Unable to see SSO login option after configuring SAML in Enterprise Application

Oliver 20 Reputation points
2026-04-17T15:00:04.93+00:00

I configured SAML-based Single Sign-On for an Enterprise Application in Microsoft Entra ID. I completed the basic SAML configuration by adding Identifier (Entity ID), Reply URL, and Sign-on URL, and also downloaded the metadata XML and shared it with the application team.

Configuration status in Entra portal is showing as completed, but when users try to access the application, they are still getting the normal application login page instead of SSO redirect.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

VEMULA SRISAI 13,135 Reputation points Microsoft External Staff Moderator
2026-04-17T15:16:25.56+00:00

Hello Oliver,

Your SAML configuration in Microsoft Entra ID appears to be correct. This behavior is expected and usually depends on how the application initiates authentication.

Configuring SAML SSO in an Enterprise Application only sets up Microsoft Entra ID as the Identity Provider (IdP). If users access the application directly via its URL, the application must support and be configured for SP‑initiated SAML or redirect unauthenticated users to Entra ID. Otherwise, the application will continue to show its native login page.

What you should check next:

  • Test the application launch from https://myapps.microsoft.com. If SSO works from My Apps, it confirms Entra ID is working as expected.
  • Confirm with the application team that:
    • Entra ID metadata has been imported
    • SAML authentication is enabled in the application
    • Entra ID is set as the default authentication method
  • Ensure the affected users are assigned to the Enterprise Application.

https://learn.microsoft.com/en-in/entra/identity/enterprise-apps/what-is-single-sign-on

1 person found this answer helpful.

1 additional answer

  1. AI answer

    2026-04-17T15:00:33.61+00:00

    Check the following areas to ensure SAML SSO is actually invoked instead of the app’s local login page:

    1. Verify the SSO flow being used
    • If the app is configured for IdP‑initiated SSO, users must start from the My Apps / Entra access panel or the Enterprise application’s “Test” link, not directly from the app URL.
    • For SP‑initiated SSO, the application itself must be configured (by the app team) to redirect to Microsoft Entra ID using the Identifier (Entity ID) and Login URL from the Entra SAML configuration. If the app is not redirecting, it will continue to show its normal login page.
    2. Confirm Basic SAML configuration matches what the app expects
    • In Enterprise apps → [Your App] → Single sign-on → SAML → Basic SAML Configuration, confirm:
      • Identifier (Entity ID) exactly matches what the application is configured to use.
      • Reply URL (Assertion Consumer Service URL) is the ACS endpoint the app team provided.
      • Sign-on URL is the URL where the app initiates SSO (if using SP‑initiated flow).
    • If the app is from the gallery and you cannot save the Identifier/Reply URL, ensure the values match the preconfigured patterns for that app. If they do not match, work with the vendor to get values that fit the supported pattern; otherwise SSO may not be invoked correctly.
    3. Ensure the application side is configured with Entra as IdP
    • The app team must import the Federation Metadata XML or configure:
      • Login URL (SAML endpoint)
      • Microsoft Entra Identifier (issuer)
      • SAML signing certificate from Entra.
    • If the relying party STS or application is not using this metadata, it will not redirect users to Entra and will continue to show its own login form.
    4. Test the SSO flow end‑to‑end
    • Use a private browser session.
    • For SP‑initiated SSO (via a relying party STS):
      1. Browse to the application URL and initiate login.
      2. Confirm the app redirects to the relying party STS (if present), then to https://login.microsoftonline.com (Entra).
      3. After sign‑in, verify the browser is redirected back to the configured Reply URL and the app receives the SAML token.
    • If any of these redirects do not occur, the issue is on the application/STS side, not in Entra.
    5. Use the Entra “Test” option
    • In Enterprise apps → [Your App] → Single sign-on, use the Test button to validate that Entra can issue a SAML token and that the reply URL is reachable. If this works but direct access to the app does not, the app is not initiating SSO correctly.

    If, after these checks, users still see the normal login page, the application team must adjust the app’s authentication settings (or relying party STS configuration) so that it either enforces SAML SSO or provides a “Sign in with Microsoft Entra ID” option that triggers the SAML redirect.


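An added example, not part of either answer above and not Microsoft's tooling: a Python check for the SP-initiated test described in the answers. It takes the redirect URL captured from the browser, decodes the `SAMLRequest` parameter (HTTP-Redirect binding), and compares the Issuer and ACS URL with the Identifier and Reply URL entered in Basic SAML Configuration. The `app.example.com` values and the all-zero tenant ID are constructed placeholders, and the host check assumes the app redirects straight to Entra with no relying party STS in between.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_authn_request(redirect_url):
    """Extract the fields Entra matches on from a captured SP-initiated redirect."""
    url = urlparse(redirect_url)
    params = parse_qs(url.query)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter: the app did not start SAML SSO")
    # HTTP-Redirect binding: base64 of a raw DEFLATE stream (no zlib header).
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    # Input is a request captured from your own browser; use defusedxml for untrusted XML.
    root = ET.fromstring(xml)
    return {"idp_host": url.netloc,
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "acs_url": root.get("AssertionConsumerServiceURL")}

def check_against_entra(redirect_url, identifier, reply_urls):
    """Compare the request with Basic SAML Configuration; return a list of mismatches."""
    req = decode_authn_request(redirect_url)
    problems = []
    if req["idp_host"] != "login.microsoftonline.com":
        problems.append(f"redirect goes to {req['idp_host']}, not Entra")
    if req["issuer"] != identifier:  # exact, case-sensitive comparison
        problems.append(f"Issuer {req['issuer']!r} != Identifier {identifier!r}")
    if req["acs_url"] and req["acs_url"] not in reply_urls:
        problems.append(f"ACS URL {req['acs_url']!r} is not a configured Reply URL")
    return problems

def sample_redirect(issuer, acs_url):
    """Constructed sample: the redirect a correctly configured app would send."""
    authn = (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             f'xmlns:saml="{NS["saml"]}" ID="_constructed1" Version="2.0" '
             f'IssueInstant="2026-04-17T15:00:00Z" AssertionConsumerServiceURL="{acs_url}">'
             f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(wbits=-15)
    body = deflater.compress(authn.encode()) + deflater.flush()
    # Placeholder tenant ID; the real Login URL comes from the Entra SAML page.
    return ("https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2?"
            + urlencode({"SAMLRequest": base64.b64encode(body).decode()}))

if __name__ == "__main__":
    url = sample_redirect("https://app.example.com/sp", "https://app.example.com/saml/acs")
    print(check_against_entra(url, "https://app.example.com/sp",
                              ["https://app.example.com/saml/acs"]))
```

A `ValueError` from `decode_authn_request` on the URL the browser lands on means the application never issued a SAML request, which is the native-login-page symptom in the question.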
