Configure SSO with Entra ID

3rd party identity provider applications
This use case example is provided for your benefit, but we don't take responsibility for the screenshots, content, and functionality of these 3rd party applications.

Prerequisites

  • Must have an Azure Enterprise account.
  • Microsoft Entra ID must be configured.
  • Must have the necessary permissions to create the application.

Step 1 - Create the application in Microsoft Azure

  1. In Microsoft Azure, go to Enterprise Applications > New application.
  2. Click Create your own application.
  3. Enter a name for the application, select Integrate any other application you don't find in the gallery, and click Create.
  4. Click Get started under 2. Set up single sign on.
  5. Select SAML as the single sign-on method.

Step 2 - Import data from ControlUp into Entra ID

  1. In the ControlUp SAML settings page, click the Export icon and save the metadata file.
  2. In Entra ID, click Upload metadata file.
  3. Select the file you exported from ControlUp and click Add.
  4. The Identifier and Reply URL fields are automatically filled out. Click Save.

Note for single logout (SLO)

If you want to use SLO, you must manually fill out an additional field in Entra ID. Copy the IdP Logout URL from the ControlUp SAML settings page and paste it into the Logout Url field in Entra ID.

Step 3 - Import data from Entra ID into ControlUp

  1. In Entra ID, download the Federation Metadata XML file.
  2. In the ControlUp SAML settings page, click the Import icon and select the file you downloaded from Entra ID in the previous step.

Step 4 - Configure user attributes in Entra ID

The required user attributes depend on how you use ControlUp and which SAML features you want to use. Read through this section and configure all user attributes that apply to your situation. Note that it is possible that none of the following sections apply to you and the default user attributes in Entra ID contain all the required information. 

IdP-initiated SSO

Follow these steps if you want to use IdP-initiated SSO:

  1. Click Edit in the Attributes & Claims section.
  2. Click Add new claim.
  3. Enter "orgurl" in the Name field and enter the name of your organization in the Source attribute field. For example, if you access ControlUp from app.controlup.com/acmeorg, enter acmeorg for the source attribute.
  4. Click Save.


Assign user roles based on Entra ID group membership

Follow these steps if you want to assign ControlUp user roles based on Entra ID group membership. Note that this feature requires additional configuration in your ControlUp SAML settings page. Read Microsoft's documentation to learn more about adding group claims.

  1. Click Edit in the Attributes & Claims section.
  2. Click Add a group claim.
  3. Select the groups to add to the claim and click Save. Note that if you have more than 150 groups in Entra ID, then you might have to manually add the relevant groups to the ControlUp enterprise application in Entra ID and select Groups assigned to the application when configuring the group claim.

ControlUp for VDI & DaaS

The attributes in this section are necessary only if you use ControlUp for VDI & DaaS and either of the following is true:

  • You use Real-Time DX version 9.0 or higher AND use LDAP to authorize to the VDI App in the web interface. To learn more about web interface authorization methods, see here.
  • You use a Real-Time DX version lower than 9.0.

If either of the above bullet points applies to you, perform the following steps:

  1. Click Edit in the Attributes & Claims section.
  2. Click Add new claim.
  3. Enter sAMAccountName in the Name field and select user.onpremisessamaccountname in the Source attribute field. Click Save.
  4. Click Add new claim to add a second attribute.
  5. Enter distinguishedName in the Name field and select user.onpremisesdistinguishedname in the Source attribute field. Click Save.
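
To confirm that the claims configured in Step 4 actually arrive in the SAML assertion, you can inspect a decoded assertion from a test sign-in. The following is an added example, not ControlUp's or Microsoft's code: the feature keys, function names and sample assertion are constructed for illustration, and the two group claim URIs are the names Entra ID uses for the group claim and its overage link.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Emitted instead of the groups claim when the user exceeds the SAML group limit.
GROUPS_OVERAGE = "http://schemas.microsoft.com/claims/groups.link"

# Claim names from Step 4, keyed by the feature that needs them (keys are hypothetical).
REQUIRED = {
    "idp_initiated_sso": ["orgurl"],
    "role_from_groups": [GROUPS],
    "vdi_daas_ldap": ["sAMAccountName", "distinguishedName"],
}

def read_claims(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        claims[attr.get("Name")] = [(v.text or "").strip() for v in values]
    return claims

def check_claims(assertion_xml, features):
    """List claims that are missing, empty, or replaced by the overage link."""
    claims = read_claims(assertion_xml)
    problems = []
    for feature in features:
        for name in REQUIRED[feature]:
            if name == GROUPS and GROUPS_OVERAGE in claims:
                problems.append(f"{feature}: groups claim replaced by overage link")
            elif not any(claims.get(name, [])):
                # Cloud-only accounts have no on-premises attributes to send.
                problems.append(f"{feature}: claim '{name}' missing or empty")
    return problems

# Constructed sample assertion (not captured from a real tenant).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="orgurl"><saml:AttributeValue>acmeorg</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="distinguishedName"><saml:AttributeValue/></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.example.invalid/placeholder</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in check_claims(SAMPLE, list(REQUIRED)):
        print(problem)
```

The script only reads attributes and does not verify the assertion signature, so use it on assertions captured from your own test sign-in. An overage result points to the Groups assigned to the application option described above.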


Step 5 - Set default role and save changes

In the ControlUp SAML settings page, set the Default user role for DEX user accounts that are automatically provisioned when a new user signs in with SAML for the first time. Click Apply to save your SAML settings.

If you want to set ControlUp user roles based on Entra ID group membership, make sure you go to the SSO Groups settings and follow the steps in Assign User Roles with SSO Groups.

Manual configuration (not required)

The steps above show you how to set up SAML by importing and exporting XML metadata files between ControlUp and Entra ID. If you want to configure SAML manually, you can use these screenshots for reference. Note that this is not required if you followed the steps above.

[Screenshots: Manual configuration flow; Click Upload Certificate button; Entity/Issuer ID link]