Skip to main content

Configuring Microsoft Entra SAML authentication

Omni supports service provider (SP)-initiated SAML authentication with Microsoft Entra (formerly Active Directory). When enabled, users in your organization can log into Omni using their Microsoft Entra credentials.

Requirements

To follow the steps in this guide, you'll need:

  • Omni Organization Admin permissions
  • Permissions in Microsoft Entra that allow you to:
    • Access the admin panel
    • Add & configure Microsoft Entra applications
    • Assign users to applications

Limitations

User sessions will expire after 24 hours. This is not currently configurable.

1. Open the Omni authentication settings

In your Omni instance, navigate to Settings > Authentication and locate the SAML section.

Leave this page open - you'll need it to complete the setup.

2. Create an Omni application in Entra

  1. Log in to the Microsoft Entra admin panel.
  2. Navigate to Applications > Enterprise Applications.
  3. Click New application, then Create your own application.
  4. Name the application Omni.
  5. Select the Integrate any other application you don't find in the gallery (Non-gallery) option.
  6. Click Create.

3. Configure the Entra Omni application

  1. Click the Entra Omni application you created in the previous step.
  2. Navigate to the Manage > Single sign-on configuration section.
  3. Select SAML sign-on as the method.
  4. In the Basic SAML configuration section, click Edit and modify these settings:
    • Identifier (Entity ID) - Enter the full hostname of your Omni instance, e.g. myorg.omniapp.co. Do not include https://.
    • Reply URL (Assertion Consumer Service URL) - Copy and paste the value of the Single sign-on URL field from the Omni Authentication settings you opened in step 1.
  5. Save the changes to the settings.

Next, edit the application's Attributes & Claims. The requires three claims, outlined as follows:

DescriptionNameNamespaceSourceSource attribute
Claim 1User's email addressemail_addressLeave blankAttributeThe attribute you use to identify a user's email address. Usually user.email or user.mail.
Claim 2User's first namefirst_nameLeave blankAttributeuser.first_name
Claim 3User's last namelast_nameLeave blankAttributeuser.surname
note

The name for a claim must match exactly the value in the Name column in the above table. For example, first_name is valid but firstName is not.

Create and configure the claims for the application until you have one for each of the claims outlined in the previous table.

4. Assign yourself to the Entra Omni application

In this step, you'll assign the Entra Omni application to yourself. This will allow you to test the setup in Omni before rolling everything out to your organization.

Follow the steps in the Entra documentation to assign yourself to the Omni application.

5. Download the signing certificate

  1. In the Entra Omni application's settings, locate the SAML Certificates section.
  2. Click the Base64 download link to download the certificate.
  3. Locate the certificate file on your computer and change the extension to .txt. This will allow you to open it.
  4. Keep the file open - you'll need it to complete the next step.

6. Configure Omni authentication settings

Navigate back to the Omni authentication settings (Settings > Authentication) to complete the setup:

  • Entity ID / Issuer - Copy and paste the Microsoft Entra ID Identifier value from Entra

  • SSO (Sign on) URL - Copy and paste the Login URL value from Entra

  • Certificate - Copy and paste the contents of the certificate you downloaded in step 4.

    warning

    The certificate must include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, for example:

    -----BEGIN CERTIFICATE-----
    [Your certificate contents]
    -----END CERTIFICATE-----

    If the certificate you paste into Omni doesn't have these values, add them in the Certificate field so that it looks like the above example.

  • Enable SAML login - Toggle this setting to on to enable SAML authentication

When finished, click Save SAML changes.

Omni authentication settings page

7. Test the setup

Test your SAML setup by logging out of Omni. On the Omni login page, you should see a Log in with SAML button. Click the button to log in using SAML.

8. Assign users to the Omni appication

Looking to assign user groups?

User groups can be pushed from Microsoft Entra to Omni using SCIM. Check out the Entra-Omni SCIM guide for more information.

Once you confirm everything is working as expected, you can assign the Omni application to other people and groups in your organization.

Follow the steps in the Entra documentation to assign users to the Omni application.

What's next?

Setting up SAML allows your users to authenticate to Omni using their Microsoft Entra credentials. With this setup completed, you can also: