# Azure AD / Entra ID
{% hint style="info" %}
Enabling SSO will affect all users of your organization, users would not be able to sign in to Currents using a different authorization method when SSO is enabled.
{% endhint %}
### Supported Features
* SP-initiated SSO (Single Sign-On)
* Just-In-Time provisioning
### Setup Steps
{% stepper %}
{% step %}
**Create Enterprise Application**
1. Sign in to the [Azure Portal](https://portal.azure.com)
2. Navigate to **Microsoft Entra ID** (formerly Azure Active Directory)
3. Go to **Enterprise applications** > **New application**
4. Click **Create your own application**
5. Enter a name (e.g., "Currents") and select **Integrate any other application you don't find in the gallery (Non-gallery)**
6. Click **Create**
{% endstep %}
{% step %}
**Configure SAML Single Sign-On**
1. In your new application, go to **Single sign-on** in the left menu
2. Select **SAML** as the single sign-on method
3. In the **Basic SAML Configuration** section, click **Edit** and set:
| Setting | Value |
| ---------------------- | --------------------------------------------- |
| Identifier (Entity ID) | `urn:amazon:cognito:sp:us-east-1_Z9TVEnj0k` |
| Reply URL (ACS URL) | `https://auth.currents.dev/saml2/idpresponse` |
4. Click **Save**
{% endstep %}
{% step %}
**Configure User Attributes and Claims**
{% hint style="warning" %}
You **must** configure claim transformations as described below to ensure correct operation.
Azure AD may send email addresses with mixed-case characters which is not supported by Currents Authentication provider.
Currents requires Unique User Identifier (Name ID) `NameID` to be the user's email address in lowercase.
{% endhint %}
**Unique User Identifier (Name ID)**
Configure Entra to send the user's lowercase email as `NameID` attribute.
1. In the **Attributes & Claims** section, click **Edit**
2. Open the **Unique User Identifier (Name ID)** claim
1. claim name `nameidentifier`;
2. namespace `http://schemas.xmlsoap.org/ws/2005/05/identity/claims`
3. Under **Choose name identifier format**, set **Name identifier format** to **Persistent**.
4. Under **Source**, select **Transformation** (not Attribute).
5. Set **Transformation** to **ToLowercase** with input **`user.mail`** — the portal displays this as **ToLowercase (user.mail)**.
6. Click **Save**
**Additional claims**
Under **Attributes & Claims**, in **Additional claims**, click **Add new claim** for each row below. Use **SAML** as the claim type where the portal asks for it.
| Claim Name | Value |
| -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | Transformation **ToLowercase** with source `user.mail` (shown as `ToLowercase (user.mail)`). |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` | `user.displayname` |
| | |
{% hint style="info" %}
Use the **ToLowercase** transformation for email values so mixed-case addresses from Azure AD match Currents accounts.
{% endhint %}
Microsoft Entra Attributes Mapping Example
{% endstep %}
{% step %}
**Download Federation Metadata**
1. In the **SAML Certificates** section, locate **Federation Metadata XML**
2. Click **Download** to save the metadata file
3. Open the downloaded XML file and verify it contains both `HTTP-POST` and `HTTP-Redirect` bindings:
```xml
```
{% endstep %}
{% step %}
**Share Configuration with Currents**
Contact Currents support ( or via in-app chat) and provide:
* The downloaded Federation Metadata XML file
* List of email domains your organization uses (e.g., `@example.com`, `@example.org`)
Currents support will configure your SSO integration and notify you when it's ready.
{% endstep %}
{% step %}
**Assign Users**
1. In your Enterprise application, go to **Users and groups**
2. Click **Add user/group**
3. Select the users or groups who should have access to Currents
4. Click **Assign**
{% endstep %}
{% step %}
**Test the Integration**
Once Currents support confirms the integration is active:
1. Navigate to
2. Enter your email address and click **Continue**
3. You will be redirected to Microsoft's login page
4. After authenticating, you should be redirected back to the Currents dashboard
If you encounter errors, see [Troubleshooting SSO](/dashboard/administration/sso-saml2.0/troubleshooting-sso.md).
{% endstep %}
{% endstepper %}
### Reference
For more details on SAML attribute configuration, see:
* [SAML2.0 Configuration](/dashboard/administration/sso-saml2.0/saml2.0-configuration.md) — full SAML configuration reference
* [Microsoft Entra SAML Claims Customization](https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization) — official Microsoft documentation on claim transformations
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.currents.dev/dashboard/administration/sso-saml2.0/azure-ad.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.