
# Azure-AD

Setting up Azure Active Directory is pretty straightforward, but it helps to know the exact steps to follow, as configuring SAML can be a bit daunting.

To add Exivity to your Azure AD applications, follow these steps:

* In your Azure portal, go to the Azure Active Directory service:

![azure-portal-aad](/files/-LHF0U2FnVfSqCvCQUGR)

* In the sidebar, click *Enterprise applications*:

![azure-ad-enterprise-applications](/files/-LHF0U2HcMgeTducX6Rr)

* Click the *New application* button:

![azure-ad-new-application](/files/-LHF0U2JfWa4Z-rDzGjZ)

* Click the *Non-gallery application* button:

![azure-ad-non-gallery-app](/files/-LHF0U2LU26A8xnGiR6s)

* Enter a name for the new application (e.g. *My Exivity instance*) and click the *Add* button.
* Click the *Configure single sign-on (required)* button:

![azure-ad-configure-sso](/files/-LHF0U2NzpjgJZCkjeuZ)

* From the *Single Sign-On Mode* dropdown list, select *SAML-based Sign-on*:

![azure-ad-sso-mode](/files/-LHF0U2Puef-cvlSESj6)

* Now enter the following details on this page:

| Azure AD setting           | Use value                                                                                                      |
| -------------------------- | -------------------------------------------------------------------------------------------------------------- |
| Identifier                 | Exivity *Entity ID / Metadata URL* endpoint (see *endpoints*)                                                  |
| Reply URL                  | Exivity *Assertion Consumer Service* endpoint (see *endpoints*)                                                |
| Show advanced URL settings | Checked                                                                                                        |
| Sign on URL                | Optional; you can enter the URL for the Exivity interface here.                                                |
| Relay State                | Leave empty                                                                                                    |
| User Identifier            | Select *user.mail*                                                                                             |

The resulting page could look something like this:

![azure-ad-sso-config](/files/-LHF0U2RJmd00dKqPk_0)

* Click the *Configure \[your application name]* button:

![azure-ad-configure-instance](/files/-LHF0U2T34Bc1cix5OOT)

* A new pane will open with instructions. Navigate to the Exivity SAML configuration (see *configuration*) and copy the following options from the pane in your Azure portal:

![azure-ad-instance-config](/files/-LHF0U2Vlw0iu2Zptpf9)

| Exivity SAML setting | Use value                                                                                                                                                                                                                                                                                     |
| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Entity ID            | *SAML Entity ID*                                                                                                                                                                                                                                                                              |
| SSO URL              | *SAML Single Sign-On Service URL*                                                                                                                                                                                                                                                             |
| SLO URL              | *Sign-Out URL*                                                                                                                                                                                                                                                                                |
| X-509 certificate    | Download the certificate by clicking the *SAML Signing Certificate - Base64 encoded* link. Open the `.cer` file with a text editor and remove the text `-----BEGIN CERTIFICATE-----`, `-----END CERTIFICATE-----` and all line breaks so you end up with a single-line base64 encoded string. |

The Exivity configuration page could look something like this:

![azure-ad-exivity-saml-settings](/files/-LHF0U2X2QfhtneEcNaJ)

* In Exivity, click the *Update* button.
* In your Azure Portal, click the *Save* button:

![azure-ad-sso-config-save](/files/-LHF0U2Zn7CT3E-9dSKi)

* As the last step, enable Single Sign-On in Exivity by navigating to *Administration* > *Configuration* and then clicking on the *System* tab. Make sure the *Single Sign-On* option is set to *Enabled*, and click the *Update* button:

![azure-ad-exivity-configuration](/files/-LHF0U2a-1m4rWCtNzX6)

SSO is now configured and enabled, and you can now use Azure AD to log in to your Exivity instance. The login screen will look something like this:

![exivity-login-sso](/files/-LHF0U2cVXgVSEJprLbl)

And by clicking on the *Login* button, you'll be taken to the Azure AD login screen. Exivity will receive the Azure AD e-mail address and create a new user with a minimal set of permissions if no existing user is found.
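
The *X-509 certificate* step in the Exivity SAML settings table above can be scripted instead of edited by hand. The following Python sketch is an added example, not part of the Exivity documentation or product: it strips the PEM armor and line breaks, rejects input that is not exactly one base64-encoded certificate, and returns the SHA-256 fingerprint of the decoded bytes so the pasted value can be compared with the fingerprint a certificate viewer shows for the downloaded file. The function names and the constructed sample file are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def cer_to_single_line(pem_text: str) -> tuple[str, str]:
    """Return (single-line base64, SHA-256 fingerprint) for one PEM certificate."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    # Drop every line break and stray space (handles CRLF files saved on Windows).
    one_line = "".join(blocks[0].split())
    try:
        der = base64.b64decode(one_line, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    # A DER-encoded certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data is not a DER SEQUENCE")
    # Re-encode so the returned string is canonical, padded base64.
    canonical = base64.b64encode(der).decode("ascii")
    return canonical, hashlib.sha256(der).hexdigest().upper()


def make_sample_cer() -> tuple[str, bytes]:
    """Constructed stand-in for a downloaded .cer file (not a real certificate)."""
    der = b"\x30\x82\x01\x00" + bytes(range(256))  # SEQUENCE header + filler
    b64 = base64.b64encode(der).decode("ascii")
    body = "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    # Leading BOM and CRLF line endings mimic a file saved by a Windows editor.
    pem = f"\ufeff-----BEGIN CERTIFICATE-----\r\n{body}\r\n-----END CERTIFICATE-----\r\n"
    return pem, der


if __name__ == "__main__":
    sample, _ = make_sample_cer()
    value, fingerprint = cer_to_single_line(sample)
    print(value)
    print("SHA-256:", fingerprint)
```

To use it on a real download, read the `.cer` file as text and pass its contents to `cer_to_single_line`; paste the first returned value into the *X-509 certificate* field.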
