
Microsoft Entra ID enterprise connection (SAML)

Kinde supports the use of Microsoft Entra ID (SAML) as an enterprise-level authentication method. This service was formerly known as Azure AD.


If you are importing users into Kinde, their Entra ID identity is picked up and matched to the relevant connection by email address, giving them a seamless transition to Kinde.

Before you begin

  • You need a Microsoft developer account to register an application.
  • Test the connection in a non-production environment before activating in a live environment.

Advanced configurations


Depending on your SAML set up, you may need to include advanced configurations for your connection. See Advanced SAML configurations.

Step 1: Add the connection in Kinde


Add a connection for a specific organization

  1. Go to Organizations and open the organization.
  2. In the menu, select Authentication, then select Add connection.
  3. In the Add connection window, select New enterprise connection, then click Next.
  4. Select the Microsoft connection type you want and then select Next. Currently we support WS Federated and OpenID types.
  5. Next: ‘Step 2: Configure the connection’.

Add a connection that can be shared across multiple organizations

  1. Go to Settings > Environment > Authentication.
  2. Scroll to the Enterprise connection section and select Add connection. The Add connection window opens.
  3. Select the Microsoft connection type you want and then select Next. Currently we support WS Federated, SAML, and OpenID types.
  4. Next: ‘Step 2: Configure the connection’.

Step 2: Configure the connection in Kinde

  1. Enter a Connection name. Make this something you can easily identify, especially if you are adding multiple connections for different business customers.

  2. For the Entity ID, enter a random string such as hEb876ZZlkg99Dwat64Mnbvyh129. Keep a copy of the string, as you will add it to your SAML application later. Note that some older Entra ID tenants require the Entity ID to have the prefix `spn:`. If your connection fails, this could be why.

  3. Enter the IdP metadata URL. This URL comes from your identity provider. If you don’t know it, enter any URL and update this later.

  4. Enter a sign-in URL if your IdP requires a specific URL.


  5. If you want, select the Sign request algorithm and Protocol binding. The options you choose will depend on what your identity provider prefers or requires.

  6. Select a Name ID format. This helps identify and link user identities between your IdP and Kinde.

  7. Enter an Email key attribute. This is the attribute in the SAML token that contains the user’s email. Setting this value ensures that the email address returned in the SAML response is correctly retrieved. We do not recommend leaving this field blank, but if you do, we will set ‘email’ as the attribute.

  8. (Optional) Add a first name and last name attribute.

  9. Enter Home realm domains. This speeds up the sign in process for users of those domains. Note that all home realm domains must be unique across all connections in an environment. For more information, see Home realm domains or IdP discovery.


  10. If you use home realm domains, the sign-in button is hidden on the auth screen by default. To show the SSO button, select the Always show sign-in button option.

  11. Copy the relevant reply URL:

    1. If you don’t use a custom domain, copy the ACS URL.
    2. If you do use a custom domain, select the Use custom domain instead option and copy the custom domain URL. Later, add this URL to your identity provider configuration.


  12. If you want to enable just-in-time (JIT) provisioning, select the Create a user record in Kinde option. This saves time adding users manually or via API later.

  13. Select Trust email addresses provided by this connection if you want to treat this connection as a trusted provider.

  14. If you want users to be logged out of all applications that use this connection when they log out of your app, switch on the Single logout option in the Logout experience section.

    1. Enter the Single logout endpoint URL. This needs to be supplied by the customer.
    2. Copy and provide the Logout URL to the customer to add to their IdP configuration.
  15. Enter any upstream params that you want to pass to the identity provider. Not all providers support this, so check their documentation first.

  16. Select Save.

Step 3: Create and configure an Entra ID enterprise application

  1. On the Microsoft Entra admin center home screen, select Applications > Enterprise Applications.

  2. Select New application and in the next screen select Create your own application. A side panel opens.

  3. Enter the name for the application.

  4. Select the Integrate any other application you don’t find in the gallery (Non-gallery) option and then select Create. It can take a few seconds for the application to be created.

  5. Select Get started on the ‘2. Set up single sign-on’ tile, then select the SAML tile.

  6. Edit the Basic SAML Configuration. The side panel opens.


  7. Select Add identifier, then enter the same random string you used for the Entity ID in Kinde, e.g. hEb876ZZlkg99Dwat64Mnbvyh129.

  8. Select Add reply URL and paste the ACS URL that you copied from the connection configuration screen in Kinde.

  9. If you plan to use single logout for this connection, add the ACS URL to the Logout URL (Optional) field.

  10. Select Save.

  11. In section 4 (the Set up [app] section), copy the Logout URL. This needs to be added back into the connection configuration in Kinde.

  12. Close the panel.

  13. Select Edit on the Attributes & Claims section. Copy the values of the identifiers (Principal name, Given name, Surname).

  14. In the SAML certificates section, copy the App federation metadata URL. You’ll add this as the IdP metadata URL in the Kinde connection.

  15. Download the Federation metadata XML file. This is the SAML signed certificate.

Step 4: Finish configuring the connection in Kinde

  1. Open the SAML connection in Kinde, via Organization > Authentication or via Settings > Authentication.
  2. Paste in the data you got from the SAML app:
    • IdP metadata URL
  3. Update the attributes
    • Email key attribute (Email), such as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • First name attribute (Given name), such as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    • Last name attribute (Surname), such as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  4. (Optional) If you want to sign the SAML HTTP request:
    1. Open the Federation Metadata XML file in a text editor.
    2. Copy the certificate and private contents of the file to the Sign SAML request section.
  5. Paste them into the Signing certificate field in the Kinde connection.
  6. If you are using the single logout function, paste the Logout URL from your Entra ID SAML app in the Logout experience section.
  7. Switch on the connection. This will make it instantly available to users if this is your production environment.
    1. For environment-level connections, scroll down and select the apps that will use the auth method.
    2. For organization-level connections, scroll down and select if you want to switch this on for the org.
  8. Select Save.

Step 5: Test the connection


Make sure you test the connection before enabling in production for your users.

  1. Go to your test application and attempt to sign in.
  2. If you left the Home realm domains field blank in Kinde, when you launch your application, you should see a button to sign in. Click it and go to step 4.
  3. If you completed the Home realm domains field, you should be redirected immediately to your IdP sign-in screen.
  4. Enter your IdP details and complete any additional authentication required.

Sign out behaviour for user sessions


Unless you selected the Single logout option in the Kinde connection configuration above, when users sign out of this connection in your app, they are only signing out of Kinde. They are not signed out of Entra ID itself. Social connections, where a third party is the identity provider, work the same way.

(Optional) Sync Entra ID (SAML) attributes with Kinde


If you want to use additional attributes from Entra ID (SAML), you can sync them from the SAML assertion into Kinde custom user properties using a Post Authentication workflow.

Workflow example: syncAttributesSamlWorkflow.ts

Step 1: Add attribute and group claims to your Entra ID (SAML) app

  1. On the Microsoft Entra admin center home screen, go to Enterprise apps and open your application.
  2. Select Single sign-on, then select SAML.
  3. In the Attributes & Claims section, select Edit.
  4. Add the claims you want to send in the SAML assertion (for example: phone_number, user_type, and groups).
  5. Make sure the claim Name you configure in Entra ID matches one of the values in the workflow’s samlNames list.
  6. Select Save.

Step 2: Create custom user properties in Kinde

  1. In Kinde, go to Settings > Data management > Properties.
  2. Select Add property and create a User property for each SAML attribute you want to store (for example: phone_number, user_type, groups).
  3. Make sure each property key matches the workflow’s kindeKey value for that attribute.
  4. If you want these properties to be available in tokens, switch off the Private option for each property.
  5. Select Save.

Step 3: Add and deploy the workflow

  1. Add the workflow file to your Kinde workflows repository (or copy the example into your existing workflows repo).
  2. Create an M2M application and enable the following scope:
    • update:user_properties
  3. In Kinde, go to Settings > Environment variables and set:
    • KINDE_WF_M2M_CLIENT_ID
    • KINDE_WF_M2M_CLIENT_SECRET (mark as sensitive)
  4. Update the workflow configuration to match your Entra ID claims:
    • samlNames is the list of SAML claim names to look for (what Entra ID sends)
    • kindeKey is the Kinde user property key to write the value into
    • Add new entries to sync additional SAML attributes
    • Set multiValue: true for multi-value claims (for example, groups)
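The mapping the workflow performs, as an added example that is not Kinde’s syncAttributesSamlWorkflow.ts and makes no API calls: it takes a flattened SAML assertion and the same samlNames / kindeKey / multiValue configuration shape described above, and also covers the three claim URIs from Step 4 of the main setup. The property keys first_name and last_name, and the comma join for multi-value claims, are assumptions.

```typescript
// Added illustration of the attribute sync; not Kinde's workflow code.
interface AttributeMapping {
  samlNames: string[];   // SAML claim names Entra ID may send; first match wins
  kindeKey: string;      // Kinde user property key to write the value into
  multiValue?: boolean;  // true for claims that carry several values, e.g. groups
}

// An assertion's AttributeStatement flattened to claim name -> attribute values.
type SamlAttributes = Record<string, string[]>;

const CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/";

// Mapping table: the three claims from Step 4 plus the custom claims from the
// sync section. Keys other than the custom property names are assumed here.
const MAPPINGS: AttributeMapping[] = [
  { samlNames: [`${CLAIMS}emailaddress`, "email"], kindeKey: "email" },
  { samlNames: [`${CLAIMS}givenname`], kindeKey: "first_name" },
  { samlNames: [`${CLAIMS}surname`], kindeKey: "last_name" },
  { samlNames: ["phone_number"], kindeKey: "phone_number" },
  { samlNames: ["user_type"], kindeKey: "user_type" },
  { samlNames: ["groups"], kindeKey: "groups", multiValue: true },
];

// Builds the { propertyKey: value } payload for one user. Claims absent from
// the assertion are skipped, so existing property values stay untouched.
function mapSamlAttributes(
  attrs: SamlAttributes,
  mappings: AttributeMapping[] = MAPPINGS,
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const m of mappings) {
    const name = m.samlNames.find((n) => (attrs[n] ?? []).length > 0);
    if (name === undefined) continue;
    const values = (attrs[name] ?? []).map((v) => v.trim()).filter((v) => v !== "");
    if (values.length === 0) continue;
    // Assumption: a multi-value claim is stored as one comma-joined string.
    out[m.kindeKey] = m.multiValue ? values.join(",") : values[0]!;
  }
  return out;
}

// Constructed sample of what Entra ID might send; phone_number is deliberately
// missing to show that no property is written for an absent claim.
const SAMPLE_ATTRS: SamlAttributes = {
  [`${CLAIMS}emailaddress`]: ["jane.doe@example.com"],
  [`${CLAIMS}givenname`]: ["Jane"],
  [`${CLAIMS}surname`]: ["Doe"],
  user_type: ["Member"],
  groups: ["sec-ops", "platform"],
};

console.log(mapSamlAttributes(SAMPLE_ATTRS));
```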

Step 4: Include the properties in tokens

  1. Open the relevant application in Kinde.
  2. Select Tokens and scroll to Token customization.
  3. Select Customize on the token type you want to update (ID token and/or access token).
  4. Select the user properties you created.
  5. Select Save.

Access attributes in tokens


Once added via token customization, the values are available under the user_properties claim, for example:

  • user_properties > phone_number
  • user_properties > user_type
  • user_properties > groups