Unlock seamless workflows and faster delivery with our latest releases – get the details
Last updated December 12, 2023

Set up SSO authentication with SAML and Azure

By Benjamin Weinberger & Saskia Bobinska

Configure and enable SSO authentication in your Sanity instance using the SAML protocol and Microsoft Azure AD as an identity provider (IdP.)

During the setup and configuration process, it's a good idea to keep two windows side by side:

  • One with Sanity Manage.
  • The other with the configuration settings of the IdP; in this case, Azure.

Getting ready

Go to the service configuration (Sanity)

Go to Sanity Manage and select the organization you want to enable SSO for.

To navigate to the service provider configuration inside Sanity Manage:

  1. In the organization you intend to add SSO to, go to Settings → SAML SSO.
  2. If no SAML SSO provider exists, click Open SAML SSO configuration and proceed to create and configure a SAML SSO provider.

Go to the service configuration (Azure)

To navigate to the identity provider configuration in Azure:

  1. Log into Azure.
  2. Go to Azure Active Directory.
  3. On the sidebar, go to Enterprise applications.
In Azure, go to Services, and then select Azure Active Directory.
On the sidebar, select Enterprise applications.

In Enterprise applications:

  1. Select an existing SAML application or create a new enterprise application.
    If you create a new application, you can also integrate any other applications not available in the gallery.
  2. Go to Set up single sign on, and then choose the SAML sign-on method to use.
Set up single sign-on.
Choose the SAML single sign-on method to use.

If you're keeping two browser tabs or windows open side by side, now you should have one on the configuration screen inside Sanity Manage, and the other on the configuration screen in Azure.

Configuring the Azure IdP

Basic SAML Configuration

  1. In Azure, edit the Basic SAML Configuration form.
  2. Add an Identifier (Entity ID) to the basic SAML configuration.
    Inside Sanity Manage, this ID corresponds to the Sanity entity ID.
  3. Add a Reply URL (Assertion Consumer Service URL).
    Inside Sanity Manage, this URL corresponds to the Sanity callback URL.
  4. Click Save.
Edit the Basic SAML Configuration form.
The Entity ID in Azure corresponds to the Sanity entity ID inside Sanity Manage.
The Reply URL (Assertion Consumer Service URL) in Azure corresponds to the Sanity callback URL inside Sanity Manage.

Attributes & Claims

Required Claim

  1. In Azure, edit the Attributes & Claims form.
  2. Edit the Unique User Identifier (Name ID) claim, and change the Name identifier format to Persistent.
  3. Click Save.
Edit the Attributes & Claims form.
Edit the Unique User Identifier (Name ID) claim.
Change the Name identifier format to Persistent.

Additional Claims

Now, configure Azure to send the claims that Sanity requires in the expected form.
The claims (attributes) that Sanity expects are listed inside Sanity Manage:

Inside Sanity Manage you can view the claims (attributes) that Sanity requires from Azure.

For each claim:

  1. Ensure the claim Name matches the attribute name in the table above.
  2. Ensure the Namespace is deleted.
  3. Ensure the Name format is set to Unspecified.
  4. Ensure the Source attribute is mapped correctly. This varies, and it depends on the specific Azure Active Directory configuration.
In the form, set the appropriate values for each claim.

Once all claims have been added:

The mapping of Azure claims and the corresponding Sanity attributes.

Sanity requires user.firstName and user.surname. The mapping in the example replaces both fields with user.displayname.

Group Claims

Enterprise customers can map user identity provider roles to service provider roles. For example, users with an Azure example-azure-user-role role are mapped to the Sanity viewer role when they log in.

  • To support the mapping functionality, you must configure the identity provider to send the groups of the user.
  • To do so, Sanity Manage expects a groups claim with the format set to unspecified.
Inside Sanity Manage, set Name to groups and Format to unspecified.

In Azure, add a new group claim:

In Azure, select + Add a group claim.

Select the groups that you want Azure to send to Sanity, and assign the group claim a descriptive name:

In Azure, select the groups used to populate SAML tokens issued to Sanity.

Once you're done, save the changes.

Configuring the Sanity Service Provider

Sign-On URL and Issuer

In Azure, browse to the Set up {application name} block:

In Azure, go to the application setup to get the Azure URLs for login and authentication.

Get the Azure URLs for login and authentication, and add them to the Your Identity Provider details configuration section inside Sanity Manage:

In Your Identity Provider details, set the Azure URLs for login, auth, and logout.

In this scenario:

  1. Azure Login URL maps to Sanity Identity Provider Single Sign-On URL.
  2. Azure Azure AD Identifier maps to Sanity Identity Provider issuer.

InResponseTo

In the SAML specification, InResponseTo is defined as

The ID of a SAML protocol message in response to which an attesting entity can present the assertion.

This setting is identity provider-specific. Azure doesn’t support it. Therefore, ensure that Enable InResponseTo is deselected/disabled.

Enable InresponseTo must be disabled/deselected.

Signed SAML Assertion

The Signed SAML Assertion option notifies the Sanity instance that the identity provider is configured to use the signing certificate found in the Sanity service provider details section.

Example certificate in the Signing certificate section.

This is an optional step configured in Verification certificates:

Verification certificate is an optional step to configure signing certificates with a signed assertion.

Unless you have already uploaded the certificate, leave the Want assertion signed deselected under Signed SAML Assertion.

If no certificate has been uploaded, leave Want assertion signed deselected under Signed SAML Assertion.

X.509 Certificate

To get an X.509 certificate:

  1. Go to SAML Certificates and click Edit.
  2. Download the certificate as PEM certificate download.
  3. Open the downloaded certificate file with any text editor, and copy-paste the certificate content into Sanity Manage.
Click Edit in SAML Certificates.
Select PEM certificate download.
Paste the certificate body into Sanity Manage.

Save

Ensure you save all changes inside Sanity Manage and in Azure.

Further reading

Sanity – build remarkable experiences at scale

Sanity Composable Content Cloud is the headless CMS that gives you (and your team) a content backend to drive websites and applications with modern tooling. It offers a real-time editing environment for content creators that’s easy to configure but designed to be customized with JavaScript and React when needed. With the hosted document store, you query content freely and easily integrate with any framework or data source to distribute and enrich content.

Sanity scales from weekend projects to enterprise needs and is used by companies like Puma, AT&T, Burger King, Tata, and Figma.

Other guides by authors

Beginners guide to Portable Text

Discover the power of Portable Text with this essential guide. From data structure, serialisation to validation strategies, you'll learn everything you need to harness its potential.

Saskia Bobinska
Go to Beginners guide to Portable Text