You are viewing documentation for Immuta version 2.8.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Azure Active Directory

Audience: Application Admins

Content Summary: Immuta can integrate with Azure Active Directory as an IAM over SAML 2.0. This page outlines how to register Immuta as an Azure Enterprise Application with Single Sign-On over SAML 2.0.

Create an Enterprise Application

Azure Subscription

Azure requires a Premium subscription to create a non-gallery application, which is essential for this integration.

  1. In the Azure portal, browse to Enterprise Applications.

  2. Click the New Application button.

  3. Click the Non-Gallery Application tile, name the application with the name of your choice, and click Add.

  4. On the left menu, choose the Single sign-on menu item and then pick the SAML tile.

  5. In the first section (Basic SAML Configuration), click the Edit icon and fill in the Identifier (Entity ID) field with the full URI of your Immuta app (e.g.,

  6. In the second section (User Attributes & Claims), specify the unique user identifier you want to use in Immuta. Common choices are the email claim or the userprincipalname claim. You can also specify the user claims you want Azure to expose to Immuta. You will use the names of those claims to map them to Immuta user attributes when you create an IAM.

  7. In the third section (SAML Signing Certificate), click the Download link next to Certificate (Raw) and save the file on your hard drive.

  8. In the fourth section, copy the Login URL and save it for when you create the IAM through the Immuta UI.

Now that you have an enterprise application in place, continue to create and configure an IAM in Immuta. You will need a few details from the Immuta UI to complete the configuration of the enterprise application.

Create an IAM

  1. In Immuta, browse to App Settings, go to the Identity Managers section, and click Add IAM.

  2. Assign a name to the new IAM. Immuta will automatically derive the ID of the IAM from the name you pick.

  3. Select SAML in the Identity Provider Type drop-down.

  4. Start configuring the new IAM:

    • Default Permissions: The default permission that should be assigned to an Azure Active Directory user in Immuta.
    • Issuer: This field needs to have the same value as the Identifier (Entity ID) of the enterprise application (e.g.,
    • Entry Point: Paste the Login URL that you obtained in the previous section. This URL adheres to the following format: ${APPLICATION_OBJECT_ID}/saml2, where ${APPLICATION_OBJECT_ID} is a unique ID assigned to your Azure enterprise application.
    • Attribute delimiter: Used to split multi-value attributes (e.g., for comma-separated list values, this field should read ,).
    • Signing Certificate: Upload the certificate file you previously downloaded, converted into a PEM-encoded certificate.
    • Profile Schema: Map user claims you have previously exposed in the application to Immuta user attributes.
    • Sync groups from SAML to Immuta: Check this checkbox if you would like Immuta to consume groups from Azure Active Directory.

    Before you can test the integration and save the new IAM, you will need to go back to the Azure Portal and fill in the Reply URL.

  5. In the Single sign-on page of your enterprise application, edit the first section with the title Basic SAML Configuration.

  6. Fill in the Reply URL (Assertion Consumer Service URL) field with a value that adheres to the following format: ${IMMUTA_URL}/bim/iam/${IAM_ID}/user/authenticate/callback. For example, if the URL to your Immuta instance is and the assigned IAM ID is AzureAD, the value of the Reply URL field should be To save the changes, click Save.

    Finding the assigned IAM ID

    You can find the IAM ID that Immuta has assigned to the IAM in the form.

  7. You should now be able to test the IAM and save it. After clicking Test Connection and letting Immuta hit the enterprise application URL, you will need to verify that the authentication flow works before you can save and create the IAM. To do so, click Test User Login and follow the instructions.

  8. Save the changes in Immuta.
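
The first procedure downloads Certificate (Raw), while the Signing Certificate field of the IAM expects a PEM-encoded file. The following is an added example, not part of the Immuta documentation, of one way to convert and check the file with OpenSSL before uploading it. It assumes the Raw download is a DER-encoded X.509 certificate and that the Thumbprint shown in the Azure portal is the SHA-1 fingerprint; the function and file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Immuta's code): prepare the Azure signing certificate for
# the "Signing Certificate" field. Function and file names are placeholders.
# Assumption: "Certificate (Raw)" is a DER-encoded X.509 certificate.

# der_to_pem IN OUT: write IN as PEM to OUT; reject anything that is not a cert.
der_to_pem() {
    d2p_in=$1; d2p_out=$2
    [ -s "$d2p_in" ] || { echo "missing or empty: $d2p_in" >&2; return 1; }
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$d2p_in"; then
        # Input is already PEM (for example the Base64 download): normalise it.
        d2p_form=PEM
    else
        d2p_form=DER
    fi
    openssl x509 -inform "$d2p_form" -in "$d2p_in" -outform PEM -out "$d2p_out" \
        2>/dev/null || { echo "not an X.509 certificate: $d2p_in" >&2; return 1; }
}

# cert_summary PEM: print subject, expiry and SHA-1 fingerprint so they can be
# compared by eye with the SAML Signing Certificate section (assumed SHA-1).
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha1
}

# cert_is_current PEM: succeed only if the certificate is still valid 30 days
# from now, so an about-to-expire signing certificate is noticed before upload.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend $((30 * 24 * 3600)) >/dev/null
}

# Stand-alone use: ./convert-cert.sh <raw-download.cer> <output.pem>
if [ "$#" -eq 2 ]; then
    der_to_pem "$1" "$2" && cert_summary "$2" || exit 1
    cert_is_current "$2" || echo "warning: certificate expires within 30 days" >&2
fi
```

If the fingerprint printed here does not match the one shown for the enterprise application, do not upload the file; download the certificate again from the portal.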