> ## Documentation Index
> Fetch the complete documentation index at: https://enterprise-docs.dify.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Configuring SAML with Azure Entra ID

This guide will use Azure Entra ID as the SSO identity provider, connecting to the Dify Enterprise using the SAML protocol.

## 1. Create a new application in Azure

Access the Azure admin backend page, navigate to the Applications page, and click on New application.

![](https://r2.xmsex.net/2024/10/4f52715ff661e6c9430af09b4b2a4736.png)

Select **Create your own application**, enter an application name such as dify, then choose **Integrate any other application you don't find in the gallery (Non-gallery)**, and click **Create**.

![](https://r2.xmsex.net/2024/10/b823ecfaa94d18ba0ac794cc0290dc7f.png)

Next, you need to assign visible members to this application. Only authorized Azure members will be allowed to log in to the Dify Enterprise. Select **Users and groups** on the left side of the application, then click **Add user/group**.

![](https://r2.xmsex.net/2024/10/ed3c6f5de21c75e2261bf05d055ffb9e.png)

## 2. Configure the application

Click on the **Single sign-on** option under **Manage** on the left side of the application, then select the **SAML**.

![](https://r2.xmsex.net/2024/10/7a5f653e751bf20c01c7eb53cc79ddde.png)

Edit the SAML configuration, fill in the Dify Enterprise's ACS URL in both the Entity ID and Reply URL fields.

![](https://r2.xmsex.net/2024/10/969f69f97c35609e7aead84b1a19aa93.png)

System administrators need to go to the Authentication page of the Dify Enterprise, click "+ New Identity Provider → New SAML Provider", and then obtain the ACS URL.

![](https://r2.xmsex.net/2024/10/f66303a3902d7fff58c76228f6485386.png)

It typically follows this format:

```url theme={null}
https://[your-dify-enterprise-url]/console/api/enterprise/sso/oidc/callback
```

After obtaining the ACS URL, switch back to the Azure application page, download the Certificate from the SAML Certificates tab; also copy the Login URL from the set up page. These two parameters need to be filled in the Dify Enterprise admin backend.

![](https://r2.xmsex.net/2024/10/ab7e3bd7067858ec4627d1d863244e81.png)

**Advanced configuration: Edit attributes and claims**

1. Click on Unique User Identifier (Name ID) under Required claim

![](https://r2.xmsex.net/2024/10/f54bfe3ad7baf5fe9027c0a1f46142dd.png)

2. Change the source attribute to `user.mail`

![](https://r2.xmsex.net/2024/10/bbd0bed66d165b0d4bf209c2a414783f.png)

## 3. Complete the configuration on Dify

System administrators click on the Authentication page of the Dify Enterprise, click "+ New Identity Provider → New SAML Provider",

* Fill in the Azure application's Login URL in the IdP SSO URL field;
* Fill in the content of the downloaded Certificate file in the X509 Signing Certificate field, use the following format:

  ```certificate theme={null}
  -----BEGIN CERTIFICATE-----
  {certificate}
  -----END CERTIFICATE-----
  ```

![](https://r2.xmsex.net/2024/10/556e3d68efbc742711e4313534a2e95c.png)

## 4. Enable SSO Enforcement

After completing the SAML Provider configuration, tap the toggle button to the right of **"Workspaces SSO"** to enable SSO authentication for your team.

Once enabled, members of your organization must complete the SSO authentication before accessing resources in the Dify Enterprise
