# Azure Active Directory (Entra ID) SSO

Squadcast supports SAML 2.0-based Single Sign-On (SSO) login for Azure Active Directory (Entra ID) users. You can integrate your Squadcast Organization with your Azure Active Directory (Entra ID) SSO by following this integration guide.

### Pre-requisites <a href="#pre-requisites" id="pre-requisites"></a>

1. Account Owner / Administrator account in Squadcast

{% hint style="info" %}
**Point to Note:**

1\. Only an Administrator / Account owner can enable and configure Azure Active Directory SSO for an Organisation in Squadcast.\
\
2\. Once enabled, only the Account Owner can use email-password-based login **by default**, although it can be configured to enable email-password-based login for Administrators as well.
{% endhint %}

### Setup Guide <a href="#setup-guide" id="setup-guide"></a>

1\. Login to <mark style="color:red;">`app.squadcast.com`</mark> and navigate to **Settings** > **Extensions**. Click the **Configure** button under SSO

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-50e69d268f4677c4c2e7d8b5ba89af509fd88bca%2Fazure_sso_gbs_1.png?alt=media)

2\. In the opened modal, select the **Custom SAML 2.0** tab and click **Show configuration guide for Custom SAML 2.0**

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-6ac25c1beaf1dafd09e83e27349732b65f089b2e%2Fazure_sso_gb_1.png?alt=media)

As given in the displayed guide, copy the **ACS URL** shown in point 1

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-bd7b8ea62f5cc7c9bb4faabfea0108c8df81df49%2Fazure_sso_gb_2.png?alt=media)

3\. Then, go to your Azure Active Directory (Entra ID) dashboard and click on **Enterprise applications** from the left navigation

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-c317b43c7f77ff2fd898e7528e36f2149a3329f5%2Fazure_squadcast_4.png?alt=media\&token=8a3d9c06-41e4-41f2-860b-b9658ada2343)

4\. Click on **Create your own application** to create an application for Squadcast

<figure><img src="https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-3f8b121fdd1fd2650412e01719840bad87bc6963%2Fazure_sso_gb_3.png?alt=media" alt=""><figcaption></figcaption></figure>

5\. In the side panel, give a name for the application (such as Squadcast), select **Non-gallery Application**, and click on **Create.**

<figure><img src="https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-c1c65ffea51269d93d95cb275764de6d2488f892%2Fazure_sso_gb_4.png?alt=media" alt=""><figcaption></figcaption></figure>

6\. For the newly created app, in the left pane under **Manage**, select **Users and groups**

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-ee9fb7c6e871769029e27cf6c7c1a6f1ec82d6da%2Fazure_squadcast_7.png?alt=media\&token=e0d8e024-f011-4306-9b41-aa99125a4f96)

Now, click on **Add user**

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-f18b104d92b5fec52b6da98fa0042dbc2cd29a1a%2Fazure_squadcast_8.png?alt=media\&token=74bf67a0-a8af-4835-83b9-3772fd9f6a32)

7\. Find and add the users you want, along with the appropriate **Role**

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-2fe4c887bf6578a87fdd977d7cfae87f95d868e2%2Fazure_squadcast_9.png?alt=media\&token=3cb72523-5a76-4d4f-a7a1-292837b431b6)

8\. In the left pane under **Manage**, click **Single sign-on** and select **SAML**

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-4bd5e2267356e21c3a48b02abdb827c2cbf0c099%2Fazure_squadcast_10.png?alt=media\&token=11bbd5db-4219-40bb-8314-80cb90c360b5)

9\. Edit the **Basic SAML Configuration** section

In both the **Identifier (Entity ID)** and **Reply URL (Assertion Consumer Service URL)** placeholders, paste the **ACS URL** you copied previously from Squadcast

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-ce65d3d5c3313f3964b43b5ded7468d4c850e9d4%2Fazure_squadcast_11.png?alt=media\&token=99312c38-f71a-4d0f-8004-d0a67a588aa3)

10\. Next, edit the **User and Attributes Claims** section

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-4ab968739b3ffc56f383f01186de2dcec79e3356%2Fazure_squadcast_12.png?alt=media\&token=befbd029-1f27-46d3-b495-184c118ffc89)

Remove the *namespace* and use:

* <mark style="color:red;">`first_name`</mark> for source attribute <mark style="color:red;">`user.givenname`</mark>
* <mark style="color:red;">`email`</mark> for <mark style="color:red;">`user.mail`</mark>
* <mark style="color:red;">`last_name`</mark> for <mark style="color:red;">`user.surname`</mark>

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-57ca92d7e792821f1c69e28463d405d2d751ff56%2Fazure_squadcast_13.png?alt=media) ![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-24d9b336a8511979fcf695ddc80c0c51df84b959%2Fazure_squadcast_14.png?alt=media) ![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-3786e09870e933e9195a5ddc72fcb3b064a81261%2Fazure_squadcast_15.png?alt=media)

11\. Click on the **Edit** icon in the **SAML Signing Certificate** section

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-4540297d6d67b0c0bd46cd73ebc7eb75d06a76e4%2Fazure_squadcast_20.png?alt=media)

Here, **download the PEM certificate**

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-36ab7d0c1a92e231d496c9907e824f92dbb43fc9%2Fazure_squadcast_16.png?alt=media)

12\. From under the **Setup Squadcast** section, copy the **Login URL**

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-b2128ed8bb3e64d380a80c497312aba0ed2e48a4%2Fazure_squadcast_17.png?alt=media\&token=d1801e37-f14d-4ba0-81f1-3bd5ae4a604c)

13\. Back in Squadcast, in the previously opened modal:

* Paste the copied **Login URL** in the placeholder for **SAML 2.0 Endpoint**
* Copy the contents of the **PEM Certificate** into the placeholder for **X.509 Certificate**
* Enter the domain name of your Organization

{% hint style="info" %}
**Note:**

Make sure to add the **Domain Name** of your Organization, for SSO login to work
{% endhint %}

* Provisioning new users can default to a particular <mark style="color:red;">`User Role`</mark> from the drop-down
* You can allow the <mark style="color:red;">`Account Owner`</mark> to also log in using their email credentials in addition to SSO. This can be done by checking the boxes for those options
* You can simply *provision new users on their first log in* by enabling the checkbox for the same

Once all of this has been configured based on your requirements, click on **Save**

14\. That’s it, your configuration is now complete!

To test whether this SSO integration is working as expected, go back to the Azure Active Directory SSO portal and click on **Test**

Then, click **Sign in as a current user** to verify your login to Squadcast!

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-8db40fc568849ccf842b5e4237592b525de4b638%2Fazure_squadcast_19.png?alt=media\&token=b691a951-4a30-42a6-985e-70c108e3e217)
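If the test sign-in fails on user attributes, the claim names from step 10 are the first thing to check in the SAML assertion captured during the test. The following is an added example, not Squadcast or Microsoft code: `check_claims` and the two sample assertions are constructed for illustration, and the check looks only at attribute names and values, not at the signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names this guide configures in step 10.
EXPECTED = {"first_name", "last_name", "email"}
# Prefix Entra ID keeps on claim names until the namespace is removed.
DEFAULT_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"


def check_claims(assertion_xml):
    """Return a list of problems with the attributes in a SAML assertion.

    Inspects attribute names and values only; it does not verify the signature.
    """
    root = ET.fromstring(assertion_xml)
    seen, problems = set(), []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        if name.startswith(DEFAULT_PREFIX):
            problems.append(f"namespace not removed: {name}")
        elif name in EXPECTED:
            seen.add(name)
            if not any(values):
                problems.append(f"empty value: {name}")
    # A claim whose source attribute is unset for the user is absent entirely.
    problems += [f"missing claim: {m}" for m in sorted(EXPECTED - seen)]
    return problems


def _assertion(attrs):
    """Build a constructed, unsigned assertion fragment for the demo."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>" for n, v in attrs.items())
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
            "</saml:Assertion>")


# Constructed samples: default claim names vs. the names from step 10.
BEFORE = _assertion({DEFAULT_PREFIX + "givenname": "Ada",
                     DEFAULT_PREFIX + "surname": "Lovelace",
                     DEFAULT_PREFIX + "emailaddress": "ada@example.com"})
AFTER = _assertion({"first_name": "Ada", "last_name": "Lovelace",
                    "email": "ada@example.com"})

if __name__ == "__main__":
    print("before:", check_claims(BEFORE))
    print("after: ", check_claims(AFTER))
```
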

15\. Activate this SSO integration by *enabling the toggle*

![](https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-139a2f2f9c70ee7426eab0a4eba48790c6db964e%2Fazure_sso_gb_5.png?alt=media)

{% hint style="info" %}
If you want to sync user removal between Azure AD (Entra ID) and your Squadcast organisation, you need to enable this checkbox. Whenever a user is removed in Azure AD (Entra ID), that user will be removed from Squadcast as well.

If you want Squadcast to only consider a certain Group in Azure AD (Entra ID), then add the specific Group ID. If this is not entered, and the checkbox is enabled, all users in Azure AD (Entra ID) will be checked for syncing and removal.

**Important:** This will also require the Microsoft Teams bot to have Admin permissions.

<img src="https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2FkqEluWlFOOfVT8Cu0PtQ%2FScreenshot%202026-04-14%20at%204.43.22%E2%80%AFPM.png?alt=media&#x26;token=603fd400-c9d1-4206-9670-a3031960d147" alt="" data-size="original">
{% endhint %}

16\. To log in to Squadcast via Azure Active Directory SSO from here on, **within your Office 365 account, click on App Launcher, click on All Apps and you will be able to see Squadcast** there. Unless you have enabled email-password-based login for your User Role, you will not be able to log in to Squadcast using email-password from our web app [<mark style="color:blue;">login page</mark>](https://app.squadcast.com/).

{% hint style="info" %}
**Logging in from the Squadcast mobile app when Azure AD SSO is enabled:**

The user needs to first access and log in to [<mark style="color:blue;">myapplications.microsoft.com</mark>](https://myapplications.microsoft.com/) in the mobile browser. Here, they will be able to see the configured SSO (for Squadcast, as shown in the screenshot below). They can simply click on the icon to *log in*.

<img src="https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-9038ebbc160a70ffc635b033bd6371bff351ec6a%2Fazure_squadcast_22.png?alt=media&#x26;token=083e0639-32b7-4daf-8321-8393f9814ef2" alt="" data-size="original">
{% endhint %}

{% hint style="warning" %}
**Important:**

1. We do not support the provisioning and syncing of **Groups** from Azure AD (Entra ID) SSO into Squadcast. We support this only for **Users**.
2. To login to the Squadcast web app when Azure AD SSO is enabled, users can use **My Apps Secure Sign-in Extension** for easy login.
{% endhint %}

*Have any questions?* [*Ask the community*](https://community.squadcast.com/view/home)*.*
