ADMIN PRIVILEGES REQUIRED
Enterprise users can access their documentation here. Find your plan.
Overview
These instructions describe how to integrate your Stack Overflow for Teams site with Microsoft's Entra ID as your Identity Provider (IdP) for authentication. Once configured, your users will be able to use Entra ID and the Security Assertion Markup Language (SAML) for Single Sign-on (SSO) authentication into your site. You can learn more about SAML in our SAML Authentication Overview document.
To configure Entra ID authentication, you'll need to first log into your Microsoft Entra ID account. From your Entra ID portal, go to Entra ID and click Enterprise applications in the left-hand menu.
NOTE: If you can't find the Entra ID button under the "Azure services" heading, click More services and search for "Entra ID".
Configuring SSO with Entra ID requires multiple steps in both Entra ID and Stack Overflow for Teams. We recommend having both sites open in separate browser tabs or windows.
THIS ARTICLE APPLIES TO STACK OVERFLOW FOR TEAMS BASIC AND BUSINESS ONLY.
Stack Overflow for Teams Enterprise users should read this article instead. Find your plan.
Create a new Entra ID application
To configure Entra ID authentication, log into your Microsoft Entra ID account. From your Entra ID portal, go to Entra ID and click Enterprise applications in the left-hand menu. If you can't find the Entra ID menu, click More services and search for "Entra ID".
Click + New application at the top of the screen. The Entra ID Gallery will appear.
Click Create your own application at the top of the screen.
Enter a name for your app, such as "Stack Overflow for Teams".
Select Integrate any other application... (Non-gallery).
Click Create.
Configure SAML 2.0 URLs
With a new Entra ID application created, you'll now set up single sign-on (SAML 2.0).
Click Single sign-on in the left-hand menu.
Select SAML.
In the Basic SAML Configuration box, click Edit.
Add the following URLs:
Identifier (Entity ID)
Must be unique per application. We recommend you set this field to "StackOverflowTeams". Later, you'll enter this value into your Stack Overflow Teams auth settings as Issuer and Audience Restriction. Be sure the Entity ID checkbox for Default is checked.
Reply URL
You'll copy this value from your Stack Overflow for Teams authentication settings.
On your Stack Overflow for Teams site, click Admin settings in the left-hand menu.
Click Authentication under the "ACCESS MANAGEMENT" heading.
Select Single sign-in (SSO).
Select and copy the Assertion Consumer Service URL value.
In Entra ID, paste the Assertion Consumer Service URL value into the Reply URL (Assertion Consumer Service URL) field.
Leave the rest of the optional fields blank and click Save.
Configure Attributes
When you create a new application, Entra ID will include the emailaddress (user.mail) claim.
Optional claims
You can also add the following optional claims:
Job Title
Department
When configured and included in the SAML response, Stack Overflow for Teams automatically updates these user data fields on login.
To configure additional claims, go to the Attributes & Claims box. Click Edit, then Add new claim.
To have Stack Overflow for Teams automatically update user department and job title info on login, add the following claims.
Claim Name | Source Attribute |
department | user.department |
jobtitle | user.jobtitle |
For example, here are the Manage claim settings for the optional department claim:
After you create the new claims, you'll enter the claim names into the Stack Overflow for Teams authentication settings as follows:
Download SAML certificate and copy the login URL
In Entra ID, download the Certificate (Base64) and save it on your computer. You'll use this later when setting up the Stack Overflow for Teams authentication settings.
Copy the Login URL from Entra ID setup step 4. You'll paste this as the Single Sign-On Service URL value in your Stack Overflow for Teams authentication settings.
Set up users and/or groups
In Entra ID, you'll need to add users and/or groups. To do this, click Users and groups in the left-hand menu, then Add user/group.
Identify and add the users and/or user groups that should have login privileges to your Stack Overflow for Teams site.
NOTE: Only those users you identify in Entra ID will be able to log in to your Stack Overflow for Teams site with SSO.
Finalize authentication settings on Stack Overflow for Teams
At this point, you may have already transferred some values between your new Entra ID application and your Stack Overflow for Teams authentication settings. Now you'll finalize all settings in Stack Overflow for Teams.
At Admin settings -> Authentication, fill in the following values from Entra ID.
Single Sign-On Service Url
Enter the Login URL of your Entra ID application.
Single Sign-On Service Protocol Binding
Do not change (leave as POST).
Issuer and Audience Restriction
Enter the Entity ID Identifier you specified above.
Display Name Assertion
The default Entra ID given name assertion is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname. You can confirm this value on your Entra ID attributes list.
Email Address Assertion
The default Entra ID email assertion is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. You can confirm this value on your Entra ID attributes list.
Below is an example of typical Entra ID SSO authentication settings in Stack Overflow for Teams.
Scroll down the page to the Identity Provider Certificates box.
Open the certificate file you downloaded from your Entra ID app in a text editor.
Copy and paste the contents of that file into the Identity Provider Certificates box. Be sure to include "-----BEGIN CERTIFICATE-----", the certificate itself, and "-----END CERTIFICATE-----".
Click Validate certificate to make sure the certificate is valid.
Click Authenticate and enable SSO. This will test your authentication settings and enable SSO if the connection is successful.
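If the test login fails, a quick way to find a mismatch is to compare a captured SAMLResponse with the values entered above. The following is an added example, not code from Stack Overflow or Microsoft: it checks the Audience against the Entity ID, the Destination against the Assertion Consumer Service URL, the presence of Subject/NameID, and the claim names. The ACS URL, the bare `department` and `jobtitle` attribute names, and the sample response are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Values from this page; the ACS URL is a placeholder for the one your site shows.
EXPECTED = {
    "audience": "StackOverflowTeams",
    "acs_url": "https://teams.example.invalid/acs",
    "required": [CLAIMS + "emailaddress", CLAIMS + "givenname"],
    "optional": ["department", "jobtitle"],
}

def check_response(b64_response, expected=EXPECTED):
    """Return configuration mismatches; an empty list means the names line up.
    Compares names and values only and does NOT verify the XML signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination is not the Assertion Consumer Service URL")
    audiences = [e.text for e in root.iterfind(".//a:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append(f"Audience {audiences} lacks {expected['audience']}")
    if not root.findtext(".//a:Subject/a:NameID", "", NS).strip():
        problems.append("Subject/NameID is missing or empty")
    attrs = {a.get("Name"): a.findtext("a:AttributeValue", "", NS).strip()
             for a in root.iterfind(".//a:Attribute", NS)}
    for name in expected["required"]:
        if not attrs.get(name):
            problems.append(f"required claim missing or empty: {name}")
    for name in expected["optional"]:
        if name not in attrs:
            problems.append(f"optional claim not sent: {name}")
    return problems

def sample_response(audience="StackOverflowTeams", department=True):
    """Constructed, unsigned sample shaped like a SAML 2.0 response."""
    claims = [(CLAIMS + "emailaddress", "pat@example.invalid"),
              (CLAIMS + "givenname", "Pat"), ("jobtitle", "Engineer")]
    if department:
        claims.append(("department", "Security"))
    attr = '<Attribute Name="{}"><AttributeValue>{}</AttributeValue></Attribute>'
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
           f'Destination="{EXPECTED["acs_url"]}"><Assertion><Subject><NameID>'
           'constructed-id-0001</NameID></Subject><Conditions><AudienceRestriction>'
           f'<Audience>{audience}</Audience></AudienceRestriction></Conditions>'
           '<AttributeStatement>' + "".join(attr.format(n, v) for n, v in claims)
           + '</AttributeStatement></Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Run `check_response` only on a response captured from your own test login, and treat it as a configuration aid: signature and certificate validation remain the job of the Validate certificate and Authenticate and enable SSO steps.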
Automate the renewal of certificates (optional)
You can set up a Federation Metadata URL to automate the renewal of the Identity Provider Certificates. If you don't use the automation, an admin will have to update the certificate every year or users will be unable to access the Team.
To set up automatic certificate renewal:
Copy the Federation Metadata URL from the Entra ID SAML Certificates page.
In your Stack Overflow for Teams authentication settings, check the Automatically update certificates periodically checkbox.
Paste the Federation Metadata URL from Entra ID into the field that appears.
Click Save.
Choose a different user identifier assertion (optional)
By default, your site will use the Subject/NameID assertion from Entra ID as the user identifier. We recommend this as the simplest approach, but it may not work for your configuration.
If you check the Don't use Subject/NameID as User Identifier checkbox, you can specify a different user identifier assertion. If you choose a different user identifier, make sure it's an unchanging, unique identifier that remains consistent across logins.
Need help? Submit an issue or question through our support portal.