Setting Up Microsoft Entra ID SAML for Single Sign-On
PlaidCloud supports Single Sign-On (SSO) via SAML 2.0. This guide walks through configuring Microsoft Entra ID (formerly Azure Active Directory) as a SAML identity provider so your organization's users can authenticate through Entra when accessing PlaidCloud.
Prerequisites
- An active Microsoft Entra ID (Azure AD) tenant
- An account with one of the following Entra roles: Global Administrator, Cloud Application Administrator, or Application Administrator
- Contact with PlaidCloud support to coordinate the setup and exchange configuration values
Overview
The setup process involves two parties exchanging SAML metadata:
- You configure an Enterprise Application in Entra ID and provide PlaidCloud with your App Federation Metadata URL.
- PlaidCloud provides you with the Service Provider (SP) Entity ID and Reply URL (Assertion Consumer Service URL) needed to complete your Entra configuration.
Coordinate with PlaidCloud support to obtain the SP values before completing Step 3 below.
Step 1: Create an Enterprise Application
- Sign in to the Azure portal and navigate to Microsoft Entra ID.
- In the left sidebar, select Enterprise Applications.
- Click + New application.
- Click + Create your own application.
- Enter a name for the application (e.g., PlaidCloud SSO).
- Select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create.
Step 2: Enable SAML-Based Single Sign-On
- After the application is created, select Single sign-on from the left sidebar under Manage.
- On the "Select a single sign-on method" screen, click SAML.
Step 3: Configure Basic SAML Settings
- In the Basic SAML Configuration section, click Edit.
- In the Identifier (Entity ID) field, enter the SP Entity ID provided by PlaidCloud.
- In the Reply URL (Assertion Consumer Service URL) field, enter the ACS URL provided by PlaidCloud.
- Click Save.
Step 4: Configure Attributes and Claims
By default, Entra will pass the user's email address and name in the SAML assertion. If your PlaidCloud configuration uses security group assignments from SSO, you should also include group claims.
Add Group Claims
- In the Attributes & Claims section, click Edit.
- Click + Add a group claim.
- Choose Groups assigned to the application (recommended to limit token size).
- Under Source attribute, select an appropriate value:
  - Group ID — passes the Azure Object ID (UUID) of the group
  - Cloud-only group display names — passes the human-readable group name (for cloud-only groups)
  - sAMAccountName — passes the on-premises group name (for hybrid/synced environments)
- Click Save.
Step 5: Assign Users and Groups to the Application
Only users and groups assigned to the Enterprise Application will be able to authenticate through this SSO configuration.
- In the left sidebar, select Users and groups under Manage.
- Click + Add user/group.
- Select the users or groups that should have SSO access to PlaidCloud.
- Click Assign.
Step 6: Retrieve and Send the App Federation Metadata URL
Once the application is configured, locate the Federation Metadata URL and send it to PlaidCloud so the integration can be completed.
- Navigate to the Single sign-on page for your Enterprise Application.
- Scroll to the SAML Certificates section.
- Copy the App Federation Metadata URL.
Send this URL to PlaidCloud support. This is the Entity Descriptor URL that PlaidCloud needs to configure the trust relationship on the identity provider side. Once PlaidCloud receives this URL, the team will complete the Keycloak configuration and notify you when SSO is ready to test.
Testing the Integration
After PlaidCloud confirms the configuration is complete:
- Navigate to your organization's PlaidCloud Workspace (e.g., https://my-workspace.plaid.cloud).
- You will be redirected to the Microsoft login page.
- Sign in with your Entra ID credentials.
- Upon successful authentication, you will be redirected back to PlaidCloud.
If you encounter errors, verify that:
- The SP Entity ID and Reply URL match exactly what PlaidCloud provided
- The user attempting to log in is assigned to the Enterprise Application
- The App Federation Metadata URL you sent to PlaidCloud is accessible (not blocked by a firewall or conditional access policy)