
SSO Setup Guide for Microsoft Entra ID

SSO, Single Sign-On, Microsoft Entra, Entra ID, Azure AD, SAML

Written by Joakim Rosdahl

Overview

This guide walks you through configuring Single Sign-On (SSO) between Microsoft Entra ID (formerly Azure Active Directory) and Sysarb using SAML 2.0. Follow this guide together with your internal IT — some steps are done in the Microsoft Entra admin center, others in Sysarb.

For the general SSO overview, responsibilities, and troubleshooting, see SSO Setup Guide.

⚠️ Important: Sysarb does not have a separate SSO test mode. As soon as you enable SSO it becomes the only login method — so double-check every value in Entra and Sysarb before flipping the toggle. If SSO is enabled with incorrect settings, all users will be locked out. In that case, contact [email protected] immediately.


Before you begin

You will need:

  • A Global Administrator or Application Administrator role in Microsoft Entra ID

  • Administrator access in Sysarb

  • Access to both systems at the same time (we recommend two windows side by side)

  • Approximately 20–30 minutes for the configuration


Flow overview

| Step | Where it's done | Owner |
| --- | --- | --- |
| 1. Create the Enterprise Application in Entra | Microsoft Entra admin center | Internal IT |
| 2. Get SP metadata from Sysarb | Sysarb | Sysarb administrator |
| 3. Configure SAML settings in Entra | Microsoft Entra admin center | Internal IT |
| 4. Assign users to the application | Microsoft Entra admin center | Internal IT |
| 5. Get IdP metadata from Entra | Microsoft Entra admin center | Internal IT |
| 6. Add IdP metadata in Sysarb | Sysarb | Sysarb administrator |
| 7. Enable SSO in Sysarb | Sysarb | Sysarb administrator |


Step 1 — Create the Enterprise Application in Microsoft Entra

  1. In the left menu, go to Applications → Enterprise applications.

  2. Click + New application.

  3. Click + Create your own application.

  4. Enter the name: Sysarb.

  5. Select Integrate any other application you don't find in the gallery (Non-gallery).

  6. Click Create.


Step 2 — Get SP metadata from Sysarb

Before configuring SAML in Entra, you need Sysarb's Service Provider details. The easiest way is to download the full metadata file — you'll use it directly in Step 3a.

  1. Sign in to Sysarb as an administrator.

  2. Go to Settings → System → Single sign-on.

  3. In the Our SP data section, click Download SP metadata and save the XML file locally.

  4. Also note the Direct login link (Sign on URL) — it is not part of the metadata file and must be pasted manually into Entra in Step 3a.


💡 Good to know: The metadata file contains Entity ID (Identifier) and Assertion Consumer Service (ACS) URL (Reply URL). When you upload it to Entra, those fields are filled in automatically — only the Sign on URL needs to be entered by hand.


Step 3 — Configure SAML settings in Entra

  1. In Entra, go back to your new Sysarb application under Enterprise applications.

  2. In the left menu, click Single sign-on.

  3. Choose SAML as the method.


3a. Basic SAML Configuration

The fastest and safest approach is to upload the SP metadata file from Step 2. Identifier and Reply URL will be filled in automatically — only the Sign on URL needs to be added manually.

Primary — upload the SP metadata file:

  1. Click Upload metadata file at the top of the Single sign-on page in Entra.

  2. Select the XML file you downloaded in Step 2.

  3. Click Add. Entra automatically fills in Identifier (Entity ID) and Reply URL (ACS).

  4. In the Basic SAML Configuration panel, add the Sign on URL manually — paste the Direct login link value from Sysarb.

  5. Leave Relay State and Logout Url empty (unless you use Single Logout).

  6. Click Save.

Fallback — fill in the values manually:

If the upload fails for any reason, click Edit in the Basic SAML Configuration panel and fill in all values by hand:

| Field in Entra | Value from Sysarb |
| --- | --- |
| Identifier (Entity ID) | The Entity ID value from Sysarb |
| Reply URL (Assertion Consumer Service URL) | The ACS URL value from Sysarb |
| Sign on URL | The Direct login link value from Sysarb |
| Relay State (optional) | Leave empty |
| Logout Url (optional) | Leave empty unless you use Single Logout |

Click Save.


3b. Attributes & Claims

Sysarb uses email address as the unique identifier — no additional claims are required. The default Entra settings usually work as-is. The only value that must match is Name ID:

| Claim | Value |
| --- | --- |
| Unique User Identifier (Name ID) | user.mail (or user.userprincipalname if email is missing) |

If the Name ID format needs to be changed: select Name ID format → Email address.

💡 Important: verify that the same email address exists in both Entra and Sysarb — that's the link that matches the user across systems.
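The email match described above can be checked for every assigned user before SSO is enabled. This is an added example, not part of the Sysarb guide: `name_id_gaps` is a hypothetical helper, the user records and Sysarb email list are constructed, and reporting case-only differences separately is an assumption, since the guide only says the addresses must be identical.

```python
def name_id_gaps(entra_users, sysarb_emails, source="mail"):
    """Predict which assigned Entra users will not match a Sysarb account.

    source is the attribute mapped to Name ID: "mail" or "userPrincipalName".
    """
    exact = set(sysarb_emails)
    folded = {e.casefold(): e for e in sysarb_emails}
    report = {"empty": [], "case_only": [], "missing": []}
    for user in entra_users:
        value = user.get(source) or ""
        if not value:
            # No value available to send as Name ID for this user.
            report["empty"].append(user["userPrincipalName"])
        elif value in exact:
            continue
        elif value.casefold() in folded:
            # Same address with different casing: listed separately because
            # the guide asks for identical addresses in both systems.
            report["case_only"].append((value, folded[value.casefold()]))
        else:
            report["missing"].append(value)
    return report


# Constructed sample data (not real accounts).
ENTRA_USERS = [
    {"userPrincipalName": "anna@corp.example", "mail": "anna@corp.example"},
    {"userPrincipalName": "bo@corp.example", "mail": "Bo.Ek@corp.example"},
    {"userPrincipalName": "cy@corp.example", "mail": None},
    {"userPrincipalName": "di@corp.onmicrosoft.example", "mail": "di@corp.example"},
]
SYSARB_EMAILS = ["anna@corp.example", "bo.ek@corp.example",
                 "cy@corp.example", "di@corp.example"]

if __name__ == "__main__":
    for attr in ("mail", "userPrincipalName"):
        print(attr, name_id_gaps(ENTRA_USERS, SYSARB_EMAILS, attr))
```

Running it once per candidate attribute shows which Name ID source leaves the fewest users unmatched, and which accounts need their address corrected first.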


Step 4 — Assign users to the application

Only users assigned to the Sysarb application will be able to sign in via SSO.

  1. In the application, go to Users and groups in the left menu.

  2. Click + Add user/group.

  3. Select the users or groups that should have access to Sysarb. We recommend creating a security group, e.g. Sysarb-Users, and assigning that.

  4. Click Assign.

💡 Tip: Include your IT contact and a trusted Sysarb administrator in the assignment so the right people can access the system right after activation.



Step 5 — Get IdP metadata from Entra

  1. Go back to the Single sign-on page in the application.

  2. Scroll down to section 3. SAML Certificates.

  3. Click Download next to Federation Metadata XML.

Save the XML file — you'll upload it to Sysarb in the next step.

Alternatively: If your Sysarb configuration requires manual entry, also note:

  • Login URL (Entry point)

  • Microsoft Entra Identifier (Issuer)

  • Certificate (Base64) — download via "Certificate (Base64)"



Step 6 — Add IdP metadata in Sysarb

  1. Back in Sysarb, go to Settings → System → Single sign-on.

  2. In the Your IdP data section, click Edit (bottom right).

  3. Choose one of two options:

    • Option 1 — Upload the Federation Metadata XML: click Choose file and upload the XML file from Step 5. The fields are filled in automatically.

    • Option 2 — Enter manually: Entry point = Login URL from Entra; Certificate = the contents of the Base64 certificate from Entra.

  4. Click Save.


Step 7 — Enable SSO

Before you flip the switch: double-check that all values in Entra and Sysarb match. As soon as the toggle is on, every user will go through SSO and password login is disabled.

  1. In Sysarb, go to Settings → System → Single sign-on.

  2. At the top of the page, switch on Enable single sign-on.

  3. Confirm in the dialog.

If something fails right after activation, see Troubleshooting below or contact Sysarb support immediately.
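The double-check that Step 7 asks for can be scripted against the two metadata files from Step 2 and Step 5. This is an added example, not Sysarb's or Microsoft's code: the function names, the dictionary keys for the values typed into each admin UI, and the sample metadata (placeholder hosts, fake certificate bytes) are all assumptions made for illustration.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_metadata(xml_text):
    # Metadata never needs a DTD; refusing one sidesteps entity tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in SAML metadata")
    return ET.fromstring(xml_text)

def fingerprint(cert_text):
    # Bare base64 or a PEM file -> SHA-256 of the DER bytes.
    b64 = "".join(t for t in cert_text.split() if "-----" not in t)
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def preflight(sp_xml, idp_xml, entra, sysarb):
    """entra / sysarb: the values as actually entered in each admin UI."""
    sp, idp = parse_metadata(sp_xml), parse_metadata(idp_xml).find("md:IDPSSODescriptor", NS)
    acs = sp.find("md:SPSSODescriptor/md:AssertionConsumerService", NS).get("Location")
    sso = {e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    certs = {fingerprint(c.text) for c in idp.findall(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)}
    problems = []
    if entra["identifier"] != sp.get("entityID"):  # exact, case-sensitive
        problems.append("Identifier differs from the SP Entity ID")
    if entra["reply_url"] != acs:
        problems.append("Reply URL differs from the SP ACS URL")
    if not acs.startswith("https://"):
        problems.append("ACS URL is not HTTPS")
    if sysarb["entry_point"] not in sso:
        problems.append("Entry point is not an IdP SingleSignOnService URL")
    if fingerprint(sysarb["certificate"]) not in certs:
        problems.append("Certificate is not in the IdP metadata")
    return problems

# Constructed sample input: placeholder hosts, fake certificate bytes.
FAKE_CERT = base64.b64encode(b"constructed-not-a-real-certificate").decode()
MD = 'xmlns="urn:oasis:names:tc:SAML:2.0:metadata"'
SP_XML = (f'<EntityDescriptor {MD} entityID="https://sp.example/saml">'
          '<SPSSODescriptor><AssertionConsumerService '
          'Location="https://sp.example/saml/acs"/></SPSSODescriptor></EntityDescriptor>')
IDP_XML = (f'<EntityDescriptor {MD} xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
           'entityID="https://idp.example/"><IDPSSODescriptor><KeyDescriptor use="signing">'
           f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>'
           '</ds:X509Data></ds:KeyInfo></KeyDescriptor>'
           '<SingleSignOnService Location="https://idp.example/saml2"/>'
           '</IDPSSODescriptor></EntityDescriptor>')
```

Pass the contents of the two downloaded XML files in place of `SP_XML` and `IDP_XML`; an empty list from `preflight` means the entered values agree with both metadata files.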



Troubleshooting (Entra-specific)

| Symptom | Likely cause | Action |
| --- | --- | --- |
| AADSTS50105: Application not assigned | The user is not assigned to the Sysarb application in Entra | Add the user under Users and groups in Entra (Step 4) |
| AADSTS700016: Application not found in directory | Incorrect Entity ID / Identifier | Compare Sysarb's Entity ID with the "Identifier" field in Entra |
| AADSTS750054: SAMLRequest or SAMLResponse must be present | User is opening the ACS URL directly instead of the Sign-on URL | Use the Direct login link from Sysarb |
| Login succeeds but the user isn't found in Sysarb | The email address in the Entra Name ID doesn't match the Sysarb user's email | Verify that user.mail is used as Name ID and that the email address is identical in both systems |
| Certificate error / "Invalid signature" | The certificate stored in Sysarb is out of date (Entra rotates certificates after ~3 years) | Download a fresh Federation Metadata XML and update Sysarb |



What happens after activation?

  • All future logins go through Entra

  • Passwords in Sysarb are disabled — users can't reset or use them

  • Deprovisioning happens via Entra: removing the user's assignment or disabling the account blocks login to Sysarb. The user remains in Sysarb until removed manually or via SCIM

  • SCIM provisioning is a separate step — see SCIM Integration Guide



Support

Reach Sysarb at [email protected] or directly in the interface. If you are in an active implementation, your customer success contact is also available to help.

For questions about your Entra configuration, contact your internal IT or Microsoft support.
