The other with the configuration settings of the IdP; in this case, Azure.
Getting ready
Go to the service provider configuration (Sanity)
Go to Sanity Manage and select the organization you want to enable SSO for.
To navigate to the service provider configuration inside Sanity Manage:
In the organization you intend to add SSO to, go to Settings → SAML SSO.
If no SAML SSO provider exists, click Open SAML SSO configuration and proceed to create and configure a SAML SSO provider.
Go to the identity provider configuration (Azure)
To navigate to the identity provider configuration in Azure:
Log into Azure.
Go to Azure Active Directory.
On the sidebar, go to Enterprise applications.
In Enterprise applications:
Select an existing SAML application, or create a new enterprise application. When creating one, choose the option to integrate an application that is not in the gallery (a non-gallery application).
Go to Set up single sign-on and choose SAML as the sign-on method.
If you keep two browser tabs or windows open side by side, you should now have one on the configuration screen in Sanity Manage and the other on the configuration screen in Azure.
Configuring the Azure IdP
Basic SAML Configuration
In Azure, edit the Basic SAML Configuration form.
Add an Identifier (Entity ID) to the basic SAML configuration. Inside Sanity Manage, this ID corresponds to the Sanity entity ID.
Add a Reply URL (Assertion Consumer Service URL). Inside Sanity Manage, this URL corresponds to the Sanity callback URL.
Click Save.
Attributes & Claims
Required Claim
In Azure, edit the Attributes & Claims form.
Edit the Unique User Identifier (Name ID) claim, and change the Name identifier format to Persistent. A persistent Name ID is a stable, opaque identifier for the user, so the Sanity account stays linked to the same Azure user even if the user's email address or display name changes.
Click Save.
Additional Claims
Now configure Azure to send the claims that Sanity requires, in the form Sanity expects. The claims (attributes) Sanity expects are listed inside Sanity Manage.
For each claim:
Ensure the claim Name matches the attribute name listed in Sanity Manage exactly.
Ensure the Namespace field is empty (delete the default namespace Azure fills in). Otherwise the claim is sent under a long URI name such as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, which Sanity will not match to the bare attribute name.
Ensure the Name format is set to Unspecified.
Ensure the Source attribute is mapped correctly. This varies, and it depends on the specific Azure Active Directory configuration.
Once all claims have been added, the claims list in Azure should show them under their bare names.
Sanity requires user.firstName and user.surname. The example mapping sends user.displayname for both, so both claims carry the user's display name; map them to the Azure source attributes user.givenname and user.surname instead if Sanity should receive the actual first and last names.
Group Claims
Enterprise customers can map user identity provider roles to service provider roles. For example, users with an Azure example-azure-user-role role are mapped to the Sanity viewer role when they log in.
To support the mapping functionality, you must configure the identity provider to send the user's groups.
Sanity Manage expects a claim named groups with the Name format set to Unspecified.
In Azure, add a new group claim:
Select the groups that you want Azure to send to Sanity, and give the claim the name Sanity expects (groups):
Once you're done, save the changes.
Configuring the Sanity Service Provider
Sign-On URL and Issuer
In Azure, browse to the Set up {application name} block:
Copy the Azure login and issuer values, and add them to the Your Identity Provider details configuration section inside Sanity Manage:
In this scenario:
The Azure Login URL maps to the Sanity Identity Provider Single Sign-On URL.
The Azure AD Identifier maps to the Sanity Identity Provider issuer.
InResponseTo
In the SAML specification, InResponseTo is defined as
The ID of a SAML protocol message in response to which an attesting entity can present the assertion.
This setting is identity provider-specific. Azure doesn't support it, so ensure that Enable InResponseTo is deselected. Be aware of the trade-off: InResponseTo is what ties a SAML response to an authentication request the service provider actually sent. With the check disabled, the service provider cannot reject unsolicited (IdP-initiated) responses on that basis, so the remaining protection comes from the assertion signature, the audience restriction and the validity window.
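The following is an added example, not code from the Sanity or Azure documentation. It covers the Basic SAML Configuration, Attributes & Claims, Group Claims and InResponseTo sections above: a script that decodes a SAMLResponse captured from the browser (for example with a SAML tracer extension) and checks that Azure actually sends what those sections tell you to configure. The entity ID, callback URL, tenant ID, group values and the list of required claim names are placeholders to replace with the values shown in Sanity Manage; the response itself is constructed and unsigned so the checks run offline. The script deliberately does not verify the XML signature, which remains the service provider's job.

```python
"""Offline check of a SAML Response captured from Azure AD (added example).

The constructed response below has a placeholder tenant, entity ID, callback
URL and group values, and no XML signature, so the checks can run offline.
In practice, paste the base64 SAMLResponse value captured in the browser.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Placeholders: copy the real values from the Sanity service provider details.
ENTITY_ID = "urn:example:sanity-sp"
CALLBACK_URL = "https://sp.example.com/saml/callback"
# Assumption: the claims this page names; replace with the full Sanity Manage list.
REQUIRED_CLAIMS = ("firstName", "surname", "groups")

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{CALLBACK_URL}"
    InResponseTo="_req42">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <saml:Subject><saml:NameID Format="{PERSISTENT}">p-123</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName" NameFormat="{UNSPECIFIED}">
        <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname" NameFormat="{UNSPECIFIED}">
        <saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups" NameFormat="{UNSPECIFIED}">
        <saml:AttributeValue>example-azure-user-role</saml:AttributeValue>
        <saml:AttributeValue>example-azure-admin-role</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text: str) -> str:
    """Base64-encode XML the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


def parse_response(saml_response_b64: str) -> ET.Element:
    """Decode a SAMLResponse form value into an element tree."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def basic_config_problems(root: ET.Element) -> list[str]:
    """Reply URL and Entity ID from Basic SAML Configuration must come back as
    Destination and Audience, or the service provider rejects the response."""
    problems = []
    if root.get("Destination") != CALLBACK_URL:
        problems.append(f"Destination {root.get('Destination')!r} != callback URL")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} lacks entity ID {ENTITY_ID!r}")
    return problems


def claim_problems(root: ET.Element) -> list[str]:
    """NameID must be persistent; each required claim must appear under its bare
    name (Azure's default Namespace deleted) with an unspecified name format."""
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID missing or not in persistent format")
    attrs = {a.get("Name"): a for a in root.findall(".//saml:Attribute", NS)}
    for name in REQUIRED_CLAIMS:
        attr = attrs.get(name)
        if attr is None:
            # A leftover Namespace produces names such as
            # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/<name>
            namespaced = [n for n in attrs if n and n.endswith("/" + name)]
            hint = f" (found {namespaced[0]!r}: delete the Namespace in Azure)" if namespaced else ""
            problems.append(f"claim {name!r} missing{hint}")
        elif attr.get("NameFormat") not in (None, UNSPECIFIED):
            problems.append(f"claim {name!r} NameFormat {attr.get('NameFormat')!r} is not unspecified")
    return problems


def groups(root: ET.Element) -> list[str]:
    """Values of the groups claim: the input to the role mapping in Sanity."""
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == "groups":
            return [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return []


def in_response_to_problems(root: ET.Element, issued_request_ids, enforce=True) -> list[str]:
    """With Enable InResponseTo on, the response must echo an AuthnRequest ID the
    SP issued, tying it to that login attempt. With it off (this page's Azure
    setting) unsolicited, IdP-initiated responses pass this check unexamined."""
    if not enforce:
        return []
    irt = root.get("InResponseTo")
    if irt is None:
        return ["InResponseTo absent (unsolicited response) while enforcement is on"]
    if irt not in issued_request_ids:
        return [f"InResponseTo {irt!r} matches no outstanding AuthnRequest"]
    return []


def check(saml_response_b64: str, issued_request_ids=(), enforce_in_response_to=False) -> list[str]:
    """Run all checks; an empty list means the response matches the configuration."""
    root = parse_response(saml_response_b64)
    return (basic_config_problems(root) + claim_problems(root)
            + in_response_to_problems(root, set(issued_request_ids), enforce_in_response_to))


if __name__ == "__main__":
    b64 = encode_response(SAMPLE_RESPONSE_XML)
    print("problems:", check(b64))
    print("groups:", groups(parse_response(b64)))
```

Run it against a real capture by replacing SAMPLE_RESPONSE_XML with the decoded response, or by passing the raw base64 value straight to check(). The namespace hint in claim_problems is the most common finding when a claim appears to be "missing": Azure kept its default namespace because the Namespace field was not cleared.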
Signed SAML Assertion
The Signed SAML Assertion option tells Sanity that the identity provider has been configured with the signing certificate shown in the Sanity service provider details section.
Uploading that certificate in Azure is optional and is done under Verification certificates:
Unless you have already uploaded the certificate there, leave Want assertion signed deselected under Signed SAML Assertion.