• Semgrep AppSec Platform
• SSO

SAML SSO with Microsoft Entra ID

This article describes how to set up SAML Single Sign-on for Semgrep AppSec Platform with Microsoft Entra ID.

Prerequisites

• An existing Microsoft Entra ID account.
• Sufficient permissions within Microsoft Entra ID to create enterprise apps. See Microsoft Entra ID roles.
• Admin privileges for your Semgrep deployment.

Setting up SAML SSO using Microsoft Entra ID consists of the following general steps:

1. Create a custom enterprise app within Microsoft Entra ID.
2. Set up SAML SSO for your new enterprise app.
3. Configure Semgrep.
4. Add users to your new enterprise app.

Configure SSO

Guided setup (beta)

1. Sign in to Semgrep AppSec Platform.
2. Go to Settings > Access > Login methods.
3. In the Single sign-on (SSO) section, provide a valid Email domain, then click Initialize.
4. The Configure Single Sign-On dialog appears to guide you through the remaining configuration steps. Begin by selecting Entra ID (Azure AD) SAML.
5. Follow the instructions provided on the subsequent Configure Single Sign-On dialog pages to complete this process. When you've completed the required steps, use Test sign-in to test the connection.
6. Once test sign-in has passed, close the test page. Verify that the Connection details shown on the Connection activated screen are correct and close the dialog.
7. Verify that the Connection status is now active under the Single sign-on (SSO) section in Semgrep AppSec Platform.
8. To use the new connection, log out of Semgrep, then log back in using SSO.

Legacy manual configuration

Create a custom enterprise app

1. Sign in to the Microsoft Entra admin center.
2. Use the search bar to find and navigate to enterprise applications.
3. Click New application > Create your own application. A menu appears.
4. Name your new application something like Semgrep SAML.
5. Select Integrate any other application you don't find in the gallery (non-gallery).
6. Click Create. This takes you to your new enterprise application's page.

You have now created a custom enterprise app for Semgrep to integrate with Microsoft Entra ID. This enables you to set up SAML SSO.

Set up SAML SSO for your new enterprise app

1. From your new enterprise app's page, go to Single-sign on > SAML.
2. When prompted to Select a single sign-on method, select SAML. You are redirected to the SAML-based Sign-on page.
3. In the Basic SAML Configuration section, click Edit. Provide the Entity ID and Reply URL. You can retrieve these values from Semgrep AppSec Platform by performing the following steps:
   1. Sign in to Semgrep AppSec Platform.
   2. Navigate to Settings > Access > Login methods.
   3. Click Add SSO configuration and select SAML2 SSO.
   4. Copy the Audience URL (SP Entity ID) value from Semgrep AppSec Platform. Return to Basic SAML Configuration. Click Add identifier to paste this value as the Identifier (Entity ID).
   5. Copy the SSO URL value from Semgrep AppSec Platform. Return to Basic SAML Configuration. Click Add reply URL to paste this value as the Reply URL (Assertion Consumer Service URL).
4. Click Save and close out of Basic SAML Configuration.
5. In the Attributes and Claims section, click Edit. You must add two claims. To add your first claim:
   1. Click Add new claim.
   2. Enter name in the Name field.
   3. For the Source attribute drop-down box, select user.displayname.
   4. Click Save.
6. To add your second claim:
   1. Click Add new claim.
   2. Enter email in the Name field.
   3. From the Source attribute drop-down box, select user.mail.
   4. Click Save.
7. Close out of Attributes & Claims.

Configure Semgrep

1. Navigate to Semgrep AppSec Platform, and provide the values required by the SAML2 form:
   1. Provide the Display name and the Email domain you are using for the integration.
   2. Copy the Login URL value from Microsoft Entra ID and paste it in into Semgrep AppSec Platform's IDP SSO URL field.
   3. Copy and paste the Microsoft Entra ID Identifier value into Semgrep AppSec Platform's IdP Issuer ID field.
   4. In Entra ID's SAML-based Sign-on page, click Download to obtain the Certificate (Base64).
   5. In Semgrep AppSec Platform, under Upload/Paste certificate, click Browse and then select the certificate you downloaded.
2. Select the box next to This SSO supports non-password authentication mechanisms (e.g. MFA, X509, PasswordLessPhoneSignin) if applicable.
3. Click Save to proceed.

Add users to your new enterprise app

To add users to the application in so they can log in with their domain emails, refer to Assign users and groups to an application.

---

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.