SSO - Set up enableHR as a service provider on Microsoft Azure Active Directory


This article details the steps to take within Azure Active Directory before configuring SAML 2.0 SSO with enableHR, with Azure Active Directory serving as the Identity Provider (IdP).

These instructions illustrate how to configure Microsoft Azure Active Directory (AD) as the IdP for enableHR. Please refer to the Azure documentation for additional information about the steps in the Azure portal.

Please Note: Configuring and installing Azure Active Directory is beyond the scope of this guide.

Additionally, this guide covers setting up Azure Active Directory in "Authentication Only" mode in enableHR.


Please ensure that you have the following before you start configuring Azure AD as the IdP:

  • a Premium Azure Active Directory subscription (Premium P1 is the minimum level at which SAML SSO becomes available with non-gallery applications);

  • an existing instance of Azure Active Directory.


Adding enableHR as a Non-Gallery Application

1.  In the Azure portal, on the left navigation pane, click "Azure Active Directory".

2. Click "Enterprise applications".

3. Click "New application".

4. Click "Non-gallery application" in the "Add an application" window.


5.  Type "enableHR".

6.  Click "Add".

Configuring SAML SSO in Azure

To configure SAML SSO in Azure:

1. In the Azure portal, on the left navigation pane, click "Azure Active Directory".


2. Click "Enterprise applications".


3.  Click the "enableHR" application you added in step 5 above.

4.  Click "Single sign-on".


5.  For "Single Sign-on Mode", choose "SAML-based Sign-on".

For the field "Identifier (Entity ID)" use

For the field "Reply URL (Assertion Consumer Service URL)" use

User Attributes - for "User Identifier", select "user.mail".

Select the checkbox "View and edit all other attributes".

Enter the following values and then click "Save".

Please note: The name of each attribute MUST be exactly as shown below (spaces included). Any deviation from the name will cause issues.



Email / User ID


Name ID


First Name


Last Name



Please see below for a visual reference of how the screen should look.


6.  Download the Metadata XML file as you will need the contents of this XML in the enableHR settings.



After the Metadata XML is downloaded, it needs to be made available to the Client Success team so that we can continue with the rest of the setup on our side.

Additionally, you will need to send enableHR your User Access URL. You can find your User Access URL in the "Enterprise Application" -> "Properties" section (please see the screenshot below).


Once SAML SSO has been configured, we will test the login by asking you to log in from Azure AD.
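While testing the login, one way to confirm that the attribute names Azure AD sends match the names listed in step 5 exactly is to check a captured assertion. The script below is an added example, not enableHR or Microsoft code; it assumes the four names are sent as SAML `Attribute` `Name` values, and the function name `check_attribute_names` and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names exactly as listed in this article (spaces included).
REQUIRED = ["Email / User ID", "Name ID", "First Name", "Last Name"]

# Constructed sample assertion (not real enableHR or Azure AD output).
# Two names deviate on purpose: "FirstName" (no space) and "Last name" (case).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email / User ID">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Name ID">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FirstName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Last name">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def _fold(name):
    """Normalise case and whitespace so near-misses can be paired up."""
    return "".join(name.split()).lower()

def check_attribute_names(assertion_xml, required=REQUIRED):
    """Return {required_name: 'ok' | 'missing' | "deviates: '<sent name>'"}."""
    # Only parse assertions from your own test login; this checks names,
    # not signatures. For untrusted XML, use a hardened parser (defusedxml).
    root = ET.fromstring(assertion_xml)
    sent = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", SAML_NS)]
    report = {}
    for want in required:
        if want in sent:  # exact match, spaces and case included
            report[want] = "ok"
            continue
        near = [s for s in sent if _fold(s) == _fold(want)]
        report[want] = f"deviates: {near[0]!r}" if near else "missing"
    return report

if __name__ == "__main__":
    for name, status in check_attribute_names(SAMPLE_ASSERTION).items():
        print(f"{name!r:20} {status}")
```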

Note #1: If you get this screen, try to log in once more from enableHR/Office Portal and you will be redirected to the correct screen. This issue only occurs the first time a user tries to log in via SSO. This issue is on our bug backlog and will be fixed soon. FIXED DECEMBER 2021


Note #2: If you or your users receive this error screen,


the Login URL in your enableHR SSO setup page needs to have the correct login URL entered. For example: 


against the enableHR Settings > Account Settings > Security > SSO > Login URL

