Azure AD / Entra ID

Setting up SAML 2.0 SSO with Azure AD / Microsoft Entra ID as the identity provider (IdP) for Currents

Enabling SSO affects every user in your organization: once SSO is enabled, users can no longer sign in to Currents with any other authentication method.

Supported Features

  • SP-initiated SSO (Single Sign-On)

  • Just-In-Time provisioning

Important: Azure AD Default Behavior


Setup Steps

Step 1: Create Enterprise Application

  1. Navigate to Microsoft Entra ID (formerly Azure Active Directory)

  2. Go to Enterprise applications > New application

  3. Click Create your own application

  4. Enter a name (e.g., "Currents") and select Integrate any other application you don't find in the gallery (Non-gallery)

  5. Click Create

Step 2: Configure SAML Single Sign-On

  1. In your new application, go to Single sign-on in the left menu

  2. Select SAML as the single sign-on method

  3. In the Basic SAML Configuration section, click Edit and set the following values exactly as shown:

Setting                  Value
Identifier (Entity ID)   urn:amazon:cognito:sp:us-east-1_Z9TVEnj0k
Reply URL (ACS URL)      https://auth.currents.dev/saml2/idpresponse

  4. Click Save

Step 3: Configure User Attributes and Claims

This is the most critical step. You must configure the claims so that the user's email address, lowercased, is sent both as the NameID and as the identifier attribute.

  1. In the Attributes & Claims section, click Edit

Configure NameID

  1. Click on the Unique User Identifier (Name ID) claim

  2. Set the following:

    • Source: Attribute

    • Source attribute: user.mail

    • Name identifier format: Persistent

  3. Expand Manage transformation and add a transformation:

    • Transformation: ToLowercase()

  4. Click Save

Add Required Claims

Add the following claims by clicking Add new claim for each (the name claim needs no transformation):

Claim Name     Namespace                                               Source Attribute   Transformation
emailaddress   http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.mail          ToLowercase()
identifier     http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.mail          ToLowercase()
name           http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.displayname   (none)

The ToLowercase() transformation is essential. Without it, the assertion carries the email in whatever case the directory stores it, and users whose email addresses contain uppercase characters will encounter authentication errors.
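The quickest way to confirm the claims above are emitted correctly is to inspect an actual SAML Response during the test sign-in (Step 7), for example with a browser SAML tracer extension, and check its NameID and attributes. The script below is an added example written for this page, not code from Currents or Microsoft. It assumes you have the decoded SAML Response XML as a string; the two sample responses it ships with are constructed and unsigned, so it checks claim shape and content only and deliberately does not validate signatures, audience or timestamps.

```python
"""Check the claims in a SAML Response against the NameID/claim shape Currents expects.

Added example, not part of the Currents documentation or product. Feed it the
SAML Response XML captured in the browser during the test sign-in (after
base64-decoding the SAMLResponse form field). It verifies that NameID is a
persistent, lowercase value, that the emailaddress and identifier claims carry
that same lowercase email, and that a name claim is present. Signature,
audience and validity-window checks are out of scope here; the sample
responses below are constructed and unsigned.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def check_claims(saml_response_xml: str) -> List[str]:
    """Return a list of problems; an empty list means the claims match the expected shape."""
    problems: List[str] = []
    root = ET.fromstring(saml_response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion in the Response"]

    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    if not name_id:
        problems.append("NameID missing")
    else:
        if name_id_el.get("Format") != PERSISTENT:
            problems.append(f"NameID Format is {name_id_el.get('Format')!r}, expected persistent")
        if name_id != name_id.lower():
            problems.append(f"NameID {name_id!r} is not lowercase (ToLowercase() missing?)")

    # Attribute values keyed by the full claim name (namespace + "/" + claim name).
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)
        ]

    for short in ("emailaddress", "identifier"):
        values = [v for v in attrs.get(f"{CLAIMS_NS}/{short}", []) if v]
        if not values:
            problems.append(f"{short} claim missing")
            continue
        value = values[0]
        if value != value.lower():
            problems.append(f"{short} claim {value!r} is not lowercase")
        if name_id and value != name_id:
            problems.append(f"{short} claim {value!r} does not match NameID {name_id!r}")

    if not any(attrs.get(f"{CLAIMS_NS}/name", [])):
        problems.append("name claim missing")
    return problems


def sample_response(name_id: str, email: str, identifier: Optional[str]) -> str:
    """Constructed, unsigned SAML Response used only to exercise check_claims()."""
    identifier_attr = (
        f'<saml:Attribute Name="{CLAIMS_NS}/identifier">'
        f"<saml:AttributeValue>{identifier}</saml:AttributeValue></saml:Attribute>"
        if identifier is not None else ""
    )
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="https://auth.currents.dev/saml2/idpresponse">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID Format="{PERSISTENT}">{name_id}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS_NS}/emailaddress"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
      {identifier_attr}
      <saml:Attribute Name="{CLAIMS_NS}/name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed samples: correct configuration, ToLowercase() forgotten, identifier claim never added.
GOOD = sample_response("jane.doe@example.com", "jane.doe@example.com", "jane.doe@example.com")
MIXED_CASE = sample_response("Jane.Doe@Example.com", "Jane.Doe@Example.com", "Jane.Doe@Example.com")
NO_IDENTIFIER = sample_response("jane.doe@example.com", "jane.doe@example.com", None)

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD), ("mixed case", MIXED_CASE), ("no identifier", NO_IDENTIFIER)):
        print(f"{label}: {check_claims(xml_text) or 'OK'}")
```

A clean assertion yields an empty problem list; the mixed-case sample reports NameID, emailaddress and identifier as not lowercase, which is exactly the symptom of a missing ToLowercase() transformation, and the third sample shows what a forgotten identifier claim looks like. When parsing assertions from sources you do not control, prefer a hardened parser such as defusedxml over the standard library one.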

Step 4: Download Federation Metadata

  1. In the SAML Certificates section, locate Federation Metadata XML

  2. Click Download to save the metadata file

  3. Open the downloaded XML file and verify it contains both HTTP-POST and HTTP-Redirect bindings:

<SingleSignOnService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    Location="https://login.microsoftonline.com/..." />
<SingleSignOnService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
    Location="https://login.microsoftonline.com/..." />
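Rather than eyeballing the XML, you can run a small check over the downloaded file before sending it on. The script below is an added example for this page, not a Currents or Microsoft tool. It assumes the file is standard SAML 2.0 IdP metadata with an md:EntityDescriptor root; it confirms an entityID is present, that SingleSignOnService endpoints exist for both the HTTP-POST and HTTP-Redirect bindings, and that at least one signing certificate is included, returning that certificate's SHA-256 fingerprint so you can record which certificate you handed to Currents support. The sample metadata it ships with is constructed: the tenant ID is all zeros and the certificate is a placeholder string, not a real X.509 certificate.

```python
"""Check a downloaded Federation Metadata XML before sharing it with Currents.

Added example, not from the Currents documentation or product. Verifies the
file declares an entityID, exposes SingleSignOnService endpoints with both the
HTTP-POST and HTTP-Redirect bindings, and carries at least one signing
certificate (whose SHA-256 fingerprint is returned for your records).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
REQUIRED_BINDINGS = {POST, REDIRECT}


def inspect_metadata(xml_text: str) -> dict:
    """Parse IdP metadata and report endpoints, missing bindings and signing cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor root, got {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this is not IdP metadata")

    sso = {svc.get("Binding"): svc.get("Location") for svc in idp.findall("md:SingleSignOnService", NS)}
    missing = sorted(REQUIRED_BINDINGS - set(sso))

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())

    entity_id = root.get("entityID")
    return {
        "entity_id": entity_id,
        "sso_endpoints": sso,
        "missing_bindings": missing,
        "signing_cert_sha256": fingerprints,
        "ok": not missing and bool(fingerprints) and bool(entity_id),
    }


def sample_metadata(bindings: Dict[str, str]) -> str:
    """Constructed IdP metadata: placeholder tenant ID, placeholder (non-X.509) certificate."""
    tenant = "00000000-0000-0000-0000-000000000000"
    fake_cert = base64.b64encode(b"placeholder bytes, not an X.509 certificate").decode()
    services = "\n".join(
        f'    <SingleSignOnService Binding="{b}" Location="{loc}"/>' for b, loc in bindings.items()
    )
    return f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://sts.windows.net/{tenant}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{fake_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
{services}
  </IDPSSODescriptor>
</EntityDescriptor>"""


# Constructed login URL (placeholder tenant ID); real metadata carries your tenant's URL.
LOGIN = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
COMPLETE = sample_metadata({POST: LOGIN, REDIRECT: LOGIN})
POST_ONLY = sample_metadata({POST: LOGIN})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else COMPLETE
    report = inspect_metadata(text)
    print(report)
    if not report["ok"]:
        print("metadata incomplete; do not send this file", file=sys.stderr)
```

Run it with the path to the downloaded file as the only argument; with no argument it runs against the constructed sample. A non-empty missing_bindings list means the file does not match what this step asks you to verify.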

Step 5: Share Configuration with Currents

Contact Currents support ([email protected] or via in-app chat) and provide:

  • The downloaded Federation Metadata XML file

  • List of email domains your organization uses (e.g., @example.com, @example.org)

Currents support will configure your SSO integration and notify you when it's ready.

Step 6: Assign Users

  1. In your Enterprise application, go to Users and groups

  2. Click Add user/group

  3. Select the users or groups who should have access to Currents

  4. Click Assign

Step 7: Test the Integration

Once Currents support confirms the integration is active:

  1. On the Currents sign-in page, enter your email address and click Continue

  2. You will be redirected to Microsoft's login page

  3. After authenticating with Microsoft, you should be redirected back to the Currents dashboard

If you encounter errors, see Troubleshooting SSO.
