# SSO Setup (Microsoft Entra / Azure AD)

Configure SAML 2.0 single sign-on between Microsoft Entra and Vrex

This page covers SAML 2.0 SSO setup between Microsoft Entra (Azure AD) and Vrex. Other identity providers (Okta, Google Workspace, etc.) are supported — contact [admin@vixel.no](mailto:admin@vixel.no) for guidance on those.

## Prerequisites

- Microsoft Entra access with rights to create enterprise applications
- Permission to manage your organisation's domain configuration
- A Vrex account or a contact at Vrex

## Step 1: Create a new enterprise application

1. Go to the [Microsoft Entra admin portal](https://entra.microsoft.com)
2. Navigate to **Enterprise Applications → New Application**
3. Select **Create your own application**
4. Name it **Vrex** (or **Vrex SSO**)
5. Choose **Integrate any other application you don't find in the gallery (Non-gallery)**
6. Click **Create**

## Step 2: Configure SAML

1. In the new application, go to **Single sign-on**
2. Select **SAML** as the sign-on method
3. Click **Edit** on the Basic SAML Configuration section
4. Enter the following values — use copy/paste to avoid typos:

| Field | Value |
|-------|-------|
| Identifier (Entity ID) | `urn:amazon:cognito:sp:eu-central-1_FRYkSJ41S` |
| Reply URL (ACS URL) | `https://auth.vrex.no/saml2/idpresponse` |

5. Save the configuration

## Step 3: Claims mapping

Under **Attributes & Claims**, click **Edit**. Confirm the following claims are present, or add them manually:

| Claim name | Value |
|------------|-------|
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | `user.mail` |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` | `user.givenname` |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` | `user.surname` |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userid` | `user.userprincipalname` |

The email claim (`emailaddress`) is required. The name claims (`givenname`, `surname`) are strongly recommended so that users are displayed by name in sessions.

## Step 4: Send to Vrex

1. In the SAML configuration overview, copy the **App Federation Metadata URL**
2. Email the following to [admin@vixel.no](mailto:admin@vixel.no):

```
Subject: SSO Setup — [Your Company Name]

Company name:
SSO app name:
Federation Metadata URL:
Email domain (e.g. company.com):
```

Vrex will configure their system to trust your Entra identity provider and confirm by reply. Expect a response within one business day.

## Step 5: Enable SSO in Vrex admin

After Vrex confirms the configuration is active:

1. Log in to the **Vrex Client Admin Panel**
2. Go to **App Clients → [Your Client App] → Edit managed login page configuration**
3. Enable the new identity provider (it will appear as `yourcompany-Entra` or similar)

Your users can now sign in to Vrex with their Entra credentials. Accounts are created automatically on first login — no manual licence assignment needed.

## Troubleshooting

| Symptom | Check |
|---------|-------|
| Login redirects back without signing in | Verify Entity ID and ACS URL are entered exactly — no trailing spaces |
| "User not found" after redirect | Confirm the `email` claim is mapped and the address matches a Vrex-enabled domain |
| SAML assertion error | Check that the Federation Metadata URL is the **App** Federation Metadata URL, not the directory-level URL |
| SSO option not appearing in Vrex login | Step 5 may not be complete — check the admin panel |
| Works for some users, not others | Confirm those users are assigned to the enterprise application in Entra |
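
To run the Entity ID, ACS URL and claim checks from the table above against a real sign-in, this added example (not Vrex or Microsoft code) inspects a `SAMLResponse` form value captured from your own browser's POST to the ACS URL. It assumes standard SAML 2.0 element names; `check_response`, `sample_response`, the sample user and the `company.com` domain are constructed for illustration, and the signature is not verified.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ENTITY_ID = "urn:amazon:cognito:sp:eu-central-1_FRYkSJ41S"  # Step 2 value
ACS_URL = "https://auth.vrex.no/saml2/idpresponse"          # Step 2 value

def check_response(b64_response, email_domain):
    """List configuration problems in a base64 SAMLResponse form value.
    Diagnostic only: the signature is NOT verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    audience = root.findtext(".//a:Audience", default="", namespaces=NS)
    if audience != ENTITY_ID:  # exact compare, so stray spaces are caught
        problems.append(f"Audience {audience!r} != Entity ID")
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    attrs = {a.get("Name"): a.findtext("a:AttributeValue", default="", namespaces=NS)
             for a in root.iterfind(".//a:Attribute", NS)}
    email = attrs.get(CLAIMS + "emailaddress", "")
    if not email:
        problems.append("emailaddress claim missing (is user.mail populated?)")
    elif email.rsplit("@", 1)[-1].lower() != email_domain.lower():
        problems.append(f"email {email!r} is outside domain {email_domain!r}")
    for name in ("givenname", "surname"):
        if not attrs.get(CLAIMS + name):
            problems.append(f"{name} claim missing (recommended for display)")
    return problems

def sample_response(audience=ENTITY_ID, email="ada@company.com"):
    """Constructed, unsigned sample so the check runs offline."""
    claims = {"emailaddress": email, "givenname": "Ada", "surname": "Lovelace"}
    attrs = "".join(
        f'<Attribute Name="{CLAIMS}{n}"><AttributeValue>{v}</AttributeValue></Attribute>'
        for n, v in claims.items() if v)  # an empty value means the claim is omitted
    xml = (f'<samlp:Response xmlns:samlp="{NS["p"]}" xmlns="{NS["a"]}" '
           f'Destination="{ACS_URL}"><Assertion><Conditions><AudienceRestriction>'
           f'<Audience>{audience}</Audience></AudienceRestriction></Conditions>'
           f'<AttributeStatement>{attrs}</AttributeStatement></Assertion>'
           '</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for label, resp in [("good", sample_response()),
                        ("trailing space", sample_response(audience=ENTITY_ID + " ")),
                        ("no mail attribute", sample_response(email=""))]:
        print(label, "->", check_response(resp, "company.com") or "OK")
```

Treat a captured response as a credential while it is still valid, and delete it once the check is done.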

Still stuck? Email [admin@vixel.no](mailto:admin@vixel.no) with a description and any error messages.
