Configure Single Sign-On between Microsoft Entra ID (formerly Azure AD) and Atomicwork using SAML 2.0. Once complete, your users sign in to Atomicwork with their existing Microsoft credentials.
Why use Microsoft Entra ID SAML SSO
Enabling Microsoft Entra ID SAML SSO offers:
Single sign-on: Users log in with their Microsoft Entra ID credentials, removing the need for a separate Atomicwork password.
Both IdP-initiated and SP-initiated SSO: Users can sign in from the Microsoft My Apps portal or directly from the Atomicwork login page.
Improved security: Authentication is handled by Entra ID, so passwords stay inside Microsoft — Atomicwork never sees or stores them.
Simplified user management: Onboarding and offboarding employees is as easy as updating access in your Entra directory.
Conditional Access support: Extend your existing Conditional Access policies (MFA, device compliance, sign-in risk) to Atomicwork by scoping an access policy to the created Atomicwork Enterprise Application.
Prerequisites
To set up Microsoft Entra ID SAML SSO in Atomicwork, you need:
A Microsoft Entra ID tenant with Global Administrator or Cloud Application Administrator rights.
Organization admin access on Atomicwork
Note: In your Atomicwork tenant, navigate to Settings > Security (under Organization) and click on Enable next to Microsoft Entra ID SSO (SAML). Keep this page open in another browser tab before you start. Atomicwork pre-populates the Identifier and Reply URLs for you, which you will copy into Azure.
How the values flow
Atomicwork → Azure
Copy the following values from the Microsoft Entra ID SSO (SAML) page under Security into Azure:
Identifier
Default Reply URL (the one ending in /clients/saml-client)
Additional Reply URL for SP-initiated SSO
Azure → Atomicwork
Copy the App Federation Metadata URL from Azure and paste it into Atomicwork.
Set up Microsoft Entra ID SAML SSO
Step 1: Create a new Enterprise Application in Azure
Sign in to the Azure portal at portal.azure.com and navigate to Microsoft Entra ID.
From the left navigation, click on Enterprise applications > All applications.
In the top action bar, click on + New application.
On the Browse Microsoft Entra App Gallery page, click on + Create your own application.
Note: Atomicwork is not in the Entra app gallery, so you'll register it as a non-gallery application.
Step 2: Name your application and select Non-gallery
In the Create your own application panel, enter a recognizable display name and choose the integration type.
Name your app — we'd recommend "Atomicwork SAML SSO". You can append your environment (for example "Atomicwork SAML SSO – Production") if you maintain multiple Atomicwork tenants.
Choose Integrate any other application you don't find in the gallery (Non-gallery).
Click Create. Azure will provision the application and you'll land on the application's overview page.
Step 3: Enable SAML as the single sign-on method
On the application's overview page, click on Manage > Single sign-on from the left navigation.
Select the SAML tile from the displayed sign-on methods.
Step 4: Fill in the Basic SAML Configuration
Azure will open the Set up Single Sign-On with SAML page.
In section 1 (Basic SAML Configuration), click on Edit and provide the three Atomicwork endpoints listed below.
Note: Azure expects two Reply URLs — one marked as Default (used for IdP-initiated SSO) and an additional one (used for SP-initiated SSO). Both are available from Atomicwork.
Azure field | What to paste
--- | ---
Identifier (Entity ID) | Paste the Identifier (Entity ID) from Atomicwork.
Reply URL (ACS) — Default | Paste the Reply URL (ACS) from Atomicwork and tick Default on that row in Azure.
Reply URL — additional | Click + Add reply URL in Azure and paste the additional Reply URL value from Atomicwork.
Sign on URL | Leave blank.
Relay State | Leave blank.
Logout URL | Leave blank.
Important: Make sure the Default checkbox is enabled on the row that ends with /clients/saml-client. The second Reply URL (without /clients/saml-client) is what enables SP-initiated SSO — both are required.
Click on Save once all fields have been populated.
Step 5: Verify the Attributes & Claims
Azure pre-populates a set of default claims that Atomicwork can consume as-is. Open section 2 (Attributes & Claims) and confirm the mapping below.
Claim | Source attribute
--- | ---
givenname | 
surname | 
emailaddress | user.mail
name | 
Unique User Identifier | 
Customization: If your organization stores user email in user.mail, leave emailaddress mapped to user.mail. If you publish primary email only via user.userprincipalname, remap accordingly. The default mapping works for the majority of Microsoft 365 tenants.
Step 6: Copy the SAML signing details
Scroll to section 3 (SAML Certificates). Azure auto-generates a token signing certificate the moment the application is created.
Locate App Federation Metadata Url. Click the copy icon to put the URL on your clipboard.
Optionally, download Certificate (Base64) as a backup.
Why the metadata URL? The federation metadata URL is a live, signed XML document that contains Azure's issuer identifier, sign-in endpoints, and the public signing key. Pointing Atomicwork at the URL — rather than uploading a static certificate — means key rotations performed by Azure are picked up automatically without service interruption.
Step 7: Paste the metadata URL into Atomicwork
Navigate to your Atomicwork tenant and go to Settings > Security (under Organization) > Microsoft Entra ID SSO (SAML).
Paste the App Federation Metadata URL from the previous step here.
Click Test to verify the configuration.
Click Connect to activate SSO for your organization. The status indicator at the top of the panel will change to Connected once setup is complete.
Always Test first before you Connect. The Test button performs a non-disruptive authentication round-trip and reports any misconfiguration before SSO is enforced organization-wide. Only click Connect once the test passes.
Step 8: Assign users and validate
In Azure, return to the application's overview page and open Users and groups from the left navigation.
Click + Add user/group and assign the Microsoft Entra users or groups who should have access to Atomicwork.
Navigate to your Atomicwork tenant in an incognito browser tab.
Click Continue with SSO (or equivalent) and enter your work email. You should be redirected to the Microsoft sign-in page, authenticate, and land back inside Atomicwork.
Optional — Conditional Access: If your organization uses Conditional Access policies, you can extend the same policies (MFA, device compliance, sign-in risk) to Atomicwork by scoping a policy to this Enterprise Application. No additional configuration is required on the Atomicwork side.
Troubleshooting
Symptom | Cause | Resolution
--- | --- | ---
AADSTS50105 — User is not assigned to a role | The user (or a group containing them) hasn't been assigned to the Enterprise Application. | Open the application in Azure > Users and groups and assign the affected user. If user assignment is not required for your tenant, you can disable the requirement in Properties > Assignment required = No.
Atomicwork shows "Invalid signature" after Azure sign-in | The metadata URL was copied while a certificate rotation was in flight, or only a partial URL was pasted. | Re-copy the App Federation Metadata URL from Azure and paste it again in Atomicwork.
Loop back to the sign-in page | A mismatched ACS URL — usually a trailing space or wrong suffix on the Reply URL in Basic SAML Configuration. | Verify that the Reply URL in Basic SAML Configuration ends exactly with /clients/saml-client.
Email or name is missing in the user profile | The | Open Attributes & Claims in Azure and remap
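The claim mapping in Step 5 and the last two rows of the troubleshooting table are easiest to understand from the service-provider side. The following added example (not Atomicwork's or Microsoft's code) checks a SAML Response against the values configured in Steps 4 and 5: the Destination must match the Reply URL (ACS) byte for byte, the Audience must contain the Identifier, the Issuer must be the tenant from the metadata, and every default claim must be present and non-empty. Signature verification is left to the SAML library that consumes the metadata URL. All URLs, the tenant ID and the user values are constructed placeholders, and `sample_response()` builds the Response so that the trailing-space and missing-claim failures can be reproduced offline.

```python
"""Validate a SAML Response against the values from Steps 4 and 5.

Added example, not Atomicwork's or Microsoft's code.  Every URL, tenant ID
and user value below is a constructed placeholder.  Signature verification
is out of scope here and is handled by the SAML library in production.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim URI prefix Entra ID uses for the default claims listed in Step 5.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = ("givenname", "surname", "emailaddress", "name")

# Constructed stand-ins for the values Atomicwork shows under Settings > Security.
EXPECTED = {
    "entity_id": "https://example-tenant.atomicwork.example/saml",
    "acs_url": "https://example-tenant.atomicwork.example/clients/saml-client",
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
}


def attribute(name, value):
    """One <saml:Attribute> element for a default Entra claim."""
    return (f'<saml:Attribute Name="{CLAIMS}{name}">'
            f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>")


def sample_response(destination, include_email=True):
    """Constructed Response in the shape Entra ID posts to the ACS URL."""
    attrs = [attribute("givenname", "Alice"), attribute("surname", "Example"),
             attribute("name", "alice@example.com")]
    if include_email:  # omit the claim to reproduce "email missing in profile"
        attrs.append(attribute("emailaddress", "alice@example.com"))
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Version="2.0" Destination="{destination}">
  <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
  <saml:Assertion Version="2.0">
    <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{EXPECTED['entity_id']}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{''.join(attrs)}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()


def check_response(xml_bytes, expected):
    """Return a list of problems found; an empty list means the Response is consistent."""
    problems = []
    root = ET.fromstring(xml_bytes)
    # Compared byte for byte: a trailing space or a wrong suffix on the Reply
    # URL in Basic SAML Configuration surfaces here as a Destination mismatch.
    dest = root.get("Destination", "")
    if dest != expected["acs_url"]:
        problems.append(f"Destination {dest!r} != configured ACS {expected['acs_url']!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in Response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        problems.append(f"Issuer {issuer!r} is not the tenant from the metadata")
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} does not include Identifier {expected['entity_id']!r}")
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS):
        problems.append("empty NameID (Unique User Identifier)")
    # Collect the default claims by their short name and check each is populated.
    present = {
        a.get("Name")[len(CLAIMS):]: a.findtext("saml:AttributeValue", default="", namespaces=NS)
        for a in assertion.findall(".//saml:Attribute", NS)
        if a.get("Name", "").startswith(CLAIMS)
    }
    for claim in REQUIRED_CLAIMS:
        if not present.get(claim):
            problems.append(f"claim {claim} missing or empty: remap it under Attributes & Claims")
    return problems


if __name__ == "__main__":
    cases = [
        ("correct configuration", sample_response(EXPECTED["acs_url"])),
        ("trailing space on Reply URL", sample_response(EXPECTED["acs_url"] + " ")),
        ("emailaddress claim not mapped", sample_response(EXPECTED["acs_url"], include_email=False)),
    ]
    for label, resp in cases:
        print(label, "->", check_response(resp, EXPECTED) or ["OK"])
```

The same checks apply to a real Response: decode the base64 `SAMLResponse` form field the browser posts to the Reply URL, pass the bytes to `check_response()` with your tenant's Identifier, Reply URL and the entityID from the metadata, and the first problem reported is normally the row in the table above that applies.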
Need help?
If you get stuck, contact Atomicwork Support and include the Application ID of the Enterprise Application you created, plus a screenshot of the Atomicwork Security settings page.