Set up a SAML 2.0 provider

SAML 2.0 identity providers are services that conform to the SAML 2.0 specification. SAML can be used for single sign-on (SSO) authentication to allow employees to easily access cloud applications without having to maintain multiple credentials.

To allow users to authenticate to your Power Pages site, you can add one or more SAML 2.0–compliant identity providers. This article describes the steps to do so.

Note

Changes to your site's authentication settings might take a few minutes to be reflected on the site. To see the changes immediately, restart the site in the admin center.

Set up the SAML 2.0 provider in Power Pages

  1. In your Power Pages site, select Security > Identity providers.

    If no identity providers appear, make sure External login is set to On in your site's general authentication settings.

  2. Select + New provider.

  3. Under Select login provider, select Other.

  4. Under Protocol, select SAML 2.0.

  5. Enter a name for the provider; for example, Microsoft Entra ID.

    The provider name is the text on the button that users see when they select their identity provider on the sign-in page.

  6. Select Next.

  7. Under Reply URL, select Copy.

    Don't close your Power Pages browser tab. You'll return to it soon.

Create an app registration in the identity provider

  1. Create and register an application with your identity provider using the reply URL you copied.

  2. Find the application's endpoints and copy the Federation metadata document URL.

  3. In a new browser tab, paste the federation metadata document URL you copied.

  4. Copy the value of the entityID tag in the document.

Enter site settings in Power Pages

Return to the Power Pages Configure identity provider page you left earlier and enter the following values. Optionally, change the additional settings as needed. Select Confirm when you're finished.

  • Metadata address: Paste the federation metadata document URL you copied. The metadata address must be publicly accessible and served over HTTPS with a publicly trusted SSL certificate.

  • Authentication type: Paste the entityID value you copied.

  • Service provider realm: Enter your site's URL.

  • Assertion service consumer URL: If your site uses a custom domain name, enter the custom URL; otherwise, leave the default value, which should be your site's reply URL. Be sure the value matches the redirect URI of the application you created exactly.
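The federation metadata document you open in step 3 above is an XML file; the entityID and the identity provider's sign-on endpoints can be read from it directly. The following script is an added example (not Power Pages or Microsoft code): it parses a constructed sample metadata document with placeholder hosts, extracts the values the Configure identity provider page asks for, and applies the HTTPS and public-reachability checks a metadata address should pass before you paste it.

```python
"""Parse a SAML 2.0 IdP federation metadata document and extract the values
the Power Pages form asks for. Added example; the metadata below is constructed
and uses hypothetical hosts (idp.example.test)."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: a minimal IdP EntityDescriptor with one signing key and
# two SingleSignOnService bindings. The certificate body is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml2/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER_BASE64_CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml2/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints keyed by binding, and signing-key count."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document root is not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        # SP metadata or a malformed document: nothing here to sign users in with.
        raise ValueError("no IDPSSODescriptor; this metadata does not describe an IdP")
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")}
    # KeyDescriptor without a 'use' attribute may be used for both signing and encryption.
    signing = [k for k in idp.findall(f"{{{MD_NS}}}KeyDescriptor") if k.get("use", "signing") == "signing"]
    return {"entity_id": root.get("entityID"), "sso_endpoints": sso, "signing_keys": len(signing)}


def check_metadata_address(url: str) -> list:
    """Return a list of problems with a metadata address; an empty list means it passes."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("metadata address must use https")
    host = parsed.hostname or ""
    # Power Pages fetches the document from its own servers, so loopback and
    # RFC 1918 hosts will not be reachable (simplified private-range check).
    if host in ("", "localhost") or host.startswith(("127.", "10.", "192.168.")):
        problems.append("metadata address must be publicly reachable")
    return problems


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
    print(check_metadata_address("http://localhost/metadata.xml"))
```

Because Power Pages does not accept the document from your browser but fetches it itself, run the address check against the exact URL you intend to paste into Metadata address.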

Additional settings in Power Pages

The additional settings give you finer control over how users authenticate with your SAML 2.0 identity provider. All of them are optional; you don't need to set any of these values.

  • Validate audience: Turn on this setting to validate the audience during token validation.

  • Valid audiences: Enter a comma-separated list of audience URLs.

  • Contact mapping with email: This setting determines whether contacts are mapped to a corresponding email address when they sign in.

    • On: Associates a unique contact record with a matching email address and automatically assigns the external identity provider to the contact after the user successfully signs in.
    • Off

See also

Set up a SAML 2.0 provider with Microsoft Entra ID
Set up a SAML 2.0 provider with AD FS
SAML 2.0 FAQ