Microsoft Entra (formerly Azure AD) single sign-on setup

Ambassador Cloud supports single sign-on via SAML 2.0. To configure single sign-on, you will need to contact a member of the Ambassador Support team.

Single sign-on with Entra prerequisites

  • Ambassador Cloud Enterprise Subscription.
  • Cloud Application Administrator access to the Entra admin center for your organization.
  • Your unique, case-sensitive company ID provided by Ambassador Support.

Step 1: Create an Entra application

  1. Go to the Entra Admin console for your company.

  2. Browse to Identity > Applications > Enterprise applications.

  3. Select New application.

  4. Select Create your own application.

  5. Enter Ambassador Cloud as the app name, select option Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

  6. On the application page, select Properties, and upload the Ambassador Logo. Set the Visible to users? option to Yes and hit Save.

  7. On the application's page, select Single sign-on, and then select SAML as the sign-on method.

  8. Edit the Basic SAML Configuration.

  9. In the Identifier (Entity ID) field, click Add identifier and enter app.getambassador.io.

  10. Replace <company-id> with your case-sensitive company ID in the following URL, then copy the result to use in the next step:
    https://app.getambassador.io/auth/realms/production/broker/<company-id>/endpoint/clients/<company-id>

  11. In the Reply URL (Assertion Consumer Service URL) field, click Add identifier and enter the above URL (after inputting your case-sensitive company ID).

  12. In the Relay State (Optional) field, enter https://app.getambassador.io/cloud/ and click Save.

  13. Edit the Attributes & Claims.

  14. Click the Unique User Identifier (Name ID) claim.

  15. In Source attribute select user.mail and Save.

  16. Back on the Single sign-on screen, copy the App Federation Metadata Url value and give it to support to complete the configuration.

When your Application is created you should be able to see it in the MyApps portal.

Step 2: Assign your application to people or groups

  1. Go to Identity > Applications > Enterprise applications and select the Ambassador Cloud application.

  2. Select Users and groups and click Add user/group.

  3. Under the Users section, assign as many users/groups as required.

  4. Save your changes.

  5. Go to the application properties and make sure that the option Assignment required? is set to Yes.

Step 3: Test your application integration

Once your support contact has notified you that your SSO integration has been activated, you will want to test it to ensure that it is working properly. If these tests do not proceed as expected, then please schedule a live debug session with your Ambassador Support contact.

To test Identity Provider initiated Sign On, you should ensure that you are starting from a logged out browser with clean state by creating a new incognito session for each test.

  1. Go to MyApps portal.

  2. You should see the Ambassador Cloud application on your dashboard. If you do not, then make sure your user is added to the application as described in Step 2.

  3. Click on the Ambassador Cloud application. You should end up at the Ambassador Cloud website and be logged in.
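
If a test login fails, comparing the assertion Entra issued against the values entered in Step 1 narrows down the cause before a debug session. The following is an added example, not part of Ambassador's documentation or tooling: it assumes you have the base64-encoded SAMLResponse form field captured from your own browser session, the function names and the company ID AcmeCorp are hypothetical, and the sample assertion is constructed. It inspects values only and does not verify the XML signature.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "app.getambassador.io"  # Identifier (Entity ID), step 9
ACS_TEMPLATE = ("https://app.getambassador.io/auth/realms/production/broker/"
                "{cid}/endpoint/clients/{cid}")  # Reply URL, step 10


def check_assertion(saml_response_b64, company_id):
    """List mismatches against the Step 1 settings (no signature check)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems, expected_acs = [], ACS_TEMPLATE.format(cid=company_id)

    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include {ENTITY_ID}")

    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if expected_acs not in recipients:
        hint = ""
        if any(r and r.lower() == expected_acs.lower() for r in recipients):
            hint = " (differs only by case: the company ID is case sensitive)"
        problems.append(f"Recipient {recipients} != {expected_acs}{hint}")

    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS)
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        problems.append(f"NameID {name_id!r} is not an email; check step 15")
    return problems


def build_sample_response(company_id, name_id):
    # Constructed sample assertion, trimmed to the fields checked above.
    acs = ACS_TEMPLATE.format(cid=company_id)
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}"><saml:Assertion><saml:Subject>'
           f'<saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation>'
           f'<saml:SubjectConfirmationData Recipient="{acs}"/>'
           f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
           f'</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    sample = build_sample_response("acmecorp", "jane@example.com")
    print(check_assertion(sample, "AcmeCorp"))
```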