How to configure Single-Sign-On between Mosaic and Azure / Entra ID
Last updated: April 28, 2026
In this article you will find the necessary steps to configure a connection between Azure and Mosaic's authentication platform to establish a Single-Sign-On experience for your enterprise users using Mosaic.
If at any time there are questions or issues with the connection, please reach out to support@mosaic.pe for assistance.
Azure Configuration
1. Navigate to your Azure Admin Portal > Enterprise Applications and choose New Application, then Create your own application.
2. Enter "Mosaic" as the name of the app, and choose a Non-gallery application.
3. Within the "Set up single sign on" section, choose SAML.
4. Within the Set up Single Sign-On with SAML page, edit the Basic SAML Configuration.
5. Add an identifier under the Identifier (Entity ID) section as:
urn:amazon:cognito:sp:us-east-1_snwpaAR4h
6. Add a Reply URL as:
7. Press Save to exit the Basic SAML Configuration area.
8. Ensure that the givenname, surname, and emailaddress attributes are set in the Attributes & Claims section.
9. Copy the App Federation Metadata Url value from the SAML Certificates section, and email it to support@mosaic.pe.
10. In the Users & Groups section, assign access to Mosaic to the users within your organization.
Please email support@mosaic.pe with the metadata from Step 9, as well as a list of all possible domains that might be authenticating via your Azure instance. For example: yourdomain.com, yourdomain.net, etc. Once we complete the integration, we will let you know when it is ready to test.
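When testing the connection, the Entity ID and the Attributes & Claims settings above can be sanity-checked against a captured sign-in. The following is an added example, not Mosaic or Microsoft code: it assumes you copy the base64 SAMLResponse form field from your browser's developer tools during a test login, and that Entra ID emits its default claim URIs for the three attributes.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entity ID from the Basic SAML Configuration step on this page.
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_snwpaAR4h"
# Assumption: Entra ID default claim URIs for the three required attributes.
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = ("givenname", "surname", "emailaddress")


def check_saml_response(b64_response: str) -> list[str]:
    """Return configuration problems found; an empty list means the checks passed.
    Configuration sanity check only: it does NOT verify the XML signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"audience mismatch: {audiences}")
    values = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        v = attr.find("saml:AttributeValue", NS)
        values[attr.get("Name")] = (v.text or "").strip() if v is not None else ""
    for claim in REQUIRED_CLAIMS:
        if not values.get(CLAIM_NS + claim):
            problems.append(f"missing or empty claim: {claim}")
    return problems


def build_sample(audience: str, claims: dict) -> str:
    """Constructed, unsigned sample response for offline runs (not real traffic)."""
    attrs = "".join(
        f'<saml:Attribute Name="{CLAIM_NS}{k}">'
        f"<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>"
        for k, v in claims.items())
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           "<saml:Conditions><saml:AudienceRestriction>"
           f"<saml:Audience>{audience}</saml:Audience>"
           "</saml:AudienceRestriction></saml:Conditions>"
           f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
           "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    good = build_sample(EXPECTED_AUDIENCE, {"givenname": "Ada", "surname": "Lovelace",
                                            "emailaddress": "ada@yourdomain.com"})
    bad = build_sample("urn:example:wrong-sp", {"givenname": "Ada", "emailaddress": ""})
    print(check_saml_response(good))
    print(check_saml_response(bad))
```

An audience mismatch points back to the Identifier (Entity ID) step, and a missing claim points back to the Attributes & Claims step.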
SSO User Provisioning
Mosaic supports user provisioning, which lets Entra ID automatically create and disable user accounts within Mosaic depending on their application access. We recommend following the additional steps below to enable this functionality. Note that this can only be completed once SSO has been successfully established for your organization.
1. Obtain your Provisioning Token
Log in to Mosaic as a user with admin permissions.
Navigate to your organization admin page by clicking on your account name in the top right corner, and selecting "Admin"
Navigate to the "Integrations" page using the left sidebar
Find the SCIM User Provisioning integration, and click "Install", and then "Generate Token".
Copy the Base URL and API Token
Note: The token is only visible once and is valid for 365 days. Creating a new token will invalidate the previously used token.
2. Set up Provisioning in Entra
Navigate to the Mosaic Enterprise Application
Navigate to Manage > Provisioning on the left sidebar
Click "New configuration" on the top bar
Paste the URL and token copied from the previous section into the tenant details and click Test Connection.
Under the "Mappings" section, select "Provision Microsoft Entra ID Groups". Under the Enabled section, select "No", then click "Save".
Mosaic provisioning only supports provisioning of Users. Attempting to provision Groups will cause provisioning to fail.
Complete the setup by clicking the "Create" button at the bottom of the screen.
Provisioning is now complete. If you experience any difficulty in setting up provisioning or any errors caused by provisioning requests, please email us at support@mosaic.pe for further assistance.