Set Up Entra ID SSO
This article describes how to integrate Microsoft Entra ID (formerly Azure Active Directory) with Ataccama ONE Agentic Data Trust Platform using SAML 2.0 federation.
How sign-in works
When Entra ID SSO is configured, Ataccama acts as the SAML Service Provider (SP), and Entra ID acts as the Identity Provider (IdP). On sign-in, you are redirected to Entra ID for authentication (using your corporate credentials), and Entra ID returns a signed SAML assertion to Ataccama.
On first sign-in, Ataccama creates your user account automatically from the assertion attributes (username, email, first name, last name); on subsequent sign-ins, your profile attributes are refreshed from Entra ID.
Note: Configure a separate identity provider for each Ataccama environment (for example, DEV, TEST, PROD). Each environment has its own realm and redirect URI, so one configuration cannot be shared across environments.
Prerequisites
- Access to the Entra admin center with permissions to manage enterprise applications.
- Environment admin access to the Ataccama Cloud Portal.
- The Entra ID security groups that you intend to associate with the enterprise application already exist, with the appropriate users assigned.
Setup overview
Complete the following steps in order. Some values are generated in one step and reused in another, so keep both the Entra admin center and the Cloud Portal open throughout.
- Get the redirect URI from Cloud Portal to use as the Entra ID Identifier and Reply URL.
- Configure Entra ID: Create the enterprise application, set up SAML SSO, define the attribute and group claims, and assign users.
- Complete the Cloud Portal configuration: Enter the SAML metadata, map user attributes, and, optionally, import groups.
Get the redirect URI from Cloud Portal
- In the Ataccama Cloud Portal, go to <your environment> > Settings.
- Under Identity Provider (SSO), select Add.
- In the Add Identity Provider dialog, switch to the SAML tab.
- Note the Redirect URI shown. The URI is auto-generated for your environment realm and is read-only. Example: https://<your-domain>.ataccama.one/auth/realms/<tenant-name>/broker/saml/endpoint
Note: Keep this dialog open. You return to it in Complete the Cloud Portal configuration.
Configure Entra ID
Follow the Microsoft documentation to complete these steps:
- Create an enterprise application. When prompted to choose an application, select Create your own application > Integrate any other application you don’t find in the gallery (Non-gallery).
- Enable SAML single sign-on on your application. When configuring Basic SAML Configuration, set the following:
  - Identifier (Entity ID): The redirect URI from Cloud Portal.
  - Reply URL (Assertion Consumer Service URL): The redirect URI from Cloud Portal. It must match the Cloud Portal value exactly, including scheme, host and path; Entra ID posts the signed assertion only to a Reply URL registered here.
  - Sign-on URL: Leave blank.
  - Relay State: Leave blank.
- Configure attribute claims in the SAML token. The following claims (claim name: source attribute) must be present; add any that are missing:
  - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: user.userprincipalname
  - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: user.mail
  - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname: user.givenname
  - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname: user.surname
- Configure group claims if you want to use group-based role mapping in ONE. After you choose which groups to include (for example, Groups assigned to the application), leave the default claim name. Entra ID emits the claim as http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.
- Assign the users and groups that should have access to ONE to your enterprise application.
After you configure Entra ID, copy the App Federation Metadata URL (recommended; the Cloud Portal uses it to fill in the SAML settings automatically) and complete the Cloud Portal configuration. Alternatively, copy the Microsoft Entra Identifier and Login URL values and enter them manually.
Complete the Cloud Portal configuration
Return to the Add Identity Provider dialog in the Cloud Portal and fill in the following.
General information
- Alias: A short unique identifier. Leave the default (saml) or enter your own (for example, entra-saml). The default alias appears in the example Redirect URI path (/broker/saml/endpoint), so if you change it, check the Redirect URI shown in the dialog again and make sure the Reply URL in Entra ID matches the final value.
- Display Name: The label shown on the login screen (for example, Entra).
- Display Order: Optional. Sets the order of this provider when multiple identity providers are configured.
SAML settings
- Use discovery endpoint: Select this and paste the App Federation Metadata URL to fill in the following fields automatically.
- Identity Provider Entity ID: The Microsoft Entra Identifier (for example, https://sts.windows.net/<tenant-id>/).
- Single Sign-On Service URL: The Login URL from Entra ID.
- Single Logout Service URL: Optional.
- Name ID Policy Format: Email.
- Want Assertions Signed: Enabled (recommended).
- Validate Signature: Enabled (recommended). With both of these settings enabled, Ataccama accepts only assertions signed with the Entra ID signing certificate. Disabling them would let anyone who can post to the redirect URI present an unsigned, forged assertion for any user.
You can leave all other SAML settings as default.
User attribute settings
Select Pre-fill for Microsoft Entra to populate all four attribute fields with the default Entra ID claim URIs (and the Mapping attribute name in Group import (optional)). The pre-filled values are:
- Username Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Email Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- First Name Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Last Name Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
These values must exactly match the claim names sent in the SAML assertion. If you changed the claim names in Entra ID, edit the attribute values after pre-filling.
Group import (optional)
To import Entra ID groups for role assignment in ONE:
- Select Enable group mapping.
- In Mapping attribute name, enter http://schemas.microsoft.com/ws/2008/06/identity/claims/groups (pre-filled if you used Pre-fill for Microsoft Entra).
- Add one row per group:
  - Group name: The Entra ID security group name, as configured in the Entra admin center.
  - Description: An optional label visible only in ONE.
- You can add or update groups at any point after the initial configuration.
Troubleshooting
Login fails after configuration
- Verify that the Reply URL (ACS URL) in Entra ID exactly matches the Redirect URI from the Cloud Portal, including scheme, host and path; Entra ID posts the assertion only to a Reply URL registered on the application.
- Verify that the Entity ID and SSO URL in the Cloud Portal match the values from Entra ID (the Microsoft Entra Identifier and Login URL, or the entityID and SingleSignOnService location in the federation metadata).
User profile attributes are missing or incorrect
- Confirm that all four attribute claims are configured in Entra ID and that their names match the attribute settings in the Cloud Portal exactly; the claim names are compared as full URIs and are case-sensitive.
- Inspect the SAML assertion that Entra ID is sending (see Debug the SAML assertion).
Group memberships are not reflected
- Verify that the group claim is enabled in Entra ID and that the user’s groups are assigned to the enterprise application.
- Confirm that the group names in the Cloud Portal Group import exactly match the group names in your directory.
- Inspect the SAML assertion to see what the group claim actually contains. By default Entra ID emits group object IDs rather than display names, so compare the values you see with what is configured in the Cloud Portal.
Debug the SAML assertion
To inspect what Entra ID is actually sending:
- Open an incognito browser window, open Developer Tools > Network, and enable Preserve log so the request survives the redirect back to Ataccama.
- Attempt to sign in using the SSO option.
- Find the POST request to the redirect URI whose form body contains SAMLResponse.
- Copy the value and decode it with a SAML decoder, for example, SAMLTool. The value is a base64-encoded XML document, so you can also decode it locally if the assertion contains data you do not want to paste into a third-party site.
- Verify that all expected attributes (name, emailaddress, givenname, surname, groups) are present in <AttributeStatement>.
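The following added example (not Ataccama or Microsoft code) performs the decode-and-inspect steps above offline, and also runs the checks from the Troubleshooting section: it base64-decodes a SAMLResponse value copied from the network tab and reports whether the Destination, Audience, NameID format, assertion signature element and the four attribute claims plus the group claim match the Cloud Portal configuration. It only checks that a Signature element is present; Ataccama performs the actual signature validation. The redirect URI, tenant ID and both sample responses are constructed placeholders.

```python
"""Check a SAMLResponse that Entra ID posted to the Ataccama redirect URI.

Added example (not Ataccama or Microsoft code). ACS_URL, TENANT and the
sample responses are constructed placeholders; the signature element in
the sample is empty because only its presence is checked here.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_ATTRS = {  # label -> claim name pre-filled in the Cloud Portal
    "username": CLAIMS + "name",
    "email": CLAIMS + "emailaddress",
    "first name": CLAIMS + "givenname",
    "last name": CLAIMS + "surname",
}
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholders: the redirect URI serves as both Reply URL and Entity ID.
ACS_URL = "https://example.ataccama.one/auth/realms/example/broker/saml/endpoint"
TENANT = "11111111-2222-3333-4444-555555555555"

# Constructed sample shaped like an Entra ID response (group values are object IDs).
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo/><ds:SignatureValue/></ds:Signature>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ACS_URL}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{GROUPS_ATTR}">
        <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000001</saml:AttributeValue>
        <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000002</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed failure case: surname claim removed and the Reply URL of another environment.
SAMPLE_BROKEN_XML = SAMPLE_RESPONSE_XML.replace(
    f'<saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>', ""
).replace(f'Destination="{ACS_URL}"', 'Destination="https://example.ataccama.one/auth/realms/test/broker/saml/endpoint"')


def encode_saml_response(xml_text):
    """Produce the form-field value a browser would send (base64 of the XML)."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_saml_response(saml_response_field):
    """Undo form URL-encoding (a no-op if already decoded) and base64, then parse."""
    return ET.fromstring(base64.b64decode(urllib.parse.unquote(saml_response_field)))


def extract_attributes(response):
    """Map each attribute Name in the AttributeStatement to its list of values."""
    attrs = {}
    for attr in response.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_saml_response(saml_response_field, expected_acs, expected_audience, want_groups=True):
    """Return a list of findings; an empty list means the response matches the configuration."""
    response = decode_saml_response(saml_response_field)
    if response.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    findings = []
    if response.get("Destination") != expected_acs:
        findings.append(f"Destination {response.get('Destination')!r} does not match the redirect URI")
    status = response.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    assertion = response.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion (an EncryptedAssertion must be decrypted first)"]
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion carries no Signature element; Want Assertions Signed will reject it")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        findings.append(f"Audience {audience!r} does not match the Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID missing or not in emailAddress format (Name ID Policy Format: Email)")
    attrs = extract_attributes(response)
    for label, name in REQUIRED_ATTRS.items():
        if not attrs.get(name):
            findings.append(f"missing {label} claim {name}")
    if want_groups and not attrs.get(GROUPS_ATTR):
        findings.append(f"no group claim {GROUPS_ATTR}; group mapping will not work")
    return findings


if __name__ == "__main__":
    for label, xml in (("good", SAMPLE_RESPONSE_XML), ("broken", SAMPLE_BROKEN_XML)):
        print(label, check_saml_response(encode_saml_response(xml), ACS_URL, ACS_URL) or "OK")
```

For a real capture, call `check_saml_response(<copied SAMLResponse>, redirect_uri, redirect_uri)` with the Redirect URI from the Cloud Portal as both arguments, since this setup uses it as the Entity ID as well as the Reply URL. The values returned by `extract_attributes` also show whether the group claim carries object IDs or names, which is what the Group import rows must be compared against.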