Configuring Microsoft Entra SAML authentication
Omni supports service provider (SP)-initiated SAML authentication with Microsoft Entra (formerly Active Directory). When enabled, users in your organization can log into Omni using their Microsoft Entra credentials.
Requirements
To follow the steps in this guide, you'll need:
- Omni Organization Admin permissions
- Permissions in Microsoft Entra that allow you to:
  - Access the admin panel
  - Add & configure Microsoft Entra applications
  - Assign users to applications
Limitations
User sessions will expire after 24 hours. This is not currently configurable.
1. Open the Omni authentication settings
In your Omni instance, navigate to Settings > Authentication and locate the SAML section.
Leave this page open - you'll need it to complete the setup.
2. Create an Omni application in Entra
- Log in to the Microsoft Entra admin panel.
- Navigate to Applications > Enterprise Applications.
- Click New application, then Create your own application.
- Name the application Omni.
- Select the Integrate any other application you don't find in the gallery (Non-gallery) option.
- Click Create.
3. Configure the Entra Omni application
- Click the Entra Omni application you created in the previous step.
- Navigate to the Manage > Single sign-on configuration section.
- Select SAML sign-on as the method.
- In the Basic SAML configuration section, click Edit and modify these settings:
  - Identifier (Entity ID) - Enter the full hostname of your Omni instance, e.g. myorg.omniapp.co. Do not include https://.
  - Reply URL (Assertion Consumer Service URL) - Copy and paste the value of the Single sign-on URL field from the Omni Authentication settings you opened in step 1.
- Save the changes to the settings.
Next, edit the application's Attributes & Claims. The application requires three claims, outlined as follows:
| | Description | Name | Namespace | Source | Source attribute |
|---|---|---|---|---|---|
| Claim 1 | User's email address | email_address | Leave blank | Attribute | The attribute you use to identify a user's email address. Usually user.email or user.mail. |
| Claim 2 | User's first name | first_name | Leave blank | Attribute | user.first_name |
| Claim 3 | User's last name | last_name | Leave blank | Attribute | user.surname |
The name for a claim must match exactly the value in the Name column in the above table. For example, first_name is valid but firstName is not.
Create and configure the claims for the application until you have one for each of the claims outlined in the previous table.
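The exact-match rule for claim names can be checked against a decoded SAML response, for instance one captured in the browser during a test login. The following is an added example, not part of Omni's or Microsoft's documentation. The sample response is constructed, the function names are hypothetical, and the namespaced attribute name assumes Entra prefixes a non-blank Namespace to the claim name.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email_address", "first_name", "last_name")  # Name column of the table

# Constructed sample of a decoded SAMLResponse (not captured from a real tenant).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="email_address">
   <saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName">
   <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/last_name">
   <saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

def _fold(name):
    """Drop any namespace prefix, case and separators so near-misses can be spotted."""
    tail = name.rsplit("/", 1)[-1]
    return "".join(ch for ch in tail.lower() if ch.isalnum())

def check_claims(response_xml):
    """Map each required claim name to 'ok', 'empty value', 'misnamed as ...' or 'missing'.

    Debugging aid only: it reads attribute names and does not verify the signature.
    """
    root = ET.fromstring(response_xml)
    sent = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        text = value.text if value is not None and value.text else ""
        sent[attr.get("Name", "")] = text.strip()
    report = {}
    for name in REQUIRED:
        if name in sent:  # exact, case-sensitive match
            report[name] = "ok" if sent[name] else "empty value"
            continue
        near = [n for n in sent if _fold(n) == _fold(name)]
        report[name] = f"misnamed as {near[0]!r}" if near else "missing"
    return report

if __name__ == "__main__":
    for claim, status in check_claims(SAMPLE).items():
        print(f"{claim}: {status}")
```

A "misnamed" result points at the Name or Namespace field of that claim in Entra's Attributes & Claims editor.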
4. Assign yourself to the Entra Omni application
In this step, you'll assign the Entra Omni application to yourself. This will allow you to test the setup in Omni before rolling everything out to your organization.
Follow the steps in the Entra documentation to assign yourself to the Omni application.
5. Download the signing certificate
- In the Entra Omni application's settings, locate the SAML Certificates section.
- Click the Base64 download link to download the certificate.
- Locate the certificate file on your computer and change the extension to .txt. This will allow you to open it.
- Keep the file open - you'll need it to complete the next step.
6. Configure Omni authentication settings
Navigate back to the Omni authentication settings (Settings > Authentication) to complete the setup:
- Entity ID / Issuer - Copy and paste the Microsoft Entra ID Identifier value from Entra
- SSO (Sign on) URL - Copy and paste the Login URL value from Entra
- Certificate - Copy and paste the contents of the certificate you downloaded in step 4.

  Warning: The certificate must include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, for example:

  -----BEGIN CERTIFICATE-----
  [Your certificate contents]
  -----END CERTIFICATE-----

  If the certificate you paste into Omni doesn't have these values, add them in the Certificate field so that it looks like the above example.
- Enable SAML login - Toggle this setting to on to enable SAML authentication
When finished, click Save SAML changes.

7. Test the setup
Test your SAML setup by logging out of Omni. On the Omni login page, you should see a Log in with SAML button. Click the button to log in using SAML.
8. Assign users to the Omni application
User groups can be pushed from Microsoft Entra to Omni using SCIM. Check out the Entra-Omni SCIM guide for more information.
Once you confirm everything is working as expected, you can assign the Omni application to other people and groups in your organization.
Follow the steps in the Entra documentation to assign users to the Omni application.
What's next?
Setting up SAML allows your users to authenticate to Omni using their Microsoft Entra credentials. With this setup completed, you can also: