Skip to content
  • There are no suggestions because the search field is empty.

SSO Configuration Steps: Microsoft Entra ID (Azure Active Directory)

Use this guide to configure SAML SSO between Microsoft Entra ID (formerly Azure AD) and K1x.

What you’ll need from K1x

Before you begin, you need the K1x SAML service provider (SP) values:

  • Identifier (Entity ID)

  • Reply URL (ACS URL)

If you don’t have these values, contact your K1x technical contact/support and request K1x SAML SP metadata.

K1x SAML requirements (important)

K1x requires the following in the SAML assertion:

  • NameID: must match the user’s email address

  • Required claims:

    • Email

    • First Name

    • Last Name

Step 1: Create the Enterprise Application in Entra

  1. In the Microsoft Entra admin center, go to Enterprise applications.

  2. Select New application.

  3. Choose Create your own application.

  4. Name the app (example: K1x SSO).

  5. Select Integrate any other application you don't find in the gallery (Non-gallery).

  6. Click Create.

Step 2: Enable SAML SSO

  1. In your new application, go to Single sign-on.

  2. Choose SAML.

Step 3: Configure Basic SAML settings

  1. In Basic SAML Configuration, click Edit.

  2. Set:

    • Identifier (Entity ID) = (from K1x)

    • Reply URL (Assertion Consumer Service URL) = (from K1x)

  3. Click Save.

Step 4: Configure Attributes & Claims (NameID + required claims)

  1. On the SAML configuration page, go to Attributes & Claims and click Edit.

  2. Set NameID to email

  3. Set Unique User Identifier (Name ID) to an email source:

    • Source attribute: user.mail 

    • If user.mail is not populated in your tenant, use: user.userprincipalname

Ensure these required claims are present

Make sure the SAML token includes these attributes (names may vary, but the values must map correctly):

Claim K1x needs Recommended Entra source attribute
Email user.mail (fallback: user.userprincipalname)
First Name user.givenname
Last Name user.surname

Click Save when finished.

Step 5: Download the signing certificate and IdP Federation Metadata XML

  1. On the SAML page, locate SAML Signing Certificate and the Federation Metadata file.

  2. Download Certificate (Base64).

  3. Download the Federation Metadata XML (sometimes labeled Federation Metadata XML or available via a metadata URL).

Step 6: Collect Entra SSO details to send to K1x

Send the following to your K1x technical contact/support:

  • Login URL

  • Microsoft Entra Identifier (formerly “Azure AD Identifier”)

  • Certificate (Base64) (downloaded above)

  • Federation Metadata XML file (attached)

  • (Optional but helpful) The metadata URL, if your tenant provides one

Tip: These values are found on the same SAML configuration page in Entra.

Step 7: Assign users/groups in Entra (required for testing)

If you’re using assignment-based access (common default):

  1. Go to Enterprise applications → your K1x app.

  2. Select Users and groups.

  3. Add the users/groups who should be able to sign in.

Test SSO

After K1x confirms the configuration is complete, test with a user who:

  • Is assigned to the app in Entra

  • Has mail or userprincipalname populated

  • Has givenname and surname populated

Troubleshooting

  • User gets an access/assignment error in Entra: Ensure the user/group is assigned to the Enterprise App.

  • User created but missing profile fields in K1x: Verify the SAML assertion includes First Name, Last Name, and Email claims.

  • Email claim/NameID is blank: Many tenants don’t populate user.mail. Use user.userprincipalname as the source for NameID and email claim.

  • Sign-in fails after “successful” configuration: Re-check that the Identifier (Entity ID) and Reply URL (ACS URL) match the K1x values exactly (no trailing slashes or typos).