Register Elastic Cloud SAML in Microsoft Entra ID

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

To configure Elastic Cloud SAML SSO with Microsoft Entra ID (formerly Azure AD) as the identity provider (IdP):

Create a new Entra ID Enterprise application.
1. Choose to create a non-gallery application.
2. Provide a name and basic information about the application.
3. Select SAML as the single sign-on method.
4. Initially use placeholder values for the entity ID, reply or assertion consumer service (ACS) URL, and sign on URL.
5. Configure an email attribute in the Attributes & Claims section.
  
  Optionally set firstName to user.givenname and lastName to user.surname. These values will be used to set the respective fields of the user’s Elastic Cloud account. For example:
Collect information about the application from the Entra ID screen.
1. Get the "Login URL" for the SSO URL, which is the URL where users will be redirected at login.
2. Get the "Microsoft Entra Identifier" for use as the issuer.
3. Download the signing certificate.

For example:

curl -XPUT \
-H 'Content-Type: application/json' \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/idp" \
-d '
{
  "enabled": true,
  "login_identifier_prefix": "<businessname>", 
  "name": "SSO with <businessname>",
  "saml_idp": {
    "public_certificate": [ 
      "<publiccert>"
    ],
    "issuer": "<issuer>", 
    "sso_url": "<ssourl>", 
    "subject": {
      "format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
    }
  }
}
'

	`login_identifier_prefix` is a customizable piece of the Elastic Cloud SSO url that your organization members can use to authenticate. This could be the name of your business. You can use alphanumeric characters and hyphens in this value and you can change it later.
	`public_certificate` is the Base64-encoded DER-encoded certificate that you downloaded. You must remove newlines and any PEM markers (such as `-----BEGIN CERTIFICATE-----` or `-----END CERTIFICATE-----`) so that the certificate is a single-line Base64-encoded string.
	`issuer` is the "Microsoft Entra Identifier" obtained from the Entra ID screen.
	`sso_url` is the "Login URL" obtained from the Entra ID screen.
	`format` is the SAML name-id format to use.

If successful, the API will return the details that will need to be provided to the IdP. For example:

{
	"login_identifier": "<loginidentifier>",
	"sso_login_url": "https://cloud.elastic.co/login/sso/<loginidentifier>", 
	"metadata_url": "https://cloud.elastic.co/api/v1/organizations/<orgid>/idp/metadata.xml",
	"acs": "<acs>", 
	"sp_entity_id": "https://cloud.elastic.co/organizations/<orgid>", 
	"signing_certificate": [ 
		"<cert>"
	]
}

	`sso_login_url` is the URL you can provide to organization members to initiate SSO with your Elastic Cloud organization.
	`acs` is the SAML assertion consumer service that your SAML IdP should send SAML assertions.
	`sp_entity_id` is the SAML entity ID of the service provider that your SAML IdP should send in the SAML audience.
	`signing_certificate` is the Base64-encoded DER-encoded certificate that SAML requests to your IdP will be signed with.

Update the Basic SAML Configuration section of the Entra ID Enterprise application to use the values returned by the registration API.
1. Set the entity ID to the sp_entity_id value.
2. Set the reply or ACS URL to the acs value.
3. Set the sign on URL to the sso_login_url value.
Optionally update the Verification certificates section of the Entra ID Enterprise application to add the certificate returned by the registration API and turn on certificate verification.

When these steps are complete, you should be able to test SSO as described in Configure Elastic Cloud SAML SSO.

« Register Elastic Cloud SAML in Okta Notifications domain allowlist »