# Integrating OpenIAM as your SP

In this flow, users open OpenIAM first. OpenIAM redirects them to Entra ID for authentication. After sign-in, Entra ID returns them to OpenIAM.

{% hint style="warning" %}
**Before you start:** complete [Configuring SSO](broken://pages/f695922ccec624e8dfe3f2933d26a033e3302d51) to ensure OpenIAM is set up to accept federation.
{% endhint %}

{% stepper %}
{% step %}

## Configure Entra ID

1. In Microsoft Entra ID, open **Enterprise applications**.

<figure><img src="/files/TQMiqvd0B5F6dMaN3KPQ" alt=""><figcaption></figcaption></figure>

2. Select **New application**.

<figure><img src="/files/imHNtzI7MKUZK2xRqWCj" alt=""><figcaption></figcaption></figure>

3. Select **Create your own application**. Enter a name for the application, then select the option for integrating any other application you don't find in the gallery.

<figure><img src="/files/qa9h118z8gv8spp41XHu" alt=""><figcaption></figcaption></figure>

4. After the application is created, open **Single sign-on** and select **SAML**.

<figure><img src="/files/zQjFDAjI5adNFPMwIC4U" alt=""><figcaption></figcaption></figure>

5. Set the basic SAML values. Replace the example values with your own.

<table><thead><tr><th width="240.33331298828125">Field</th><th>Value</th></tr></thead><tbody><tr><td>Identifier (Entity ID)</td><td>A unique value for the application. This becomes the <strong>SAML Issuer Name</strong> in OpenIAM.</td></tr><tr><td>Reply URL (Assertion Consumer Service URL)</td><td><code>https://{OpenIAMAddress}/idp/saml2/sp/login</code></td></tr><tr><td>Sign on URL</td><td><code>https://{OpenIAMAddress}/idp/saml2/sp/login?issuer={identifierOfApplication}</code></td></tr><tr><td>Logout URL</td><td><code>https://{OpenIAMAddress}/idp/saml2/sp/logout</code></td></tr></tbody></table>

<figure><img src="/files/OORgTtNcSkjU1hYB56Hg" alt=""><figcaption></figcaption></figure>

You can leave the remaining values at their defaults unless your environment requires changes.

6. After setup, download the signing certificate as a `.pem` file. You will need it in the next step.
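The values in the table above are what the SP side of the exchange is checked against: the Identifier (Entity ID) must appear as the assertion's Audience, and the Reply URL must match the response's Destination and the SubjectConfirmationData Recipient, inside the assertion's validity window. The following script is an added illustration of those consistency checks and is not OpenIAM's code; the SAML response is a constructed sample, the entity ID and host are placeholders, and signature verification (which OpenIAM performs with the certificate uploaded in the next step) is deliberately out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder values standing in for the Entra ID "Basic SAML Configuration" fields.
SP_ENTITY_ID = "urn:example:openiam-sp"                      # Identifier (Entity ID)
ACS_URL = "https://openiam.example.com/idp/saml2/sp/login"   # Reply URL (ACS)

# Constructed sample response (unsigned; signature handling is not shown here).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{ACS_URL}" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2023-12-31T23:55:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, sp_entity_id, acs_url, now, skew=timedelta(seconds=60)):
    """Return the list of mismatches between the response and the configured SP values."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != acs_url:            # response must be addressed to our ACS
        problems.append("Destination != Reply URL")
    a = resp.find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion"]
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url: # bearer confirmation bound to our ACS
        problems.append("Recipient != Reply URL")
    if sp_entity_id not in [e.text for e in a.findall(".//saml:Audience", NS)]:
        problems.append("Audience != Identifier (Entity ID)")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:                               # validity window with small clock skew
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("expired")
    return problems
```

An empty list means every configured value lined up; a non-empty list names the field whose Entra ID and OpenIAM values disagree, which is the usual cause of a failed test in the validation step.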
{% endstep %}

{% step %}

## Configure OpenIAM

1. In Webconsole, go to **Access Control → Authentication Providers** and create a new authentication provider for Entra ID SSO.

<figure><img src="/files/RNsQAs0jABJ7tHoh1BRc" alt=""><figcaption></figcaption></figure>

2. Create a role or group in OpenIAM. In its entitlements, link the resource from the authentication provider. Then assign that role or group to a test user.

<figure><img src="/files/g3NuOZqZEQ0TG3iIAH4C" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

## Upload the Entra ID Certificate

1. In Webconsole, go to **Access Control → Authentication Providers** and open the Entra ID SSO configuration.

<figure><img src="/files/uvAkExQeFZEAKE84Uib3" alt=""><figcaption></figcaption></figure>

2. In the **Signature** section, upload the `.pem` file downloaded from Entra ID.
{% endstep %}

{% step %}

## Validate the Configuration

1. In Entra ID, open your enterprise application.
2. Go to **Single sign-on → SAML**.
3. In section 5, select **Test**.

<figure><img src="/files/XQLeQAm3JYdaRxMX9xPx" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

## Additional notes

**User assignment:** By default, Entra ID users must be assigned to the application before they can sign in with SAML.

* To assign users or groups: go to **Enterprise applications → your application → Users and groups**.
* To allow anyone in the organization to sign in without individual assignment: go to **Properties** and set **Assignment required?** to **No**.

{% hint style="info" %}
**Auto-redirect to Entra ID:** To redirect users from the OpenIAM login page directly to Entra ID without showing the OpenIAM login form, add a redirect URL for the `idp/login` pattern in the target content provider:

`https://{OpenIAMAddress}/idp/saml2/sp/login?issuer={your_issuer}`
{% endhint %}
