Configure SAML with Microsoft Entra ID

Last modified: Thursday October 23, 2025.

Configure Microsoft Entra ID as your SAML IdP for Alta Video.

For detailed information on configuring Microsoft Entra ID as your SAML IdP, see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-setup-sso

Before you start

The configuration steps shown here are part of the process of configuring SAML SSO for Alta Video. To complete them, you will need:

  • Your Alta Video Entity ID
  • Your Alta Video ACS URL

To obtain them, see Configure Alta Video to enable SAML single sign-on.

Create an Alta Video cloud enterprise application

  1. Sign in to the Microsoft Entra admin center.
  2. Open Enterprise apps.
  3. Click + New application.
  4. Click + Create your own application.
  5. In the Name field, type a name for your Alta Video application.
  6. Click Create.

Create groups for your users

You can repeat these steps and create multiple Entra ID groups that correspond to your Alta Video user groups, such as administrators and operators.

  1. Open Groups.
  2. Click New group.
  3. Set Group type to Security.
  4. Enter a Group name, for example, Alta_Admins.
  5. Optional: Enter a description for the group.
  6. Set Membership type to Assigned.
  7. Click No owners selected. Select your user name and click Select.
  8. Click No members selected. Choose the required users.
  9. Click Create.

Add users to an existing group

You can add new users to existing groups after configuring you application.

  1. Open Groups > All groups.
  2. Select the required group.
  3. From Manage click Members.
  4. Click + Add members.
  5. Locate and select the required users and click Select.

Define app roles

You can repeat these steps and create multiple app roles that correspond to your Alta Video user roles, such as administrators and operators.

  1. Open App registrations.
  2. Select All applications.
  3. Locate and select your application.
  4. From Manage click App roles.
  5. Click + Create app role.
  6. Enter a display name, for example, Alta_Admins.
  7. For Allowed member types, select Users/Groups.
  8. In the Value field, enter the name of the relevant Alta Video user group, for example, Administrators.

    The text in the Value field must exactly match the name of the Alta Video role.

  9. Enter a description of the role.
  10. Select Do you want to enable this app role?.
  11. Click Apply.

Assign users, groups, and roles to your enterprise application

Repeat the following steps to add your users and groups to your application and assign them the required roles.

  1. Open Enterprise apps and select your Alta Video application.
  2. From Manage click Users and groups.
  3. Click + Add user/group.
  4. In Users and groups, click None selected.
  5. Select the required groups or individuals.
  6. Click Select.
  7. In Select a role, click None selected.
  8. Select the required role for these groups or users.
  9. Click Select.
  10. Click Assign.

Basic SAML Configuration

  1. Open Enterprise apps and select your Alta Video application.
  2. From Manage click Single sign-on.
  3. Click SAML.
  4. In the Basic SAML Configuration panel, click Azure Edit icon Edit.
    Azure Basic SAML configuration
  5. For Identifier (Entity ID), enter the Entity ID obtained from Alta Video.
  6. For Reply URL (Assertion Consumer Service URL), enter the ACS URL obtained from Alta Video.
  7. Click Save.

Configure Attributes & Claims

  1. Open Enterprise apps and select your Alta Video application.
  2. From Manage click Single sign-on.
  3. Click SAML.
  4. In the Attributes & Claims panel, click Azure Edit icon Edit.
    Azure AD User Attributes & Claims
  5. Define the user information (attributes) that Entra ID will send in the SAML assertion to the service provider:
    1. To configure the email attribute:
      1. Click Add new claim.
      2. For Name, enter AvaAwareEmail.
      3. For Source attribute, select user.mail

        Ensure that your Alta Video user profiles all include the Email address in the Contact info section.

      4. Click Save.
    2. To configure the username attribute:
      1. Click Add new claim.
      2. For Name, enter AvaAwareUsername.
      3. For Source attribute, select user.userprincipalname.
      4. Click Save.
    3. To configure the role attribute:
      1. Click Add new claim again.
      2. For Name, enter AvaAwareUserGroup.
      3. For Source attribute, select user.assignedroles.
      4. Click Save.
  6. In the Additional claims section, delete all other default claims, leaving only AvaAwareEmail, AvaAwareUserGroup, and AvaAwareUsername.
    Azure AD Required and Additional claims
  7. Click Save.

Configure and obtain the SAML Signing Certificate

  1. Open Enterprise apps and select your Alta Video application.
  2. From Manage click Single sign-on.
  3. Click SAML.
  4. In the SAML Signing Certificate panel, click Azure Edit icon Edit.
    Azure AD Signing certificate
  5. For the Signing Option, select Sign SAML response and assertion.
  6. Click Save.
  7. In the SAML Signing Certificate panel, locate Federation Metadata XML and click Download. You need to upload this information to your Alta Video cloud deployment.

Return to Configure Alta Video to enable SAML single sign-on to complete SSO configuration for your deployment.