Microsoft Entra SSO Setup Guide

Last updated: March 19, 2026

This guide explains how to set up a SAML integration through Microsoft Entra ID to access Unwrap. You will need to create two applications: one for the actual SAML integration with Unwrap and a non-gallery application that gives users an IdP-initiated login experience from Microsoft.

Prerequisites

  • Administrative access to your Microsoft Entra ID tenant

  • Cloud Application Administrator, Application Administrator, or Global Administrator role

  • Contact with your Unwrap representative for configuration details

Frequently Asked Questions

1. How will trust information be shared?

We exchange SAML metadata. You provide us your Federation Metadata XML URL from Entra. In return, we provide you with an ACS (Assertion Consumer Service) URL and Entity ID (Audience URI) specific to your organization.

2. What assertion are you expecting as Name ID?

We accept the default/unspecified Name ID format. User identity is determined through explicit attribute statements rather than the Name ID value.

3. What other assertions are required?

Three attribute statements are required:

Attribute Claim | Expected Value

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.givenname

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.surname

4. Are there group attribute requirements?

No. We do not require or consume group attributes from the SAML assertion.
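The FAQ answers above describe how the SP treats an assertion: identity comes from the three attribute claims, the Name ID is not used, group attributes are ignored, and the assertion must be addressed to the SP's Entity ID and ACS URL. The following is an added Python illustration of that SP-side check, not Unwrap's code; the sample Response, the Entity ID `urn:example:sp`, the ACS URL and all user values are constructed, and XML signature verification is assumed to have been done already by the SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# The three attribute claims this guide lists as required, keyed by field name.
REQUIRED = {"email": CLAIM + "emailaddress", "given_name": CLAIM + "givenname",
            "surname": CLAIM + "surname"}


def extract_identity(response_xml, expected_audience, expected_acs):
    """Derive the user identity from the attribute statements, not the NameID.

    Hypothetical SP-side check: assumes the XML signature was already verified
    against the certificate from the IdP federation metadata.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        raise ValueError(f"Audience {audience!r} is not this SP's Entity ID")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        raise ValueError("Recipient does not match the ACS URL")
    # Collect every attribute; names outside REQUIRED (e.g. groups) are ignored.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [uri for uri in REQUIRED.values() if not attrs.get(uri)]
    if missing:
        raise ValueError("missing required claim(s): " + ", ".join(missing))
    return {field: attrs[uri] for field, uri in REQUIRED.items()}


# Constructed sample Response (not a real Entra assertion); every value is made up.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
<saml:Assertion><saml:Subject><saml:NameID>not-used-by-sp</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"/>
</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>
<saml:Audience>urn:example:sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="{CLAIM}emailaddress"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="{CLAIM}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="{CLAIM}surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:example:groups"><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

A Response whose Audience or Recipient points at a different SP, or that lacks one of the three claims, is rejected before any JIT provisioning would happen.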

5. Do you support IdP- or SP-initiated login?

SP-initiated only. Users can either:

  • Navigate directly to https://app.unwrap.ai/login/sso?iss=[domain]&tenant=[name]

  • Click a bookmark app tile in the Entra My Apps portal, which redirects through our SP-initiated flow

6. How will new users be managed?

Just-In-Time (JIT) provisioning. When a user authenticates via SSO for the first time, their Unwrap account is automatically created. No manual user creation or file import is needed — users must come through the identity provider.

7. Can we enforce SSO-only login?

Yes. SSO customers are configured so that only the SAML identity provider is accepted as a sign-in method. Username/password and other authentication methods are not available for SSO-enabled organizations.

8. What is your default token lifetime?

  • Access token: 1 hour

  • ID token: 1 hour

  • Refresh token: 30 days

Setup Instructions

Step 1: Create Enterprise Application

  1. Sign in to the Microsoft Entra admin center

  2. Navigate to Identity > Applications > Enterprise applications

  3. Click New application

  4. Click Create your own application

  5. Enter an application name (e.g., "Unwrap SAML")

  6. Select Integrate any other application you don't find in the gallery

  7. Click Create

Step 2: Configure SAML Settings

  1. In your newly created application, navigate to Single sign-on

  2. Select SAML as the single sign-on method

Basic SAML Configuration

Click Edit on the Basic SAML Configuration section and configure:

  • Identifier (Entity ID): [Provided by Unwrap team]

  • Reply URL (Assertion Consumer Service URL): [Provided by Unwrap team]

  • Sign on URL: Leave empty

  • Relay State: Leave empty

  • Logout URL: Leave empty

Click Save

User Attributes & Claims

Verify these claims are present (defaults should work):

Claim Name | Source Attribute

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.givenname

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.surname

Step 3: Hide SAML Application from End Users

Since users will access Unwrap through the non-gallery application (created in Step 5), hide the SAML application from end users:

  1. Go to Properties

  2. Set Visible to users? to No

  3. Set User assignment required? to Yes

  4. Click Save

Step 4: Get Federation Metadata for Unwrap

Unwrap needs your SAML federation metadata to complete the integration:

  1. In the SAML configuration, scroll to the SAML Certificates section

  2. Either copy the App Federation Metadata Url, or click Download next to Federation Metadata XML and save the file

Important: Provide either the metadata URL or XML file to your Unwrap contact.
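As an added illustration (not part of this guide and not Unwrap's code) of what the SP side takes from the federation metadata you hand over here: the IdP entityID, the HTTP-Redirect SingleSignOnService endpoint that SP-initiated AuthnRequests are sent to, and the SHA-256 fingerprint of the signing certificate used to verify assertions. The sample metadata, host names and certificate body are constructed placeholders, not real Entra values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
         "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def summarize_idp_metadata(metadata_xml):
    """Pull the trust facts an SP needs out of IdP federation metadata.

    Returns the IdP entityID, the HTTP-Redirect SSO endpoint (SP-initiated
    AuthnRequests go there) and SHA-256 fingerprints of the signing certs.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", MD_NS)
           if s.get("Binding") == REDIRECT]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    fps = []
    for kd in idp.findall("md:KeyDescriptor", MD_NS):
        if kd.get("use", "signing") != "signing":   # absent 'use' means both uses
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=MD_NS)
        if not b64:
            continue
        der = base64.b64decode("".join(b64.split()))   # strip line folding first
        fps.append(hashlib.sha256(der).hexdigest())
    if not fps:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso_redirect": sso[0],
            "signing_fingerprints": fps}


# Constructed sample in the shape of IdP federation metadata; the certificate
# body is a placeholder (base64 of a dummy string), not a real certificate.
FAKE_CERT = base64.b64encode(b"placeholder-not-a-real-certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS['md']}" xmlns:ds="{MD_NS['ds']}"
 entityID="https://idp.example.test/">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://login.example.test/saml2"/>
  <md:SingleSignOnService Binding="{REDIRECT}" Location="https://login.example.test/saml2"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Comparing the fingerprint against what you see under SAML Certificates in the Entra portal confirms the metadata the SP consumed is the one you exported.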

Step 5: Create Non-Gallery Application

This gives users an IdP-initiated login experience from Microsoft; the app tile redirects through Unwrap's SP-initiated flow (see FAQ 5):

  1. Navigate back to Identity > Applications > Enterprise applications

  2. Click New application > Create your own application

  3. Enter an application name (e.g., "Unwrap")

  4. Select Integrate any other application you don't find in the gallery

  5. Click Create

  6. Go to Properties and configure:

    • Visible to users?: Yes

    • User assignment required?: Yes

    • Homepage URL: [SP-initiated login URL will be provided by Unwrap team]

      • Format: https://app.unwrap.ai/login/sso?iss=[your-domain]&tenant=[tenant-name]

  7. Click Save

  8. Click the application image placeholder

  9. Download and upload the Unwrap logo

Step 6: Assign Users and Groups

  1. For both applications (SAML and non-gallery), navigate to Users and groups

  2. Click Add user/group

  3. Assign appropriate users or groups who should have access to Unwrap

  4. Click Assign

Next Steps

  1. Send federation data: Provide the App Federation Metadata URL or XML file from Step 4 to your Unwrap contact

  2. Wait for deployment: Unwrap will configure the integration on their end

  3. Access Unwrap: Once deployed, users can access Unwrap through the non-gallery application from the Microsoft 365 app launcher

Important Notes

  • The SAML application is hidden from end users; they will only see the non-gallery app

  • The non-gallery app URL will only function after Unwrap completes the backend configuration

  • Both applications are required for proper SSO functionality

  • Users must be assigned to both applications