Microsoft Entra SSO Setup Guide
This guide explains how to set up a SAML integration through Microsoft Entra ID to access Unwrap. You will need to create two applications: one for the actual SAML integration with Unwrap and a non-gallery application that gives users an IdP-initiated login experience from Microsoft.
Prerequisites
- Administrative access to your Microsoft Entra ID tenant
- Cloud Application Administrator, Application Administrator, or Global Administrator role
- Contact with your Unwrap representative for configuration details
Step 1: Create Enterprise Application
- Sign in to the Microsoft Entra admin center
- Navigate to Identity > Applications > Enterprise applications
- Click New application
- Click Create your own application
- Enter an application name (e.g., "Unwrap SAML")
- Select Integrate any other application you don't find in the gallery
- Click Create
Step 2: Configure SAML Settings
- In your newly created application, navigate to Single sign-on
- Select SAML as the single sign-on method
Basic SAML Configuration
Click Edit on the Basic SAML Configuration section and configure:
- Identifier (Entity ID): [Provided by Unwrap team]
- Reply URL (Assertion Consumer Service URL): [Provided by Unwrap team]
- Sign on URL: Leave empty
- Relay State: Leave empty
- Logout URL: Leave empty
Click Save
User Attributes & Claims
Verify these claims are present (defaults should work):
Claim Name | Source Attribute |
---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.givenname |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.surname |
Step 3: Hide SAML Application from End Users
Since users will access Unwrap through the non-gallery application (created in Step 5), hide the SAML application from end users:
- Go to Properties
- Set Visible to users? to No
- Set User assignment required? to Yes
- Click Save
Step 4: Get Federation Metadata for Unwrap
Unwrap needs your SAML federation metadata to complete the integration:
- In the SAML configuration, scroll to the SAML Certificates section
- Copy the App Federation Metadata Url, OR
- Click Download next to Federation Metadata XML and save the file
Important: Provide either the metadata URL or XML file to your Unwrap contact.
Step 5: Create Non-Gallery Application (Required)
This provides users with an IdP-initiated login experience from Microsoft:
- Navigate back to Identity > Applications > Enterprise applications
- Click New application > Create your own application
- Enter an application name (e.g., "Unwrap")
- Select Integrate any other application you don't find in the gallery
- Click Create
- Go to Properties and configure:
  - Visible to users?: Yes
  - User assignment required?: Yes
  - Homepage URL: [SP-initiated login URL will be provided by Unwrap team]
    - Format: https://app.unwrap.ai/login/sso?iss=[your-domain]&tenant=[tenant-name]
- Click Save
Add Unwrap Logo
- Click the application image placeholder
- Download and upload the Unwrap logo: Unwrap Logo
Step 6: Assign Users and Groups
- For both applications (SAML and Non-Gallery), navigate to Users and groups
- Click Add user/group
- Assign appropriate users or groups who should have access to Unwrap
- Click Assign
Next Steps
- Send federation data: Provide the App Federation Metadata URL or XML file from Step 4 to your Unwrap contact
- Wait for deployment: Unwrap will configure the integration on their end
- Access Unwrap: Once deployed, users can access Unwrap through the non-gallery application from the Microsoft 365 app launcher
Important Notes
- Both SSO and traditional username/password authentication will continue to work after setup
- The SAML application is hidden from end users; they will only see the non-gallery app
- The non-gallery app URL will only function after Unwrap completes the backend configuration
- Both applications are required for proper SSO functionality
- Users must be assigned to both applications