Configure Single Sign-on (SSO) with Entra ID
Written by Joel Bradley
Updated over a week ago

Admin privileges required

Applies to: Basic, Business

Enterprise users can access their documentation here. Find your plan.


To use SAML 2.0 authentication with an Entra ID Enterprise Application, go to your Entra ID Portal and add a new Enterprise Application: click Entra ID → Enterprise applications → Create your own application. If you cannot find the Entra ID menu, look under More Services and search for Entra ID.

NOTE: Before October 2023, Entra ID was called Azure Active Directory (Azure AD).

1. Create a new Application

Enter the name for your app (e.g. Stack Overflow for Teams), select the non-gallery application option, then click Create.

Once the application loads, click on the Single sign-on option. Then click on SAML (or, depending on your Entra ID version, select SAML-based sign-on from the dropdown menu).

2. Configure URLs

Now edit the following URLs under Basic SAML Configuration:

  • Identifier (Entity ID): Must be unique per application. We recommend you set this field to StackOverflowForTeams. You'll enter this value into your Stack Overflow Teams auth settings as Issuer and Audience Restriction. Before moving on, make sure the Entity ID checkbox for "Default" is checked.

  • Reply URL: Enter your Team's Assertion Consumer Service URL into the Reply URL field. You can find this URL in your Authentication settings on Stack Overflow.

3. Configure Attributes

On the user Attributes tab, make sure the user email is being included in the SAML response.

You can also add the following optional attributes. When configured and included in the SAML response, Stack Overflow for Teams automatically updates these user data fields on login.

  • Job Title

  • Department

4. Download the Signing Certificate

In the SAML Signing Certificate section of your Entra ID application, download the Certificate (Base 64) to save the certificate file on your computer.

5. Set up Users and/or Groups

Do not forget to add users and/or groups to the application, under the Users and groups menu.

6. Set up Authentication settings on Stack Overflow for Teams

We must now set up our Team for using this Entra ID enterprise app. Open the Team Auth Settings page on a separate tab: https://stackoverflowteams.com/c/[your_team]/admin/auth-settings

You'll need to fill in the following fields with the values from your Entra ID app:

  • Single Sign-On Service Url: that's the Login URL of your Entra ID application.

  • Single Sign-On Service Protocol Binding: do not change, leave as POST

  • Issuer and Audience Restriction: that's the Identifier (Entity ID) URI you chose (see above)

  • Display Name Assertion: for Entra ID apps, the display name assertion is usually http://schemas.microsoft.com/identity/claims/displayname or http://schemas.microsoft.com/identity/claims/name. If you want to be 100% sure, check your attributes list.

  • Email Address Assertion: for Entra ID apps, the email assertion is usually http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. If you want to be 100% sure, check your Federation Metadata xml, and search for Email. The correct value will be whatever is described in the Uri attribute.

  • Leave all checkboxes unchecked

  • Identity Provider Certificates: open the certificate file you downloaded from your Entra ID app and copy/paste the contents of that file.

(Optional) Automate the renewal of certificates

Once you have set up SSO according to the above instructions, you can set up a Federation Metadata URL to automate the renewal of the Identity Provider Certificates. If you choose not to, the certificate will have to be updated by an admin every year, or access to the Team will be interrupted.

To set this up, check the Automatically update certificates periodically checkbox and paste your Federation Metadata URL from Entra ID into the field that appears. Click Save.
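To cross-check what you pasted in step 6 against what the identity provider actually publishes, the following added example (not Stack Overflow's or Microsoft's code) reads a Federation Metadata document and returns the HTTP-POST sign-on URL, the email claim URI, and the signing certificates in PEM form. The function name and the sample XML are constructed for illustration, and the claim lookup assumes the metadata lists claims as WS-Federation `auth:ClaimType` elements with a `DisplayName` child.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample, trimmed to the elements read below; tenant ID and certificate are placeholders.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <RoleDescriptor><auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <auth:DisplayName>Email</auth:DisplayName></auth:ClaimType></RoleDescriptor>
 <IDPSSODescriptor>
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>UExBQ0VIT0xERVI=</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def auth_settings_from_metadata(xml_text):
    """Return the values the Team auth settings page asks for, as published by the IdP."""
    root = ET.fromstring(xml_text)  # parse only metadata fetched from your own tenant
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML 2.0 IdP metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == POST]
    if not sso:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    # Claim URIs keyed by display name, e.g. "Email" -> the Uri attribute.
    claims = {c.findtext("auth:DisplayName", "", NS).strip(): c.get("Uri")
              for c in root.iterfind(".//auth:ClaimType", NS)}
    # Metadata may list several signing certificates; keep them all.
    certs = ["".join((x.text or "").split()) for x in
             idp.iterfind("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    pems = ["-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(c, 64))
            + "\n-----END CERTIFICATE-----" for c in certs]
    return {"sso_url": sso[0], "email_claim": claims.get("Email"),
            "claims": claims, "certificates": pems}

if __name__ == "__main__":
    for key, value in auth_settings_from_metadata(SAMPLE).items():
        print(f"{key}: {value}")
```

If `email_claim` comes back as `None`, the metadata does not list a claim with the display name Email, so check the attributes list in the Entra ID application instead.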


Need help? Submit an issue or question through our support portal.
