Configuring SAML with Microsoft Entra ID

1. Add an unlisted (non-gallery) application to your Microsoft Entra ID organization

1. In Microsoft Entra ID, create an unlisted (non-gallery) application following the official documentation.
2. Once the application is created, follow these instructions to enable SAML SSO. Use these configuration values (replacing "sourcegraph.example.com" with your Sourcegraph instance URL):

• Identifier (Entity ID): https://sourcegraph.example.com/.auth/saml/metadata
• Reply URL (Assertion Consumer Service URL): https://sourcegraph.example.com/.auth/saml/acs
• Sign-on URL, Relay State, and Logout URL can be left empty.
• User Attributes & Claims: Add the following attributes.
  • emailaddress: user.mail (required)
  • name: user.userprincipalname (optional)
  • login: user.userprincipalname (optional)
• Name ID: email
• You can leave the other configuration values set to their defaults.

1. Record the value of the "App Federation Metadata Url". You'll need this in the next section.

2. Add the SAML auth provider to Sourcegraph site config

Add a SAML auth provider with identityProviderMetadataURL set to the "App Federation Metadata Url" you recorded in the previous section. Here is an example of what your site configuration should look like:

JSON
{
 // ...
 "externalURL": "https://sourcegraph.example.com",
 "auth.providers": [
   {
     "type": "saml",
     "configID": "azure",
     "identityProviderMetadataURL": "https://login.microsoftonline.com/7d2a00ed-73e8-4920-bbfa-ef68effe2d1e/federationmetadata/2007-06/federationmetadata.xml?appid=eff20ae4-145b-4bd3-ff3f-21edab43fe99"
   }
 ]
}

NOTE: Optional, but recommended: add automatic provisioning of users with SCIM.