Setting up SAML SSO with Microsoft Entra
Microsoft Entra ID (formerly Azure Active Directory) supports SAML 2.0 as a federation protocol. This guide walks you through connecting 21RISK to Entra using SAML, which is an alternative to the OpenID Connect (OIDC) setup.
SAML is commonly used in organizations that already have SAML-based federation in place, or where company policy requires it. If you don't have a strong preference, we recommend using OIDC — it's simpler to set up and maintain.
Prerequisites: You need Group Owner access in 21RISK and administrator access to Microsoft Entra to complete this setup.
Create a SAML connection in 21RISK
In a browser tab/window, log in to 21RISK.com
From here, navigate to the /settings/advanced page. Click on the button "Create new SSO connection".
In the dialog that opens, you can choose between OpenID Connect and SAML 2.0. Click on SAML 2.0.
This takes you to the SAML connection detail page. In the Service Provider Configuration section, you will find two values you need for the Entra setup:
- ACS URL (Assertion Consumer Service) — the URL where Entra will send the SAML response
- Entity ID (Audience) — the identifier 21RISK uses for the SAML trust
Copy both of these values. You will paste them into Entra in the next step.
Create an Enterprise Application in Entra
In a new browser tab, navigate to portal.azure.com and search for "Enterprise applications" in the top search bar.
Click "New application"
This should take you to the Microsoft Entra App Gallery. Pick the option "Create your own application".
This should open a sidenav, where you enter 21RISK as the name, select "Integrate any other application you don't find in the gallery (Non-gallery)", and click Create.
Configure SAML in Entra
On your new Enterprise Application's overview page, click "Set up single sign on" (or navigate to Manage → Single sign-on in the left menu).
Step 1: Entity ID and Reply URL
This should take you to the Single sign-on page. Click "Edit" on the first card with the title "Basic SAML Configuration".
This should open a sidenav where you can enter the "Basic SAML Configuration":
| Field | Value |
|---|---|
| Identifier (Entity ID) | The Entity ID you copied from 21RISK |
| Reply URL (Assertion Consumer Service URL) | The ACS URL you copied from 21RISK |
Leave the other fields at their defaults and click Save.
Step 2: Attributes & Claims
The default configuration typically includes the user's email as the Name ID. Verify that the Unique User Identifier (Name ID) is set to user.userprincipalname or user.mail — whichever matches the email addresses your users have in 21RISK.
Important: The email in the SAML assertion must match the email address the user has in 21RISK. If these don't match, the user will not be able to log in.
Step 3: SAML Certificates
In the "SAML Certificates" section, copy the Certificate (Base64) — you can click the download link and open the file in a text editor. You will need the certificate content (without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).
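Stripping the BEGIN/END lines and all line breaks by hand is where most copy-paste mistakes happen. The helper below, an added example that is not part of the 21RISK documentation or product, does that normalization for you and sanity-checks the result: it decodes the Base64, confirms the bytes have the outer shape of a DER certificate, and computes the SHA-1 thumbprint so you can compare it with the Thumbprint Entra displays next to the certificate. The embedded certificate is a constructed ASN.1 placeholder, not a real certificate, so the script runs offline; point `pem_to_body` at the file you downloaded from Entra instead.

```python
import base64
import binascii
import hashlib
import re

# Constructed placeholder, NOT a real certificate: a minimal ASN.1 SEQUENCE
# (tag 0x30) wrapping a 70-byte OCTET STRING, so it has the outer shape of DER.
SAMPLE_DER = b"\x30\x48" + b"\x04\x46" + bytes(range(70))
SAMPLE_BODY = base64.b64encode(SAMPLE_DER).decode("ascii")
# Same bytes laid out like the file Entra lets you download: 64-column lines
# between BEGIN/END markers.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(SAMPLE_BODY[i:i + 64] for i in range(0, len(SAMPLE_BODY), 64))
    + "\n-----END CERTIFICATE-----\n"
)

_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def pem_to_body(text: str) -> str:
    """Return the bare Base64 body 21RISK expects: no BEGIN/END lines, no whitespace.

    Accepts either the full downloaded PEM file or a body that was already
    stripped, and rejects input that does not decode to something DER-shaped
    (wrong file, stray characters, or a truncated paste).
    """
    body = _MARKER.sub("", text)
    body = re.sub(r"\s+", "", body)  # drop newlines, CRLF, tabs, stray spaces
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc
    if not der or der[0] != 0x30:  # a DER certificate always starts with SEQUENCE
        raise ValueError("decoded bytes are not a DER SEQUENCE; wrong file or truncated paste?")
    return body


def sha1_thumbprint(body: str) -> str:
    """SHA-1 of the DER bytes as upper-case hex, the form Entra shows as the Thumbprint."""
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()


if __name__ == "__main__":
    # Simulate a paste with Windows line endings and trailing whitespace.
    messy = SAMPLE_PEM.replace("\n", "\r\n") + "   "
    body = pem_to_body(messy)
    print("Paste this into the IdP Certificate field:", body)
    print("Compare with the Thumbprint shown in Entra:", sha1_thumbprint(body))
```

Run it as `python3 check_cert.py` after replacing `SAMPLE_PEM` with the contents of the downloaded file; if it raises, the paste is incomplete or contains characters that are not part of the certificate.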
Also copy the following values from the "Set up 21RISK" section (section 4):
| Field in Entra | Field in 21RISK |
|---|---|
| Microsoft Entra Identifier | Microsoft Entra Identifier |
| Login URL | Login URL |
| Logout URL | Logout URL (optional) |
Configure the Identity Provider in 21RISK
Go back to the 21RISK tab with your SAML connection detail page. In the SAML Identity Provider Configuration section, fill in the following fields:
| Field | Value |
|---|---|
| Microsoft Entra Identifier | The Microsoft Entra Identifier from Entra |
| Login URL | The Login URL from Entra |
| IdP Certificate (X.509) | The Certificate (Base64) content you downloaded — paste only the certificate body, without the BEGIN/END lines |
| Logout URL (optional) | The Logout URL from Entra (you can leave this empty) |
Click Create (or Update if you are editing an existing configuration).
Mark the connection as primary
Before users can log in via SAML, the connection must be set as primary and the relevant email domains must be registered.
On the same page, toggle Primary to on and click Save.
You can only have one primary SSO connection per organization. If you already have an OIDC connection set as primary, toggling this SAML connection to primary will replace it.
Before users can use the connection, you must register all relevant domains with 21RISK. Reach out to 21RISK support at support@21risk.com if your domain(s) are not listed.
Test the connection
You are now ready to test the SAML connection. Log out of 21RISK by clicking your profile name in the lower left corner and choosing Log out.
Now try logging in again. If your email domain is registered and the connection is primary, you should be redirected to the Microsoft Entra login page. After authenticating there, you should be logged in to 21RISK automatically.
If you encounter issues, double-check the following:
- The ACS URL and Entity ID in Entra match the values shown in 21RISK
- The Name ID claim in Entra returns the user's email address
- The email address in the SAML assertion matches an existing user in 21RISK
- The certificate is pasted correctly without extra whitespace or the BEGIN/END lines
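Three of the four checks above can be made against the SAML Response that Entra posts back to the browser (visible in the browser's developer tools as the `SAMLResponse` form field, or in a SAML tracer extension). The script below is an added example, not part of 21RISK or Microsoft's tooling: it parses the response and reports whether the Destination matches the ACS URL, the Audience matches the Entity ID, the Issuer matches the Microsoft Entra Identifier, and the Name ID is an email address that exists among the users you know about. It does not validate the XML signature; that is what 21RISK does with the certificate you pasted. The response and all endpoint values are constructed placeholders so the script runs offline.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholders standing in for the values shown on the 21RISK connection page
# and in Entra's "Set up 21RISK" section; none of these are real endpoints.
EXPECTED_ACS_URL = "https://app.example-21risk.test/saml/acs"
EXPECTED_ENTITY_ID = "urn:example:21risk:sp"
EXPECTED_IDP_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed SAML Response (signature omitted; a real one from Entra is signed).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{EXPECTED_ACS_URL}">
  <saml:Issuer>{EXPECTED_IDP_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{EXPECTED_IDP_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@Example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# The same response as it travels in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def load_response(raw: str) -> ET.Element:
    """Accept raw XML or the Base64 form value (HTTP-POST binding is plain Base64, not deflated)."""
    text = raw.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    return ET.fromstring(text)


def check_response(raw, acs_url, entity_id, idp_id, known_emails):
    """Return a list of mismatches; an empty list means the response looks consistent."""
    problems = []
    root = load_response(raw)
    dest = root.get("Destination")
    if dest != acs_url:
        problems.append(f"Destination {dest!r} does not match ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element (encrypted assertion or error response?)")
        return problems
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_id:
        problems.append(f"Issuer {issuer!r} does not match Microsoft Entra Identifier {idp_id!r}")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS
    ).strip()
    if audience != entity_id:
        problems.append(f"Audience {audience!r} does not match Entity ID {entity_id!r}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if "@" not in name_id:
        problems.append(f"Name ID {name_id!r} is not an email address; check the Name ID claim mapping")
    elif name_id.lower() not in {e.lower() for e in known_emails}:
        problems.append(f"Name ID {name_id!r} does not match any known 21RISK user")
    return problems


if __name__ == "__main__":
    users = ["jane.doe@example.com"]  # constructed list of users known in 21RISK
    for label, raw in (("xml", SAMPLE_RESPONSE), ("base64", SAMPLE_RESPONSE_B64)):
        result = check_response(raw, EXPECTED_ACS_URL, EXPECTED_ENTITY_ID, EXPECTED_IDP_ID, users)
        print(label, "OK" if not result else result)
```

Email comparison is case-insensitive because Entra may return the UPN with the casing stored in the directory; if the Name ID comes back as a UPN that differs from the user's mail address, that is the `user.userprincipalname` versus `user.mail` choice from Step 2 above.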
If problems persist, contact support@21risk.com.
Entra user assignment
By default, Entra allows all users in your directory to use the Enterprise Application. If you want to restrict which users can access 21RISK via SAML, navigate to your Enterprise Application in Entra and go to Manage → Properties. Set Assignment required to Yes.
{% image id="2e1e5409-72d3-4138-894c-fd0dca97b20f" alt="Set Assignment required in Entra Enterprise Application properties" /%}
You can then assign specific users or groups under Manage → Users and groups.
21RISK has a powerful authorization model built in, so in most cases we recommend leaving "Assignment required" set to No and managing access within 21RISK itself. See How access is controlled for details.