
Use SAML For IDP Initiated SSO From Your Microsoft Entra Apps to Abacus.AI

This document outlines the setup process for integrating SAML-based Single Sign-On (SSO) with Abacus.AI using Microsoft Entra ID (formerly Azure AD). It also includes best practices, security requirements, and answers to commonly asked enterprise questions.

Overview

SAML-based SSO allows organizations to securely authenticate users into Abacus.AI using their existing identity provider. This document focuses on setting up SAML integration with Microsoft Entra ID.

Important Notes:

  • SAML authentication is only available for ChatLLM.
  • We support both SP-initiated and IDP-initiated SAML authentication.
  • The "Sign in with Microsoft" button will automatically use SAML if your workspace has SAML configured, otherwise it will use OAuth.

If you do not wish to use SAML-based SSO for Microsoft Entra ID, please see the instructions here.


Microsoft Entra SAML Setup Steps

Creating a New Application in Microsoft Entra

  1. Log in to the Microsoft Entra Admin Center.
  2. Navigate to Enterprise Applications → Click + New application.
  3. Choose Create your own application, give it a name (e.g., Abacus.AI), and select "Integrate any other application you don’t find in the gallery (Non-gallery)."
[Images: Entra SAML Create app; Entra SAML Create app integrate]
  4. Click Create.

SAML Configuration

  1. Under the new application, go to Single Sign-On → Select SAML.
[Image: Entra Select SAML]
  2. Confirm the Abacus.AI organization you want to sign into:
    • We’ll need the subdomain of the org, and it’ll be difficult to change it once this is set up and running in production.

  3. Set the following configuration:
    • Identifier (Entity ID): https://<subdomain>.abacus.ai
    • Reply URL (ACS URL): https://abacus.ai/api/samlSignIn
    • [Optional] Relay State: by default we land users on https://<subdomain>.abacus.ai
      • If your use cases are non-chat, you may want to set this to https://abacus.ai/app/projects, which lands on the projects list page.
      • Be careful: once you set a URI under https://abacus.ai/, we by default treat new users as platform users, who can have access to projects and data.
      • We assume you will gate who can be added as a platform user, since platform users have more permissions.
    • Unique User Identifier and emailaddress: Set to user.userprincipalname. We use the email address to uniquely identify users, and userprincipalname is more consistent.
[Image: Entra SAML Basic Setting]

Note: Use the existing default values for all attributes. Do not modify any of them.

[Image: Entra SAML Attributes Setting]
  4. [Optional] Create other desired attributes or claims, such as a groups claim:
    • Use descriptive and unique group names (e.g., include words/characters that identify the group as belonging to your organization).

  5. Share the following information with Abacus.AI at connectors@abacus.ai to complete the setup:
    • Identifier (Entity ID) of your Abacus.AI organization.
    • Microsoft Entra Identifier (Issuer).
    • Raw SAML certificate or the Federation Metadata XML.
[Image: Entra SAML Cert Issuer]

Testing the Integration

  1. Use the Test single sign-on feature in Microsoft Entra to verify the configuration.
  2. Alternatively, add the application to the My Apps list and click it to sign in.

Assigning Roles to Users and Groups

Create the following custom roles in Entra ID. (You should have a P1 or P2 licence to create custom roles).

  1. abacusai_admin: For admin users.
  2. abacusai_platform_user: For developers.
  3. abacusai_chat_user: For users who only need to use the bots (no edit/change permissions).

After these roles are created, the next step is to assign them to the users or groups. Users who are assigned roles should be able to see apps in My Apps.

Note: Users are created in Abacus.AI, and their roles are updated in the Abacus.AI dashboard, when they first try to log in to Abacus.AI.

To enable role and group management via SAML—rather than using our built-in groups and roles management—please contact us or email us at connectors@abacus.ai.


Security & Access Control

  • Signed Responses: Signed SAML responses are required. Unsigned responses will be rejected.
  • Session Expiration: Sessions expire after 24 hours of inactivity.
  • Re-authentication: Re-authentication is required after logout.
  • JIT Provisioning: New users are auto-created in Abacus.AI on first login based on SAML assertion attributes.

Common Errors

  1. Invalid Audience URI (Entity ID mismatch):
  • Error: "Audience URI is invalid" or "Invalid recipient."
  • Cause: The audience or Entity ID in your IdP is incorrect.
  • Fix: Match exactly with https://<subdomain>.abacus.ai. Watch for typos or slashes.
  2. Missing or Mismatched Attributes:
  • Error: "Invalid login" or user isn’t created via JIT provisioning.
  • Cause: Required attributes like email, firstName, or lastName are missing.
  • Fix: Ensure these are mapped and correctly named in IdP settings.
  3. Invalid or Expired X.509 Certificate:
  • Error: "Signature validation failed" or "Untrusted certificate."
  • Cause: Expired or mismatched certificate.
  • Fix: Renew the certificate and share the updated one with support.
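As an added illustration (not Abacus.AI's code) of the checks behind the errors listed above and the values set in the SAML Configuration section, the Python below validates a constructed Entra-style SAML response against the Entity ID, ACS URL, issuer and certificate an SP would be configured with. The issuer and certificate values are placeholders, the claim names are the Entra defaults, and signature verification is simplified to comparing the embedded certificate with the trusted one (a real SP verifies the XML signature cryptographically).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # Entra default claim prefix
REQUIRED = ("emailaddress", "givenname", "surname")  # email / firstName / lastName for JIT
ACS_URL = "https://abacus.ai/api/samlSignIn"

def validate_response(xml_text, audience, issuer, trusted_cert):
    """Return (errors, user); errors is empty only when every check passes."""
    root, errors = ET.fromstring(xml_text), []
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["No Assertion in response"], None
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        errors.append("Issuer mismatch")
    sig = root.find(".//ds:Signature", NS)  # may sit on the Response or on the Assertion
    if sig is None:  # signed responses are required, so unsigned ones are rejected outright
        errors.append("Unsigned response rejected")
    elif (sig.findtext(".//ds:X509Certificate", namespaces=NS) or "").strip() != trusted_cert:
        errors.append("Signature validation failed: untrusted certificate")
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != audience:  # exact string match: a typo or a trailing slash fails here
        errors.append("Audience URI is invalid: %r" % aud)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        errors.append("Invalid recipient")
    attrs = {x.get("Name", "").replace(CLAIMS, ""): x.findtext("saml:AttributeValue", namespaces=NS)
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    errors += ["Missing attribute: " + r for r in REQUIRED if not attrs.get(r)]
    user = dict(name_id=a.findtext("saml:Subject/saml:NameID", namespaces=NS), **attrs)
    return errors, (None if errors else user)

# Constructed sample response with placeholders (no real tenant, user or certificate).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml:Issuer>ISSUER-PLACEHOLDER</saml:Issuer><ds:Signature><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml:Assertion><saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="https://abacus.ai/api/samlSignIn"/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>https://acme.abacus.ai</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running `validate_response(SAMPLE, "https://acme.abacus.ai/", ...)` with the trailing slash reproduces the "Audience URI is invalid" case from the list above.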

Troubleshooting and FAQ for the Microsoft Entra SAML connector

Debugging Tip:

  • Use browser extensions like SAML-tracer to inspect assertions, detect missing attributes, or identify signature issues.

Can we restrict login to specific email domains?

  • Yes, we currently restrict it to your registered org’s domain in the Abacus.AI platform.

What is the landing page for users?

  • By default, the landing page is https://<subdomain>.abacus.ai. If you need a different page, please contact us at support@abacus.ai.

How do I find my subdomain?

  • It’s in the URL to access the chat app interface for your organization. If you're unsure, please contact support.

Can I test before going live?

  • Yes. We recommend testing with a few users before rolling out org-wide.

What if my certificate expires?

  • Update the certificate in your IdP (Microsoft Entra) and send the new X.509 cert to us at connectors@abacus.ai.

How can I disable or remove the integration?

  • Remove the SAML application from your IdP or disconnect from your Abacus.AI organization settings. Reach out to support if you need assistance.

Where can I access user login logs?

  • Admins can access authentication logs from your identity provider's dashboard (e.g., Microsoft Entra) to review user sign-ins, failures, and SAML assertions. For any issues traced back to Abacus.AI, please contact our support team.