Microsoft Entra ID SSO
This guide walks you through setting up SAML Single Sign-On between Microsoft Entra ID (formerly Azure Active Directory) and Probo.
Prerequisites
- Microsoft Entra ID administrator access (or Application Administrator role)
- Probo organization administrator access
- Your Probo domain (e.g., probo.example.com)
- Access to your DNS settings for domain verification
Prepare Probo Information
Before configuring Microsoft Entra ID, gather these Probo service provider details:
| Field | Value |
|---|---|
| ACS URL | https://your-probo-domain.com/api/connect/v1/saml/2.0/consume |
| Entity ID | https://your-probo-domain.com/api/connect/v1/saml/2.0/metadata |
Replace your-probo-domain.com with your actual Probo domain.
Domain Verification
Before configuring anything else, you must verify domain ownership:
- Log in to Probo as an organization administrator
- Go to Organization Settings → Authentication → SAML
- Click Verify Domain (if no configurations exist yet, this option will be available)
- Copy the provided TXT record value
- Add a TXT record to your domain’s DNS settings:
    Type: TXT
    Name: _probo-domain-verification.your-company.com
    Value: [Verification token from Probo]
    TTL: 300 (or your DNS provider's default)
- Wait for DNS propagation (usually 5-15 minutes)
- In Probo, click Complete Verification
- If successful, the domain status will show as “Verified”
Configure Microsoft Entra ID
- Sign in to the Microsoft Entra admin center
- Go to Identity → Applications → Enterprise applications
- Click New application → Create your own application
- Enter Probo as the application name
- Select Integrate any other application you don’t find in the gallery (Non-gallery)
- Click Create
- In the application overview, go to Single sign-on → select SAML
- In Basic SAML Configuration, click Edit and configure:

  | Field | Value |
  |---|---|
  | Identifier (Entity ID) | https://your-probo-domain.com/api/connect/v1/saml/2.0/metadata |
  | Reply URL (Assertion Consumer Service URL) | https://your-probo-domain.com/api/connect/v1/saml/2.0/consume |
  | Relay State | [SAML Configuration ID] (optional - see note below) |
  | Sign on URL | https://your-probo-domain.com (optional) |

  Important: The Relay State is optional, but if you want to support IdP-initiated login flows, it MUST be set to your exact SAML configuration ID (not a placeholder). If set incorrectly, SSO will not work. You’ll get this ID after creating the SAML configuration in Probo. You can initially leave this empty and update it later with the exact configuration ID.
- Click Save
- In Attributes & Claims, click Edit and configure the following claims:

  | Claim name | Source attribute |
  |---|---|
  | email | user.mail |
  | firstName | user.givenname |
  | lastName | user.surname |

  To add each claim:
  - Click Add new claim
  - Enter the claim name (e.g., email)
  - Set Source to Attribute
  - Select the corresponding Source attribute
  - Click Save

  Also verify that the Unique User Identifier (Name ID) is set to user.userprincipalname or user.mail with the format Email address.
- In SAML Certificates, download the Certificate (Base64) and copy:
  - Login URL (this is the IdP SSO URL)
  - Microsoft Entra Identifier (this is the IdP Entity ID)
- Go to Users and groups
- Click Add user/group
- Select users or groups that should have access to Probo
- Click Assign
Configure Probo
- Log in to Probo as an organization administrator
- Go to Organization Settings → Authentication → SAML
- Click Add SAML Configuration
- Configure the basic settings:

  | Field | Value | Notes |
  |---|---|---|
  | Email Domain | your-company.com | Your organization’s email domain |
  | Enforcement Policy | OPTIONAL | Recommended for initial setup |

- Configure the Identity Provider settings with values from Microsoft Entra ID:

  | Field | Value | Notes |
  |---|---|---|
  | IdP Entity ID | [Microsoft Entra Identifier] | Copy from Entra ID setup |
  | IdP SSO URL | [Login URL] | Copy from Entra ID setup |
  | IdP Certificate | [Certificate (Base64)] | Paste the downloaded certificate content |

- Configure the attribute mappings:

  | Field | Value | Notes |
  |---|---|---|
  | Email Attribute | email | Maps to user email |
  | First Name Attribute | firstName | Maps to user first name |
  | Last Name Attribute | lastName | Maps to user last name |
  | Role Attribute | [Leave empty] | Unless you’ve configured custom claims |

- Configure user settings:

  | Field | Value | Notes |
  |---|---|---|
  | Auto Signup | Enabled | Allows new users to sign up automatically via SSO |

- Click Save Configuration
- Copy the SAML Configuration ID that appears after saving (e.g., saml_config_1a2b3c4d)
Update Entra ID Relay State
Return to Microsoft Entra ID to enable IdP-initiated login:
- Go to your Probo enterprise application in the Entra admin center
- Click Single sign-on → Edit Basic SAML Configuration
- In the Relay State field, enter your SAML configuration ID
- Click Save
Troubleshooting
“AADSTS75005: The request is not a valid Saml2 protocol message” Error
- Cause: Incorrect Reply URL or Entity ID configuration
- Solution: Verify that the Reply URL and Entity ID in Entra ID exactly match your Probo configuration:
  - Reply URL: https://your-probo-domain.com/api/connect/v1/saml/2.0/consume
  - Entity ID: https://your-probo-domain.com/api/connect/v1/saml/2.0/metadata
“AADSTS50105: User not assigned to application” Error
- Cause: User has not been assigned to the Probo enterprise application
- Solution: Go to the enterprise application → Users and groups → assign the user or a group containing the user
“AADSTS700016: Application not found” Error
- Cause: Incorrect Entity ID in Probo or application not properly configured
- Solution: Verify the Microsoft Entra Identifier matches the IdP Entity ID configured in Probo
Attributes Not Mapping
- Cause: Claims not configured correctly in Entra ID
- Solution: Verify that custom claims are configured with exact names: email, firstName, lastName. Check under Single sign-on → Attributes & Claims
“Invalid RelayState” Error
- Cause: Incorrect Relay State configuration
- Solution: Ensure Relay State is either empty or set to the exact SAML configuration ID from Probo
Debugging Steps
Check Entra ID Sign-in Logs
- Go to the Entra admin center → Identity → Monitoring & health → Sign-in logs
- Filter by the Probo application
- Click on a failed sign-in attempt to view error details and troubleshooting recommendations
Test SAML Response
- In the Probo enterprise application, go to Single sign-on
- Click Test this application
- Review the SAML response for errors
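
To make the review repeatable, the following added example (not part of Probo or Microsoft tooling) lints a captured SAML response against the values this guide configures: Reply URL, Entity ID, IdP Entity ID, Name ID format and the three claim names. It assumes an unencrypted assertion taken from the base64 SAMLResponse form field; the function names, the placeholder tenant ID and both sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLAIMS = ("email", "firstName", "lastName")  # exact claim names from this guide
WS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # Entra default claim namespace
IDP = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant
SP = "https://probo.example.com/api/connect/v1/saml/2.0"  # example Probo domain

def lint_saml_response(b64_response, probo_domain, idp_entity_id):
    """List configuration mismatches. Diagnostic only: no signature or time checks."""
    base = f"https://{probo_domain}/api/connect/v1/saml/2.0"
    root = ET.fromstring(base64.b64decode(b64_response))
    def text(path):
        return root.findtext(path, default="", namespaces=NS).strip()
    problems = []
    if root.get("Destination") != f"{base}/consume":
        problems.append("Destination does not match the Reply URL (ACS URL)")
    if text("a:Assertion/a:Issuer") != idp_entity_id:
        problems.append("Issuer does not match the IdP Entity ID")
    if text("a:Assertion/a:Conditions/a:AudienceRestriction/a:Audience") != f"{base}/metadata":
        problems.append("Audience does not match the Identifier (Entity ID)")
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("Name ID format is not Email address")
    seen = {a.get("Name") for a in root.iterfind(".//a:AttributeStatement/a:Attribute", NS)}
    problems += [f"claim '{c}' missing" for c in CLAIMS if c not in seen]
    return problems

def constructed_response(claim_names, reply_url):
    attrs = "".join(f'<a:Attribute Name="{n}"><a:AttributeValue>x</a:AttributeValue>'
                    '</a:Attribute>' for n in claim_names)
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{reply_url}">'
           f'<a:Assertion><a:Issuer>{IDP}</a:Issuer><a:Subject>'
           f'<a:NameID Format="{EMAIL_FMT}">user@your-company.com</a:NameID></a:Subject>'
           f'<a:Conditions><a:AudienceRestriction><a:Audience>{SP}/metadata</a:Audience>'
           '</a:AudienceRestriction></a:Conditions>'
           f'<a:AttributeStatement>{attrs}</a:AttributeStatement></a:Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()

# Constructed samples. BAD: default namespaced claims, Reply URL missing its path.
GOOD = constructed_response(CLAIMS, f"{SP}/consume")
BAD = constructed_response([WS + "emailaddress", WS + "givenname", WS + "surname"],
                           "https://probo.example.com")

if __name__ == "__main__":
    print(lint_saml_response(BAD, "probo.example.com", IDP))
```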
Advanced Configuration
Custom Claims
To map additional Entra ID user attributes:
- In the enterprise application, go to Single sign-on → Attributes & Claims
- Click Add new claim
- Map additional directory attributes as needed
- Update the corresponding attribute mappings in Probo
Conditional Access
Control access using Microsoft Entra ID Conditional Access policies:
- Go to Identity → Protection → Conditional Access
- Create a new policy targeting the Probo application
- Configure conditions (location, device, risk level, etc.)
- Set appropriate access controls (grant, block, require MFA)
Group-Based Access
Restrict access using Entra ID groups:
- In the enterprise application, go to Users and groups
- Assign groups instead of individual users
- Manage access by adding/removing users from the assigned groups
For detailed troubleshooting and advanced configuration options, see the SSO Overview guide.