Sign in to ComplianceScout with Microsoft Entra ID over SAML 2.0.
Copy these values from ComplianceScout → Settings → SSO when you create the connection. The exact per-connection values are shown there; the placeholders below stand in for them.
SP Entity ID: urn:guardstream:sp:<tenant_id>
    Included in the SP metadata below. Most IdPs can import the metadata URL instead of typing this.
ACS URL: https://<your-app-host>/sso/saml/callback/<connectionId>
SP Metadata URL: https://<your-app-host>/sso/saml/metadata/<connectionId>
    Contains the SP entity ID, ACS URL, and SP certificate. Import this into your IdP when it supports metadata import; it is the least error-prone path.
NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    Configure your IdP to send the user's email address as the NameID. ComplianceScout rejects any other NameID format.
Steps verified against the vendor documentation linked at the bottom of this page. Labels can change — that link is the source of truth.
Sign in to the Microsoft Entra admin center (entra.microsoft.com) as at least a Cloud Application Administrator.
Go to Entra ID → Enterprise apps → All applications, and select New application.
Select Create your own application. Name it (for example, ComplianceScout), choose "Integrate any other application you don't find in the gallery (Non-gallery)", and select Create.
In the app, open Single sign-on and select SAML.
In Basic SAML Configuration, select Edit. Either Upload metadata file (ComplianceScout's SP metadata XML), or enter manually: Identifier (Entity ID) = urn:guardstream:sp:<tenant_id> and Reply URL (ACS URL) = the ACS URL shown in ComplianceScout. Because ComplianceScout is SP-initiated, set Sign on URL to your ComplianceScout login URL. Save.
In Attributes & Claims, select Edit, open the Unique User Identifier (Name ID) claim, set Source attribute to user.mail (or user.userprincipalname), and set the name-identifier format to Email address. Whichever attribute you pick, its value must be the email address ComplianceScout holds for the user; choose user.userprincipalname only if UPNs in your tenant are the users' email addresses.
In SAML Certificates, copy the App Federation Metadata Url (or download Certificate (Base64)). If your ComplianceScout connection also requires the response signed, use Edit → Signing Option = "Sign SAML response and assertion".
In the Set up <app> section, record Microsoft Entra Identifier (IdP Entity ID) and Login URL (IdP SSO URL).
Under Users and groups, assign the users/groups that should be able to sign in. Leave the app's "Assignment required?" property (under Properties) set to Yes so that Entra refuses to issue an assertion to anyone who is not assigned.
Back in ComplianceScout, under Settings → SSO, paste these values into the connection and save:
IdP Entity ID (Microsoft Entra Identifier): https://sts.windows.net/<tenant-guid>/
IdP SSO URL (Login URL): https://login.microsoftonline.com/<tenant-guid>/saml2
    Copy the exact Login URL the portal shows for your tenant.
Signing certificate: Certificate (Base64), or the App Federation Metadata Url

To pass group membership, in Attributes & Claims select Add a group claim, choose Security groups (or Groups assigned to the application), and Save. Entra emits group object IDs (GUIDs) by default, so map those GUIDs to roles in ComplianceScout (or configure name emission where your directory supports it). Choosing Groups assigned to the application keeps the assertion small for users who belong to many groups.
ComplianceScout treats the SAML authentication-context value http://schemas.microsoft.com/claims/multipleauthn as an MFA signal. Enable "Trust IdP for MFA" in ComplianceScout to honor it, and confirm that your Entra Conditional Access / sign-in policy actually requires MFA for this app so that Entra emits that value; a password-only sign-in carries urn:oasis:names:tc:SAML:2.0:ac:classes:Password instead. Entra reports MFA through this Microsoft-specific value rather than through a standard SAML authentication-context class, so test one sign-in of each kind before relying on it.
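The SP-side checks this page describes (reject any NameID format other than emailAddress, map group object IDs to roles, treat multipleauthn as the MFA signal only when "Trust IdP for MFA" is on) together with the audience and validity-window checks any SAML SP must make, as an added Python example. It is not ComplianceScout's code: the assertion is a constructed sample in the shape Entra emits, with a placeholder tenant, IDs and group GUIDs; the XML signature is omitted because signature verification against the IdP certificate is assumed to have happened before these checks run; and evaluate_assertion, the group_roles mapping and the role names are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"  # SAML default when Format is absent
ENTRA_MFA_CONTEXT = "http://schemas.microsoft.com/claims/multipleauthn"
ENTRA_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed assertion in the shape Entra ID emits for this connection. Tenant GUID, IDs,
# group GUIDs and the user are placeholders; the ds:Signature element is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-assertion-id" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:guardstream:sp:acme</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_assertion(xml_text, expected_issuer, expected_audience, group_roles,
                       trust_idp_for_mfa, now, skew=timedelta(minutes=3)):
    """Checks an SP applies AFTER the XML signature has been verified against the IdP
    signing certificate. Returns the accept decision, the reasons for a rejection,
    the identity, the roles derived from group GUIDs, and whether MFA is considered proven."""
    root = ET.fromstring(xml_text)
    reasons = []

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        reasons.append("issuer %r is not the configured IdP Entity ID" % issuer)

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("assertion has no Conditions element")
    else:
        # Allow a small clock skew between the IdP and this host, nothing more.
        if "NotBefore" in cond.attrib and now + skew < parse_saml_time(cond.get("NotBefore")):
            reasons.append("assertion is not yet valid")
        if "NotOnOrAfter" in cond.attrib and now - skew >= parse_saml_time(cond.get("NotOnOrAfter")):
            reasons.append("assertion has expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            reasons.append("audience %r does not include our SP Entity ID" % audiences)

    # NameID must be an email address; ComplianceScout rejects every other format.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format", NAMEID_UNSPECIFIED) if name_id is not None else None
    email = (name_id.text or "").strip() if name_id is not None else ""
    if name_id is None or fmt != NAMEID_EMAIL or "@" not in email:
        reasons.append("NameID must be present with format %s, got %r" % (NAMEID_EMAIL, fmt))

    # MFA is only honored when the connection trusts the IdP for it AND Entra says MFA happened.
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        default="", namespaces=NS).strip()
    mfa = bool(trust_idp_for_mfa) and ctx == ENTRA_MFA_CONTEXT

    # Entra emits group object IDs; unmapped GUIDs grant nothing.
    groups = [v.text.strip() for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue" % ENTRA_GROUPS_CLAIM, NS)
        if v.text]
    roles = sorted({group_roles[g] for g in groups if g in group_roles})

    return {"accepted": not reasons, "reasons": reasons, "email": email,
            "authn_context": ctx, "mfa": mfa, "groups": groups, "roles": roles}


if __name__ == "__main__":
    result = evaluate_assertion(
        SAMPLE_ASSERTION,
        expected_issuer="https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
        expected_audience="urn:guardstream:sp:acme",
        group_roles={"aaaaaaaa-0000-0000-0000-000000000001": "auditor"},  # assumed GUID-to-role mapping
        trust_idp_for_mfa=True,
        now=parse_saml_time("2024-05-01T12:05:00Z"))
    print(result)
```

Two behaviours are worth noting when you test a connection: flipping the NameID format to persistent or unspecified is a hard rejection even though the subject is otherwise fine, and a valid assertion whose AuthnContextClassRef is the Password class still signs the user in, just without the MFA flag, which is exactly the case where ComplianceScout should fall back to its own second factor.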
Configure the connection in Settings → SSO, then test sign-in before rolling it out to your team.