This guide walks an IT admin through configuring Microsoft Entra ID (formerly “Azure AD”) as the SAML Identity Provider (IdP) for Vosaic.

What you’ll need

  • Admin access to Vosaic (to the SSO settings page)
  • Admin access to Microsoft Entra admin center
  • Ability to add a TXT record to your domain’s DNS (for domain verification)

Part A — Configure SSO in Vosaic (domain verification + Vosaic endpoints)

1) Open Vosaic SSO settings

In Vosaic, go to Settings → SSO (SAML) (or your SSO page).

2) Verify your domain

  1. Copy the TXT record value shown on the Vosaic SSO page.
  2. Add it as a TXT record in your domain’s DNS.
  3. Back in Vosaic, click Verify Domain.

Once verified, Vosaic will show the SAML configuration details you’ll use in Entra ID, including:

  • Entity / Metadata base URL: https://vosaic.com/Saml2
  • ACS (Reply) URL: https://vosaic.com/Saml2/Acs

Tip: DNS changes can take time to propagate. If verification fails, confirm the TXT record is published for the correct domain and try again.

Part B — Create the SAML application in Microsoft Entra ID (Azure AD)

3) Create an Enterprise Application

  1. Go to Microsoft Entra admin center
  2. Navigate to Identity → Applications → Enterprise applications
  3. Select New application
  4. Choose Create your own application
  5. Name it something like Vosaic SSO
  6. Select Integrate any other application you don’t find in the gallery (Non-gallery) and create it

(Microsoft’s documentation covers the “add enterprise application” flow.)

Part C — Configure SAML Single Sign-On in Entra

4) Enable SAML-based Single sign-on

  1. In your new Vosaic SSO enterprise app, select Single sign-on
  2. Choose SAML

Microsoft’s documentation describes the SAML SSO setup screen and its “Basic SAML Configuration” section.

5) Fill in “Basic SAML Configuration”

Click Edit under Basic SAML Configuration and set:

  • Identifier (Entity ID): https://vosaic.com/Saml2
  • Reply URL (ACS URL): https://vosaic.com/Saml2/Acs

Save your changes.

The “Sign on URL” field can usually be left blank for SP-initiated flows unless your organization or IdP team has a reason to set it.

Part D — Configure claims (attributes) Vosaic requires

Vosaic requires three attributes to be sent in the SAML assertion:

  • FirstName
  • LastName
  • Email

6) Edit “Attributes & Claims”

  1. In the SAML configuration page, find Attributes & Claims
  2. Click Edit
  3. Ensure NameID is an email-style identifier (recommended: user.mail)

Then add / edit claims so the claim names match exactly what you’ll type into Vosaic:

Suggested mapping:

| Required by Vosaic | Claim name in Entra | Suggested source attribute |
| --- | --- | --- |
| First Name | FirstName | user.givenname |
| Last Name | LastName | user.surname |
| Email | Email | user.mail |

These claim names (FirstName, LastName, Email) must exactly match what’s entered in Vosaic.

Part E — Collect IdP values from Entra and paste them into Vosaic

Vosaic will ask you for:

  • SAML Entity ID
  • Metadata URL
  • Endpoint (IdP Single Sign-On URL)
  • Certificate

7) Copy IdP values from Entra

On the SAML setup page in Entra, locate the section that provides IdP details. You’ll typically use:

  • Microsoft Entra Identifier → paste into Vosaic: SAML Entity ID
  • Login URL → paste into Vosaic: Endpoint / IdP SSO URL
  • Federation Metadata XML URL → paste into Vosaic: Metadata URL

Microsoft’s documentation lists the Entra federation metadata endpoints.

8) Download the SAML signing certificate

  1. In the SAML setup page, find SAML Certificates
  2. Download Certificate (Base64)

Then paste/upload that certificate into Vosaic: Certificate.

Microsoft’s documentation describes the certificate download options (including Base64).

Part F — Finish setup in Vosaic (attribute “claim names”)

9) Enter IdP values and map fields in Vosaic

Back in Vosaic → SSO (SAML):

  1. Paste in:
    • SAML Entity ID
    • Metadata URL
    • Endpoint (IdP SSO URL)
    • Certificate
  2. Under Map Fields, enter the claim names you configured in Entra:
    • First Name: FirstName
    • Last Name: LastName
    • Email: Email
  3. Click Save Settings

Part G — Assign users and test

10) Assign users/groups in Entra

In the Enterprise App:

  1. Go to Users and groups
  2. Assign the users/groups who should have access

11) Test sign-in

Use Entra’s Test button in the SAML SSO screen (if available), or simply try signing into Vosaic via your organization’s app portal / SSO entry point.

What admins should verify BEFORE testing

Confirm the following:

  1. Every Vosaic user has mail populated in Entra
    • Entra admin center → Users → select user → Properties → Email
  2. The value is a real, routable email address
  3. It matches what users are expected to sign in with (or at least receive email at)

If this step is skipped, SSO will look “broken” when it’s actually a directory data issue.

Common Azure setups that break SSO with “real email” requirements

These are worth calling out explicitly in support tickets:

  • Shared mailboxes without mail
  • Student accounts with login-only UPNs
  • Guest users
  • Users synced from on-prem AD where mail was never set

Email requirement

Vosaic requires a valid email address for each user. In Microsoft Entra ID, the SAML Email claim must be mapped to user.mail.

If a user does not have an email address populated in Entra ID, SSO login and automatic provisioning will fail.

Troubleshooting quick hits

  • Domain won’t verify in Vosaic: Confirm TXT record is on the correct domain and publicly resolvable.
  • “User not found” / provisioning issues: Verify the SAML assertion includes Email, FirstName, LastName and that your claim names match what you entered in Vosaic.
  • Certificate errors: Make sure you used Base64 format (not raw/binary).
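
Added example (not Vosaic or Microsoft code): a Python check for the “User not found” troubleshooting item above, run against the base64 SAMLResponse form field captured from your own test sign-in. It confirms the Destination, Audience, NameID and the exact FirstName / LastName / Email claim names from this guide, and flags names that differ only by case or carry a namespace URI prefix. check_response and build_sample are hypothetical helper names, the sample response is constructed, and the check does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://vosaic.com/Saml2"       # Identifier (Entity ID) from this guide
ACS_URL = "https://vosaic.com/Saml2/Acs"        # Reply URL (ACS URL) from this guide
REQUIRED = ("FirstName", "LastName", "Email")   # claim names from this guide

def check_response(b64_response):
    """Diagnose a captured SAMLResponse. Does NOT verify the signature."""
    raw = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD in SAML message; refusing to parse")
    root = ET.fromstring(raw)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    if SP_ENTITY_ID not in [a.text for a in root.iterfind(".//a:Audience", NS)]:
        problems.append("Audience does not contain the Vosaic Entity ID")
    name_id = root.findtext(".//a:Subject/a:NameID", default="", namespaces=NS)
    if "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not email-style")
    attrs = {a.get("Name"): [v.text or "" for v in a.iterfind("a:AttributeValue", NS)]
             for a in root.iterfind(".//a:AttributeStatement/a:Attribute", NS)}
    for name in REQUIRED:
        if name in attrs:
            if not any(v.strip() for v in attrs[name]):
                problems.append(f"{name} is present but empty")
            continue
        # Same name with different case or a namespace URI prefix is not a match.
        near = [n for n in attrs if n.rsplit("/", 1)[-1].lower() == name.lower()]
        problems.append(f"{name} missing" + (f"; found {near[0]!r} instead" if near else ""))
    return problems

def build_sample(attrs):
    """Constructed, unsigned sample response (not real Entra output)."""
    items = "".join(f'<Attribute Name="{n}"><AttributeValue>{v}</AttributeValue></Attribute>'
                    for n, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["p"]}" xmlns="{NS["a"]}" Destination="{ACS_URL}">'
           f'<Assertion><Subject><NameID>pat@example.com</NameID></Subject><Conditions>'
           f'<AudienceRestriction><Audience>{SP_ENTITY_ID}</Audience></AudienceRestriction>'
           f'</Conditions><AttributeStatement>{items}</AttributeStatement></Assertion>'
           f'</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_response(build_sample({"FirstName": "Pat", "lastname": "Lee"})))
```

An empty list means the response carries what Vosaic expects; each string otherwise names one mismatch to fix in Attributes & Claims or Basic SAML Configuration.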