MS Azure AD SAML
The following manual configuration creates a SAML SSO configuration for your Enterprise organization.
Prerequisites
Ownerrole in an Enterprise organizationAdministrative access to your organization's Microsoft Azure AD portal
Supported features
This configuration supports the following:
Service provider initiated SSO
Single Log Out [optional]
Configuration steps
Before configuring SSO, you need to assign a namespace and download your service provider certificate in Make. These steps provide information you need to enter later.
Create your namespace in Make:
Go to Organization > SSO.
Under Namespace, enter the namespace you want for your organization, for example,
acme_corp. Your organization members enter this namespace when they log in via SSO.Under SSO type, select SAML 2.0.
Steps on Microsoft
Create a SAML application on Microsoft Entra ID
Log in to Microsoft Azure and go to Manage Microsoft Entra ID.
Click Enterprise applications.
Click + New Application.
Click + Create your own application.
Enter a name for your app and select Integrate any other application you don't find in the gallery.
Click Create.
Find 2. Set up single sign on and click Get started.
Click SAML.
Configure Basic SAML settings
For Basic SAML settings. click Edit and enter the following values:
Identifier (Entity ID)
Add
/metadata.xmlto the URL in the Redirect URL field of the SSO configuration in your Make organization.Example:
https://www.make.com/sso/saml/examplenamespace/metadata.mxlReply URL
You can find this URL in the Redirect URL field of the SSO configuration in your Make organization.
Note
Replace {namespace} with your actual namespace.
Example:
Your namespace is acmecorp
https://www.make.com/sso/saml/acmecorpSign on URL
Leave this field blank.
Relay State (Optional)
Leave this field blank.
Logout Url (Optional)
Leave this field blank.
Rename attributes
You need to rename items in the Attributes & Claims section for your Login IML resolve.
In the Attributes & Claims sections, click Edit.
Under Additional claims, find the value you want to edit and click that row.
Enter the new name in the Name field. Use the following chart to find the names required for your IML resolve.
email
user.mail
name
user.displayname
id
user.userprincipalname
Unique User Identifier
user.userprincipalname
Repeat steps 2 and 3 for each attribute you need to change.
Click Save.
Download the certificate
You need to download the base 64 SAML certificate from Microsoft Azure and upload it to the Identity Provider Certificate field of the SSO tab in your Make organization.
Find the SAML Certificates section of your single sign-on settings in the Microsoft Azure portal.
Next to Certificate (Base64), click Download.
Your browser automatically downloads the .cer file. Find this file and have it ready to upload later.
Steps on Make
Go to Organization > SSO.
Under Identity Provider Certificate, click Extract. A pop-up appears.
Under P12, PFX or PEM file, click Choose file and select the
.cerfile you downloaded.Enter the following information from Okta into the IdP login URL and Identity provider certificate fields.
Field on MS Azure AD
Field on Admin > System settings
Under 4 Set up:
Login URL
IdP login URL
Under 3 SAML certificates
Certificate (Base64)
Identity provider certificate
Enter the following in the Login IML resolve field:
{"email":"{{get(user.attributes.email, 1)}}","name":"{{get(user.attributes.profileFirstName, 1)}} {{get(user.attributes.profileLastName, 1)}}","id":"{{user.name_id}}"}Select the following settings:
Allow unencrypted assertions
Yes
Allow unsigned responses
No
Sign requests
Yes
Click Save.
Service Provider initiated SSO
Go to Make's login page.
Click Sign in with SSO.
Enter the namespace you chose for your organization.
Log in using your Okta credentials and consent to Make's access to your user data.
Troubleshooting
When you save the SSO configuration, you automatically receive an email with a link to bypass SSO login. Use this link to log in and adjust your configuration as needed.