# Configuring Microsoft Entra ID SAML 2.0 for SSO

You’ll need to configure settings in Microsoft Entra ID (formerly Azure AD) to finalize the setup for Identity Federation.

1. Open Microsoft Entra ID.
2. Navigate to **Enterprise applications - All Applications**.
3. Select **New application**.


![](/assets/image-20200420-220635.dc46cc64b3f427a8cdbce5f8086b712423e5dae7c217c65a4fa85d81111876b5.f0cddcd7.png)

1. Select **Add from the gallery** > **Microsoft Entra ID SAML Toolkit**.


![](/assets/configuring-azure-ad-saml-2-0-for-identity-federation-2024-02-11.753b97922b579691c9c294f22438d07f1804c3ec89748a846a1cd7959bdf0e92.f0cddcd7.png)

1. Type the name you want for the application.


![](/assets/configuring-azure-ad-saml-2-0-for-identity-federation-2024-02-11-1.a81d24f05e5828c569a315c7b01e842911ad03d0437b0691dfaa214fbe8b233b.f0cddcd7.png)

1. Navigate to **Enterprise Applications**.
2. Select `<your_app>`.


![](/assets/configuring-azure-ad-saml-2-0-for-identity-federation-2024-02-11-2.8fa506e534905ed6dad901561cc159d3d3cc5182ca4a13c1034578924068deff.f0cddcd7.png)

1. Select **Manage > Single sign-on**.
2. Select **SAML**.
3. On the **Set up single sign-on with SAML** page, edit the **Basic SAML Configuration**.


![](/assets/configuring-azure-ad-saml-2-0-for-identity-federation-2024-02-11-3.2b77126bd4bc8486f1c8e0452a5ddd80231817fc84200291b494d89f106b91af.f0cddcd7.png)

1. Change the following fields in the **Basic SAML Configuration**:


- **Identifier (Entity ID)**: Examples:
  - `urn:treasuredata:sso:aws:<your_account_name>`
  - `urn:treasuredata:sso:aws-tokyo:<your_account_name>`
  - `urn:treasuredata:sso:eu01:<your_account_name>`
- **Reply URL**: [https://sso.treasuredata.com/login/callback](https://sso.treasuredata.com/login/callback)
- **Sign-on URL**:
  - US: `https://console.us01.treasuredata.com/users/initiate_sso?account_name=<your_account_name>`
  - JP: `https://console.treasuredata.co.jp/users/initiate_sso?account_name=<account_name>`
  - Europe: `https://console.eu01.treasuredata.com/users/initiate_sso?account_name=<account_name>`

1. Locate the Entity ID in the TD Console under **Administration > Sign In Settings > Identity Federation**.
2. Go back to the Azure console. Go to the **Attributes & Claims** section. Choose the value you want to use for the **Unique User Identifier**. If `user.mail` is indicated, you can set up the TD user with their email. If the value is `user.name`, set the field with the user name.
3. Select **Save**.
4. Navigate to **Enterprise applications - All Applications**.
5. Select the desired application.
6. Select **Users and groups > Add user**.

![](/assets/configuring-azure-ad-saml-2-0-for-identity-federation-2024-02-09.34557ea8ff55cdcf96793b48ab7a547166dae1953a4cd0c40df36fd02537756c.f0cddcd7.png)

7. Add users and assign roles.
8. After users are assigned, navigate to **Single sign-on**.

![](/assets/configuring-azure-ad-saml-2-0-for-identity-federation-2024-02-09-1.3afadde3dfd449281c1d0ba63c3a598464074d8e184ed6559bf223a9d71a21c0.f0cddcd7.png)

9. Gather the following items from the **Single sign-on** page to complete your configuration from within the TD Console. Ensure you are checking the configuration for the correct Entity ID.


![](/assets/image-20200304-233834.06571782b0e63522fbfdc86e3431ba0d1e01d15ac1b4f48d8b3f8d74da5a1d45.f0cddcd7.png)

# FAQs

## Why can't I authenticate from Auth0?

You may receive the following error:

"Could not authenticate you from Auth0 because "Recipient is invalid. configured: https://sso.treasuredata.com/login/callback".

If so, review the URL of your identity server. It may be set to an incorrect URL.
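
To see which values the identity provider actually sent when this error appears, the check below (an added example, not Treasure Data or Microsoft code) decodes a base64 `SAMLResponse` captured from the browser's POST to the Reply URL and compares its `Destination`, `Recipient` and `Audience` with the Reply URL and Entity ID configured above. The account name, the `.invalid` URL and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Reply URL from the Basic SAML Configuration on this page.
EXPECTED_REPLY_URL = "https://sso.treasuredata.com/login/callback"


def check_saml_response(b64_response, expected_entity_id):
    """List mismatches between a captured SAMLResponse and the configured
    values. Diagnostic only: it does not verify the XML signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != EXPECTED_REPLY_URL:
        problems.append(f"Destination is {root.get('Destination')!r}")
    confirmations = root.findall(".//saml:SubjectConfirmationData", NS)
    if not confirmations:
        problems.append("no SubjectConfirmationData element")
    for node in confirmations:
        if node.get("Recipient") != EXPECTED_REPLY_URL:
            problems.append(f"Recipient is {node.get('Recipient')!r}")
    audiences = [(a.text or "").strip() for a in root.findall(".//saml:Audience", NS)]
    if expected_entity_id not in audiences:
        problems.append(f"Audience is {audiences!r}")
    return problems


def constructed_response(reply_url, entity_id):
    """Build a minimal, unsigned sample response (constructed test data)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
      Destination="{reply_url}"><saml:Assertion><saml:Subject>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{reply_url}"/>
      </saml:SubjectConfirmation></saml:Subject><saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{entity_id}</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    entity = "urn:treasuredata:sso:aws:example_account"  # constructed account name
    # Constructed case: the Reply URL in the IdP was set to the wrong value.
    wrong = constructed_response("https://sso.example.invalid/callback", entity)
    for line in check_saml_response(wrong, entity) or ["all values match"]:
        print(line)
```

An empty result means the three values match the configuration; it says nothing about whether the response is validly signed.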