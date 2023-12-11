
Configure and enable SSO authentication in your Sanity instance using the SAML protocol and Microsoft Azure AD as an identity provider (IdP).
During the setup and configuration process, it's a good idea to keep two windows side by side:
Go to Sanity Manage and select the organization you want to enable SSO for.
To navigate to the service provider configuration inside Sanity Manage:
To navigate to the identity provider configuration in Azure:
In Enterprise applications:
If you're keeping two browser tabs or windows open side by side, now you should have one on the configuration screen inside Sanity Manage, and the other on the configuration screen in Azure.
Now, configure Azure to send the claims that Sanity requires in the expected form.
The claims (attributes) that Sanity expects are listed inside Sanity Manage:
For each claim:
Once all claims have been added:
Sanity requires user.firstName and user.surname. The mapping in the example replaces both fields with user.displayname.
Enterprise customers can map identity provider roles to service provider roles. For example, users with the Azure example-azure-user-role role are mapped to the Sanity viewer role when they log in. The mapping relies on a groups claim with the format set to unspecified.
In Azure, add a new group claim:
Select the groups that you want Azure to send to Sanity, and assign the group claim a descriptive name:
Once you're done, save the changes.
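Added example (not Sanity's or Azure's code) that shows what the claim and group configuration above has to produce on the wire: it parses the AttributeStatement of a constructed SAML response, flags the required claims that are missing (so a mapping that sends only displayname instead of firstName and surname is caught), and maps Azure group values to Sanity roles with unknown groups granting nothing. The claim names firstName, surname and groups, and the SAMPLE message, are assumptions; the real names are listed in Sanity Manage.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names are assumptions; the page says Sanity needs first name and surname.
REQUIRED_CLAIMS = ("firstName", "surname")

# Role mapping from the page: Azure group value -> Sanity role. Groups not listed
# here yield no role, so an unexpected group never grants access by accident.
GROUP_TO_ROLE = {"example-azure-user-role": "viewer"}


def parse_claims(response_xml: str) -> dict:
    """Return {claim name: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(response_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def missing_claims(claims: dict) -> list:
    """Required claims that are absent or empty (a displayname-only mapping fails here)."""
    return [c for c in REQUIRED_CLAIMS if not claims.get(c)]


def roles_for(claims: dict) -> list:
    """Map the groups claim to Sanity roles; unmapped groups are ignored."""
    groups = claims.get("groups", [])
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})


# Constructed sample response for the example; not a real Azure AD message.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>example-azure-user-role</saml:AttributeValue>
        <saml:AttributeValue>some-unmapped-group</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    claims = parse_claims(SAMPLE)
    print("missing:", missing_claims(claims), "roles:", roles_for(claims))
```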
In Azure, browse to the Set up {application name} block:
Get the Azure URLs for login and authentication, and add them to the Your Identity Provider details configuration section inside Sanity Manage:
In this scenario:
In the SAML specification, InResponseTo is defined as "The ID of a SAML protocol message in response to which an attesting entity can present the assertion."
This setting is identity provider-specific. Azure doesn’t support it. Therefore, ensure that Enable InResponseTo is deselected/disabled.
The Signed SAML Assertion option notifies the Sanity instance that the identity provider is configured to use the signing certificate found in the Sanity service provider details section.
This is an optional step configured in Verification certificates:
Unless you have already uploaded the certificate, leave Want assertion signed deselected under Signed SAML Assertion.
To get an X.509 certificate:
Ensure you save all changes inside Sanity Manage and in Azure.
