> ## Documentation Index
> Fetch the complete documentation index at: https://enterprise-docs.dify.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Configuring SAML with Azure

This document will use Azure Entra ID as the SSO identity provider to demonstrate how to enable SAML authentication protocol for Dify Enterprise. By enabling this feature, the enterprise login page will use a unified identity authentication entry to enhance security. For enterprise internal users, there's no need to enter complex passwords - they can log in using organizational accounts to pass verification, simplifying the login process.

## 1. Create a New Application in Azure

Access the Azure administrator backend page, navigate to the Applications page, and click New application.

![](https://assets-docs.dify.ai/2024/11/4f52715ff661e6c9430af09b4b2a4736.png)

Select **Create your own application**, enter an application name such as "dify", then select **Integrate any other application you don't find in the gallery (Non-gallery)**, then click Create.

![](https://assets-docs.dify.ai/2024/11/b823ecfaa94d18ba0ac794cc0290dc7f.png)

Next, you need to assign visible members to this application. Only authorized Azure members will be allowed to log in to Dify Enterprise. Select **Users and groups** on the left side of the application, then click **Add user/group**.

![](https://assets-docs.dify.ai/2024/11/ed3c6f5de21c75e2261bf05d055ffb9e.png)

## 2. Configure the Application

Click the Single sign-on option under Manage on the left side of the application, then select the SAML option.

![](https://assets-docs.dify.ai/2024/11/7a5f653e751bf20c01c7eb53cc79ddde.png)

Edit the SAML configuration and fill in the Dify Enterprise ACS URL in the **Entity ID** and **Reply URL** fields.

<div style={{ display: 'flex', gap: '20px' }}>
  <Frame>
    <img src="https://assets-docs.dify.ai/2024/11/639bb89e402f8f20078d6c7a14ca0297.png" alt="Image 1" />
  </Frame>

  <Frame>
    <img src="https://assets-docs.dify.ai/2024/11/236a4995e4fe338d12b41993fc237611.png" alt="Image 2" />
  </Frame>
</div>

<Tabs>
  <Tab title="Workspace">
    Click **Admin Backend** → **Identity Authentication** → **Member** → **SSO Identity Provider** → **New Identity Provider** → **New SAML Provider**, and get the Callback URL at the bottom.

    It usually follows this format:

    ```bash theme={null}
    https://[your-dify-enterprise-url]/console/api/enterprise/sso/saml/acs
    ```
  </Tab>

  <Tab title="Web App Members (For Internal Users)">
    Click **Admin Backend** → **Identity Authentication** → **Member** → **SSO Identity Provider** → **New Identity Provider** → **New SAML Provider**, and get the Callback URL at the bottom.

    It usually follows this format:

    ```bash theme={null}
    https://[your-app-url]/api/enterprise/sso/members/saml/acs
    ```
  </Tab>

  <Tab title="WebApp External Users (For External Users)">
    Click **Admin Backend** → **Identity Authentication** → **Web App** → **SSO Identity Provider** → **New Identity Provider** → **New SAML Provider**, and get the Callback URL at the bottom.

    It usually follows this format:

    ```bash theme={null}
    https://[your-app-url]/api/enterprise/sso/saml/acs
    ```
  </Tab>
</Tabs>

After obtaining the ACS URL, switch back to the Azure application page, download the Certificate in the SAML Certificates tab; also copy the Login URL from the setup page. Next, you need to fill these two parameters into the Dify Enterprise admin backend.

![](https://assets-docs.dify.ai/2024/11/ab7e3bd7067858ec4627d1d863244e81.png)

### Advanced Configuration: Edit Attributes and Claims

1. Click **Unique User Identifier (Name ID)** under **Required claim**.

![](https://assets-docs.dify.ai/2024/11/97a46bf1b5264ef72ad4b202fdf2a772.png)

2. Change the source attribute to `user.mail`.

![](https://assets-docs.dify.ai/2024/11/183dd293f17f87081ac4c2390b583fb0.png)

## 3. Complete Dify Enterprise Backend Configuration

System administrator clicks on the Authentication page of Dify Enterprise, click **"+ New Identity Provider → New SAML Provider"**,

<Tabs>
  <Tab title="Workspace">
    Click **Admin Backend** → **Identity Authentication** → **Member** → **SSO Identity Provider** → **New Identity Provider** → **New SAML Provider**, and get the Callback URL at the bottom.

    * Fill in the Login URL from the Azure application in the IdP SSO URL field;
    * Fill in the content from the downloaded Certificate file in the X509 Signing Certificate field;

    ![](https://assets-docs.dify.ai/2025/06/a45a2d156196ae163e7944cdad7ec2da.png)

    It usually follows this format:

    ```bash theme={null}
    https://[your-dify-enterprise-url]/console/api/enterprise/sso/saml/acs
    ```
  </Tab>

  <Tab title="WebApp Members (For Internal Users)">
    Click **Admin Backend** → **Identity Authentication** → **Member** → **SSO Identity Provider** → **New Identity Provider** → **New SAML Provider**, and get the Callback URL at the bottom.

    * Fill in the Login URL from the Azure application in the IdP SSO URL field;
    * Fill in the content from the downloaded Certificate file in the X509 Signing Certificate field;

    ![](https://assets-docs.dify.ai/2025/06/a45a2d156196ae163e7944cdad7ec2da.png)

    It usually follows this format:

    ```bash theme={null}
    https://[your-app-url]/api/enterprise/sso/members/saml/acs
    ```
  </Tab>

  <Tab title="WebApp External Users (For External Users)">
    Click **Admin Backend** → **Identity Authentication** → **Web App External User Authentication** → **SSO Identity Provider** → **New Identity Provider** → **New SAML Provider**, and get the Callback URL at the bottom.

    * Fill in the Login URL from the Azure application in the IdP SSO URL field;
    * Fill in the content from the downloaded Certificate file in the X509 Signing Certificate field;

    ![](https://assets-docs.dify.ai/2025/06/a8451628cb9a659f55164fa10307ca12.png)

    It usually follows this format:

    ```bash theme={null}
    https://[your-app-url]/api/enterprise/sso/saml/acs
    ```
  </Tab>
</Tabs>

## 4. Enable SSO Authentication

After completing the basic SSO configuration, system administrators can enable SSO authentication for internal members and external users separately to unify identity authentication processes.

### For Internal Users

If you want only members who have passed enterprise identity authentication to access the Dify workspace and Web App, click **Authentication** → **Members** and enable the SSO authentication toggle.

* **Workspace**: Requires authorization when logging into the Dify Enterprise workspace.
* **Web App**: Requires verification when using applications created by the current Dify Enterprise.

### For External Users

If you want to enable authentication for external users of Web Apps (such as customers and partners) to ensure that only trusted users can access applications, click **Authentication** → **Web App** and enable the SSO authentication toggle.

* Fill in the Login URL from the Azure application in the IdP SSO URL field;
* Fill in the content from the downloaded Certificate file in the X509 Signing Certificate field;

![](https://assets-docs.dify.ai/2024/11/556e3d68efbc742711e4313534a2e95c.png)
