# Integrated authentication with Microsoft Entra ID

{% hint style="info" %}
Microsoft Entra ID is the new name for **Azure Active Directory**.
{% endhint %}

## Creating the application

To create an application in Microsoft Entra ID, follow the steps below:

1. Access **Microsoft Entra ID**.
2. Click **Enterprise Applications**.
3. Click **New Application** at the top of the menu.
4. Search for the **Azure AD SAML Toolkit** application in the search bar. This application is created with SAML-based authentication, which you configure in the next steps.
5. Name the application and click **Create**.
6. Click **Single sign-on** in the menu on the left and select the **SAML** method.
7. Configure the application settings as explained below.

## Configuring the application​

### Step 1: Obtain the Federation Metadata XML

First you must obtain the **Federation Metadata XML** from your application setup. This XML file describes your tenant as a SAML identity provider (its entity ID, its single sign-on endpoints, and its token-signing certificate); Digibee needs this information to configure the identity provider within your realm, enabling integrated authentication.

To obtain the file, follow these steps:

1. Scroll to the **Basic SAML Configuration** section.
   * The **Download** button for the **Federation Metadata XML** is disabled by default. It is only enabled once the mandatory fields in this section have been filled in.
2. Input temporary **placeholder URLs**.
   * Because Digibee only provides the real **Identifier**, **Reply URL**, and **Sign-on URL** after it has received the **Federation Metadata XML**, you must temporarily fill these fields with **placeholder URLs**, for example **https://placeholder.com**.
3. Enter values for all three fields.
   * Once the **Identifier**, **Reply URL**, and **Sign-on URL** fields all contain placeholders, the **Download** button for the **Federation Metadata XML** becomes active.
4. Download the XML file.
   * Click **Download** to save the **Federation Metadata XML** file.

### Step 2: Finalize the application configuration in Microsoft Entra ID

1. Send the XML file to Digibee via Support. You will then receive the **Identifier** (also called **Issuer**), **Reply URL** (also called **Callback URL**), **Sign-on URL**, and **Metadata URL**.
2. The **Metadata URL** provided by Digibee serves XML content. Save that content to a file with an `.xml` extension.
3. Go back to the **Basic SAML Configuration** section and replace the placeholder URLs with the official ones provided by Digibee.
4. Upload the saved **Metadata URL** file (in XML format) as described in the Metadata URL section.
5. Ensure that all users who will log in to the application exist in Microsoft Entra ID.
6. Review all settings to ensure accuracy.
7. Save the changes.
8. Click **Test this application** to verify that sign-in works correctly.

### Optional step: Configure group integration

To integrate Digibee Platform groups with Microsoft Entra ID groups, configure the **Attributes & Claims** section. If you have already set up the To/From groups on the Platform, group integration is optional.

1. Click **Add a Group Claim**. With this claim, Microsoft Entra ID sends Digibee the groups the user belongs to during the authentication process.
2. If **All Groups** is selected, every Group ID of the user, including groups that belong to other applications, is sent to Digibee.

{% hint style="info" %}
Note that if the user belongs to more groups than fit in the assertion (150 for SAML tokens), Microsoft Entra ID omits the list and sends a groups overage claim containing a link to Microsoft Graph instead of the full list. This prevents automatic group association.
{% endhint %}

3. For a more precise integration, use the **Groups Assigned to the Application** option to limit the Group IDs sent to Digibee to the groups assigned to this application; this also keeps the claim well below the overage limit. The users who will log in must be assigned to the application.

## Problem solving

**Errors related to incorrect information entry**\
Microsoft Entra ID usually displays the error on its own sign-in page, which helps with troubleshooting. In these cases, check whether the URLs provided by Digibee were entered correctly, remembering that the URLs must always be entered with HTTPS in Azure. Also verify that the **Metadata XML** file was uploaded correctly, as explained above.

**The authentication was successful but without automatic group association**\
It is possible to inspect the **SAMLResponse** that was sent to Digibee (for example, from the browser's developer tools, in the POST to the Reply URL). The **SAMLResponse** is always encoded in **Base64** and can be decoded using public tools; since the decoded message contains user identity data, prefer a local decoder over pasting it into third-party sites. The list of **Group IDs** sent to Digibee is usually inside the `<Attribute>` element whose `Name` is `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`, under `<AttributeStatement>`, as shown in the following tag:

<figure><img src="https://content.gitbook.com/content/boT4qPJIk6PZotrxlJWL/blobs/E6whyo1lkVyqqaLOOsSp/problemsolving%20microsoft%20id.png" alt=""><figcaption></figcaption></figure>
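The following script is an added example, not Digibee's or Microsoft's code, that does this inspection locally: it decodes a captured `SAMLResponse` value, reports the status, issuer and subject, lists the Group IDs found in the groups claim, and flags the overage case described in the note above, where Entra ID replaces the group list with a `groups.link` claim. The two embedded responses are constructed, unsigned samples built by the script itself (placeholder tenant, placeholder user and group IDs); the claim names are Entra ID's defaults.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Default claim names Entra ID uses for the group list and for the "too many groups" overage link.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def _build_sample(attributes):
    """Build a constructed, unsigned SAML Response (sample only, not captured from a real tenant)."""
    attr_xml = ""
    for name, values in attributes.items():
        vals = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in values)
        attr_xml += '<saml:Attribute Name="%s">%s</saml:Attribute>' % (name, vals)
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        "<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>' % STATUS_SUCCESS
        + '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>%s</saml:AttributeStatement>" % attr_xml
        + "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# Constructed samples: a normal response carrying two group IDs, and an overage response
# in which the group list has been replaced by a groups.link claim (placeholder values).
SAMPLE_WITH_GROUPS = _build_sample({
    GROUPS_CLAIM: ["11111111-1111-1111-1111-111111111111",
                   "22222222-2222-2222-2222-222222222222"],
})
SAMPLE_OVERAGE = _build_sample({
    GROUPS_LINK_CLAIM: ["https://graph.microsoft.com/v1.0/users/alice@example.invalid/getMemberObjects"],
})


def inspect_saml_response(saml_response):
    """Decode a SAMLResponse form value and summarise what the service provider would see.

    This is a troubleshooting aid only: it does not verify the XML signature, so never use it
    to make an authorization decision.
    """
    if "%" in saml_response:  # value copied straight from a raw, URL-encoded POST body
        saml_response = urllib.parse.unquote(saml_response)
    root = ET.fromstring(base64.b64decode(saml_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion found (encrypted assertions are not handled here)")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "success": status is not None and status.get("Value") == STATUS_SUCCESS,
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "groups": attrs.get(GROUPS_CLAIM, []),
        "group_overage": GROUPS_LINK_CLAIM in attrs,
        "attributes": attrs,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_GROUPS, SAMPLE_OVERAGE):
        print(inspect_saml_response(sample))
```

If `groups` is empty and `group_overage` is true, the user is over the group limit and the fix is on the Entra ID side (restrict the claim to groups assigned to the application); if `groups` is empty and no overage claim is present, the group claim was not added or the user is not a member of the expected groups.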
