Microsoft Entra ID
This guide walks through configuring Microsoft Entra ID (formerly Azure Active Directory) as a SAML 2.0 identity provider for EnergyCAP SSO.
Prerequisites
Before you begin, ensure you have:
- Global Administrator or Application Administrator role in your Entra ID tenant
- The EnergyCAP SAML settings from the SSO Overview:
  - SP SSO URL: https://sso.energycap.com/saml2/idpresponse
  - SP Entity ID: urn:amazon:cognito:sp:us-east-1_laRy9DXoY
- Contact your EnergyCAP project manager to confirm your organization’s SSO setup is ready
Step 1: Create an Enterprise Application
- Sign in to the Microsoft Entra admin center
- Navigate to Identity > Applications > Enterprise applications
- Click New application
- Click Create your own application
- Enter EnergyCAP as the application name
- Select Integrate any other application you don’t find in the gallery (Non-gallery)
- Click Create
Step 2: Configure SAML Single Sign-On
- In the EnergyCAP enterprise application, navigate to Single sign-on in the left sidebar
- Select SAML as the single sign-on method
Basic SAML Configuration
- Click Edit on the Basic SAML Configuration section
- Set the following values:
| Field | Value |
|---|---|
| Identifier (Entity ID) | urn:amazon:cognito:sp:us-east-1_laRy9DXoY |
| Reply URL (Assertion Consumer Service URL) | https://sso.energycap.com/saml2/idpresponse |
- Click Save
Step 3: Configure Claims
EnergyCAP requires four custom claims in the SAML assertion. By default, Entra sends claims that don’t match EnergyCAP’s expected format, so you need to add custom claims.
- Click Edit on the Attributes & Claims section
Remove default claims (optional)
- You can remove the default additional claims (emailaddress, givenname, name, surname) to keep the configuration clean; they will be replaced by the EnergyCAP-specific claims below
Add the EnergyCAP claims
- Click Add new claim and add each of the following four claims:
Claim 1 — Subject
| Field | Value |
|---|---|
| Name | subject |
| Namespace | https://my.energycap.com |
| Source | Attribute |
| Source attribute | user.userprincipalname |
Claim 2 — Email
| Field | Value |
|---|---|
| Name | email |
| Namespace | https://my.energycap.com |
| Source | Attribute |
| Source attribute | user.mail |
Claim 3 — First Name
| Field | Value |
|---|---|
| Name | firstName |
| Namespace | https://my.energycap.com |
| Source | Attribute |
| Source attribute | user.givenname |
Claim 4 — Last Name
| Field | Value |
|---|---|
| Name | lastName |
| Namespace | https://my.energycap.com |
| Source | Attribute |
| Source attribute | user.surname |
When complete, your Attributes & Claims section should show these four claims with the full URI format:
| Claim name | Value |
|---|---|
| https://my.energycap.com/subject | user.userprincipalname |
| https://my.energycap.com/email | user.mail |
| https://my.energycap.com/firstName | user.givenname |
| https://my.energycap.com/lastName | user.surname |
Tip
The subject claim determines how users are matched to EnergyCAP accounts. If your organization uses samaccountname or another attribute as the primary identifier, use that instead of userprincipalname. Confirm with your EnergyCAP project manager which attribute matches your EnergyCAP user codes.
Step 4: Download the Federation Metadata
- In the SAML Certificates section, find Federation Metadata XML
- Click Download to save the metadata XML file
- Send this file to your EnergyCAP project manager — they need it to complete the SSO configuration on the EnergyCAP side
Step 5: Assign Users
Users must be assigned to the EnergyCAP enterprise application before they can authenticate via SSO.
- Navigate to Users and groups in the left sidebar of the EnergyCAP application
- Click Add user/group
- Select the users or groups that should have access to EnergyCAP
- Click Assign
Tip
For a quick rollout, assign a security group that contains all EnergyCAP users rather than adding users individually.
Step 6: Test the Integration
- In the Single sign-on settings page, scroll to the Test single sign-on section
- Click Test and sign in with a user that:
- Is assigned to the EnergyCAP enterprise application
- Has a matching user account in EnergyCAP (by user code or email)
- If authentication succeeds, you should be redirected to EnergyCAP and signed in automatically
If the test fails, check:
- All four claims are configured with the full URI namespace (https://my.energycap.com/...)
- The user has a valid mail attribute in Entra ID
- The Federation Metadata XML has been sent to and processed by your EnergyCAP project manager
- The user exists in EnergyCAP with a matching user code or email address
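As an added example (not part of this guide or of any EnergyCAP or Microsoft tooling), the following Python script checks a decoded SAML assertion for the four claims configured in Step 3, reporting claims that are missing or empty and any default Entra claim names that indicate the custom namespace was not applied. The build_assertion helper and the sample values are constructed for testing only; the script does not verify the assertion signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Full URI form of the four claims (Namespace + "/" + Name from the tables above).
REQUIRED_CLAIMS = (
    "https://my.energycap.com/subject",
    "https://my.energycap.com/email",
    "https://my.energycap.com/firstName",
    "https://my.energycap.com/lastName",
)
# Entra's default claim names start with this; seeing them means the custom
# namespace was not applied.
ENTRA_DEFAULT_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"


def build_assertion(attributes):
    """Build a minimal, unsigned AttributeStatement from a name->value dict.
    Constructed test data only; values are not XML-escaped."""
    attrs = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        "</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>'
        f"{attrs}</saml:AttributeStatement></saml:Assertion>"
    )


def check_claims(assertion_xml):
    """Return a list of problems; empty means all four claims are present
    with non-empty values and no default Entra claims remain."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.findall(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        found[attr.get("Name")] = value.strip()
    problems = []
    for claim in REQUIRED_CLAIMS:
        if claim not in found:
            problems.append(f"missing claim {claim}")
        elif not found[claim]:
            problems.append(f"empty value for {claim}")
    for name in found:
        if name.startswith(ENTRA_DEFAULT_PREFIX):
            problems.append(f"default Entra claim still present: {name}")
    return problems
```

To check a real login, decode the base64 SAMLResponse from the browser's network trace (or use the Test single sign-on output in Entra) and pass the Assertion element to check_claims.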
Summary
| Step | Action |
|---|---|
| 1 | Create a non-gallery enterprise application named “EnergyCAP” |
| 2 | Set SAML SSO with Entity ID and Reply URL |
| 3 | Add four custom claims with https://my.energycap.com namespace |
| 4 | Download Federation Metadata XML and send to EnergyCAP PM |
| 5 | Assign users or groups to the application |
| 6 | Test with an assigned user |