issues traced back to Abacus.AI, please contact our support team.