Configure Single Sign-on (SSO) with Entra ID
Written by Joel Bradley
Updated this week

Admin privileges required

Applies to: Basic, Business

Enterprise users can access their documentation here. Find your plan.


Overview

You can configure your Stack Overflow for Teams site to use Entra ID SAML 2.0 for single sign-on (SSO) authentication. Follow the steps below to configure SAML 2.0 authentication with Entra ID Enterprise.

NOTE: Before October 2023, Entra ID was called Azure Active Directory (Azure AD).

Configuring SSO with Entra ID requires multiple steps in both Entra ID and Stack Overflow for Teams. We recommend having both sites open in separate browser tabs or windows.

Create a new Entra ID application

To configure Entra ID authentication, log into your Microsoft Entra ID account. From your Entra ID portal, go to Entra ID and click Enterprise applications in the left-hand menu. If you can't find the Entra ID menu, look under More Services and search for "Entra ID".

  1. Click + New application at the top of the screen. The Entra ID Gallery will appear.

  2. Click Create your own application at the top of the screen.

  3. Enter a name for your app, such as "Stack Overflow for Teams".

  4. Select Integrate any other application... (Non-gallery).

  5. Click Create.

Configure SAML 2.0 URLs

With a new Entra ID application created, you'll now set up single sign-on (SAML 2.0).

  1. Click Single sign-on in the left-hand menu.

  2. Select SAML.

  3. In the Basic SAML Configuration box, click Edit.

  4. Add the following URLs:

Identifier (Entity ID)

Must be unique per application. We recommend you set this field to "StackOverflowTeams". Later, you'll enter this value into your Stack Overflow Teams auth settings as Issuer and Audience Restriction. Be sure the Entity ID checkbox for Default is checked.

Reply URL

You'll copy this value from your Stack Overflow for Teams authentication settings.

  1. On your Stack Overflow for Teams site, click Admin settings in the left-hand menu.

  2. Click Authentication under the "ACCESS MANAGEMENT" heading.

  3. Select Single sign-in (SSO).

  4. Select and copy the Assertion Consumer Service URL value.

  5. In Entra ID, paste the Assertion Consumer Service URL value into the Reply URL (Assertion Consumer Service URL) field.

  6. Leave the rest of the optional fields blank and click Save.

Configure Attributes

When you create a new application, Entra ID will include the emailaddress (user.mail) claim.

Optional claims

You can also add the following optional claims:

  • Job Title

  • Department

When configured and included in the SAML response, Stack Overflow for Teams automatically updates these user data fields on login.

To configure additional claims, go to the Attributes & Claims box. Click Edit, then Add new claim.

To have Stack Overflow for Teams automatically update user department and job title info on login, add the following claims.

    Claim Name      Source Attribute
    department      user.department
    jobtitle        user.jobtitle

For example, here are the Manage claim settings for the optional department claim:

After you create the new claims, you'll enter the claim names into the Stack Overflow for Teams authentication settings as follows:

Download SAML certificate and copy the login URL

  1. In Entra ID, download the Certificate (Base64) and save it on your computer. You'll use this later when setting up the Stack Overflow for Teams authentication settings.

  2. Copy the Login URL from Entra ID setup step 4. You'll paste this as the Single Sign-On Service URL value in your Stack Overflow for Teams authentication settings.

Set up users and/or groups

In Entra ID, you'll need to add users and/or groups. To do this, click Users and groups in the left-hand menu, then Add user/group.

Identify and add the users and/or user groups that should have login privileges to your Stack Overflow for Teams site.

NOTE: Only those users you identify in Entra ID will be able to log in to your Stack Overflow for Teams site with SSO.

Finalize authentication settings on Stack Overflow for Teams

At this point, you may have already transferred some values between your new Entra ID application and your Stack Overflow for Teams authentication settings. Now you'll finalize all settings in Stack Overflow for Teams.

  1. At Admin settings -> Authentication, fill in the following values from Entra ID.

    Single Sign-On Service Url
    Enter the Login URL of your Entra ID application.

    Single Sign-On Service Protocol Binding
    Do not change (leave as POST).

    Issuer and Audience Restriction
    Enter the Identifier (Entity ID) you specified above.

    Display Name Assertion
    The default Entra ID given name assertion is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname. You can confirm this value on your Entra ID attributes list.

    Email Address Assertion
    The default Entra ID email assertion is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. You can confirm this value on your Entra ID attributes list.

    Below is an example of typical Entra ID SSO authentication settings in Stack Overflow for Teams.

  2. Scroll down the page to the Identity Provider Certificates box.

  3. Open the certificate file you downloaded from your Entra ID app in a text editor.

  4. Copy and paste the contents of that file into the Identity Provider Certificates box. Be sure to include "-----BEGIN CERTIFICATE-----", the certificate itself, and "-----END CERTIFICATE-----".

  5. Click Validate certificate to make sure the certificate is valid.

  6. Click Authenticate and enable SSO. This will test your authentication settings and enable SSO if the connection is successful.
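If the authentication test fails, a decoded SAML assertion can be compared against the values entered above. The following is an added example, not Stack Overflow or Microsoft code: it uses a constructed sample assertion, assumes the optional claims are sent under the bare names department and jobtitle, and checks configuration only (it does not verify the XML signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EXPECTED_AUDIENCE = "StackOverflowTeams"  # Identifier (Entity ID) recommended on this page
REQUIRED = [CLAIMS + "givenname", CLAIMS + "emailaddress"]
OPTIONAL = ["department", "jobtitle"]  # assumption: claims added without a namespace

# Constructed sample assertion (not captured from a real tenant).
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>constructed-user-id</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>StackOverflowTeams</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}emailaddress">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Security</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, audience=EXPECTED_AUDIENCE):
    """Return a list of configuration problems; an empty list means the settings line up."""
    root = ET.fromstring(xml_text)
    problems = []
    # Audience must equal the Issuer and Audience Restriction value.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"audience {audiences} does not include {audience!r}")
    # Subject/NameID is the default user identifier.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no Subject/NameID in assertion")
    # Attribute names must match the Display Name and Email Address assertion settings.
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED:
        if name not in names:
            problems.append(f"missing attribute {name}")
    for name in OPTIONAL:
        if name not in names:
            problems.append(f"optional claim {name} not sent")
    return problems
```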

Automate the renewal of certificates (optional)

You can set up a Federation Metadata URL to automate the renewal of the Identity Provider Certificates. If you don't use the automation, an admin will have to update the certificate every year or users will be unable to access the Team.

To set up automatic certificate renewal:

  1. Copy the Federation Metadata URL from the Entra ID SAML Certificates page.

  2. In your Stack Overflow for Teams authentication settings, check the Automatically update certificates periodically checkbox.

  3. Paste the Federation Metadata URL from Entra ID into the field that appears.

  4. Click Save.
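Before relying on automatic updates, you can confirm that the certificate pasted into the Identity Provider Certificates box is one of the signing certificates published in the federation metadata. This is an added example, not Stack Overflow or Microsoft code; the sample metadata and certificate bytes are constructed placeholders, and the metadata document is assumed to have been saved from the Federation Metadata URL beforehand.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SIGNING_CERTS = ("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                 "/ds:KeyInfo/ds:X509Data/ds:X509Certificate")

# Constructed placeholder bytes standing in for a DER certificate.
SAMPLE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sha256_of_b64(b64_text):
    """SHA-256 hex digest of the decoded bytes, ignoring line breaks in the base64."""
    der = base64.b64decode("".join(b64_text.split()))
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem):
    """Fingerprint of a Certificate (Base64) file, BEGIN/END lines excluded."""
    body = [line for line in pem.strip().splitlines() if not line.startswith("-----")]
    return sha256_of_b64("".join(body))


def metadata_fingerprints(metadata_xml):
    """Fingerprints of every IdP signing certificate listed in the metadata."""
    root = ET.fromstring(metadata_xml)
    return {sha256_of_b64(c.text) for c in root.iterfind(SIGNING_CERTS, NS)}


def pasted_cert_is_published(pem, metadata_xml):
    """True when the pasted certificate matches a signing certificate in the metadata."""
    return pem_fingerprint(pem) in metadata_fingerprints(metadata_xml)
```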

Choose a different user identifier assertion (optional)

By default, your site will use the Subject/NameID assertion from Entra ID as the user identifier. We recommend this as the simplest approach, but it may not work for your configuration.

If you check the Don't use Subject/NameID as User Identifier checkbox, you can specify a different user identifier assertion. If you choose a different user identifier, make sure it's an unchanging, unique identifier that remains consistent across logins.


Need help? Submit an issue or question through our support portal.
