Creating a provider: Entra
Step 0: Domain verification
Before creating a provider, make sure you've added your domain in Claras.
Step 1: Register an Enterprise application
Open up the Microsoft Entra admin dashboard. Navigate to, or search for, "Enterprise applications" and click the + New Application button.
Step 2: Choose to create your own application
You'll be using the custom enterprise application setup for Claras.
Step 3: Fill in application details
In the modal titled Create your own application, enter a display name for Claras. This is the name your users see when signing in to Claras from Entra. Claras is probably a good choice.
Make sure to choose the third option: Integrate any other application you don't find in the gallery (Non-gallery).
Step 4: Set up single sign-on
In the side bar, navigate to Manage > Single sign-on and select SAML.
In a separate tab, open Claras and navigate to Settings > SSO. Click Download SAML Metadata File.
Back in Entra, upload this metadata file.
All of the correct information should automatically populate the Basic SAML Configuration screen. The only additional item to add is the Relay State. This allows users to login with a single click using the User access URL - which is what's used in the Office 365 application launcher. For this url, provide the following value:
https://claras.ai/login/sso
Leave the Sign on URL blank. The Basic SAML Configuration should look like the screenshot below. Be sure to save your changes.
You may be asked to test Single Sign-on. Select No, I'll test later.
Step 5: Create the provider in Claras
Copy the App Federation Metadata URL found on step 3 of the Single sign-on page.
Open up Claras and on the SSO page, click New Provider. Set a name such as "Entra" and paste the Metadata URL you just copied. Leave the Enable SSO and Enable SCIM toggled off for now, and click Create Provider.
If everything is setup correctly, you should see a green confirmation toast. If you encounter any errors, please double check you've followed all the steps above correctly, and reach out to our team via the support chat.
Step 5: Attribute Mapping
Before you enable SSO, we need to setup attribute mapping. This is required for Claras to know where to look for key user data. Please note the SSO auth flow will fail if this is not setup.
Still in Claras, click the three dots next to your new provider and select Edit. You will see three values under Attribute Mapping. While you can change these, we recommended leaving them as is.
Back in Entra on the Single Sign-on page, click the edit button next to step 2 Attributes & Claims.
There may be some Additional claims already setup. Delete all the Additional claims using the three dot menu. Your page should then look like this:
Create three new Additional claims using the + Add New Claim button. Here is a table for reference:
| Claras Value | Entra Attribute Name | Entra Source Attribute | Entra User Property |
|---|---|---|---|
| emailaddress | emailaddress | user.userprincipalname | User principal name |
| givenname | givenname | user.givenname | Display name |
| surname | surname | user.surname | Last name |
The Entra Attribute Name must match the Claras Value. The Entra User Property is what the Entra Source Attribute typically maps to when editing a user profile in Entra. You can leave the Namespace blank.
Once done, the Attributes & Claims page should look like this:
If you changed the values in Claras, be sure to save them by clicking Update Provider. Otherwise it should all be good to go.
Step 6: Set the provider properties
In the Entra enterprise application navigate to Manage > Properties. You can download this image and use it as the logo.
Decide whether assignment is required for users to access the application. Either option will work with Claras. Be sure to check out the Frequently Asked SSO Questions for more information on the expected behaviour of each.
Make sure to save your changes.
Step 7: Enable SSO in Claras
If you have existing users in your Claras account, please review the Frequently Asked SSO Questions before enabling SSO. Be sure your team are aware of any changes to avoid surprises.
Also make sure your domains are verified. Enabling a provider without a verified domain will cause logins to fail.
Once you're ready to go live, head back to the SSO page in Claras and edit the provider. Toggle on Enable SSO, and click Update Provider. The provider will then show a green enabled badge, and your verified domains will also become active. Users will now be able to login using their Microsoft account via the User access URL, the Office 365 application launcher, or via the normal login page in Claras.
As an admin of the enterprise application, you should be able to test the login flow yourself even without being assigned.
Next steps
Now your SSO provider is enabled, you can choose to manually grant users access via the "Users and groups" tab, or setup ahead of time provisioning using SCIM. Also be sure to checkout the Frequently Asked SSO Questions for more tips and guidance.
Updated on: 12/05/2025
Thank you!