Single sign-on with Azure

Microsoft Entra ID is Microsoft's cloud-based directory and identity management service that you can integrate with Split's SAML 2.0 API to allow users to log into Split using their single sign-on (SSO) credentials. To learn more about configuring SAML in Split, refer to the Single sign-on overview guide.

Create an enterprise app in Azure

To create an enterprise app in Azure, do the following:

1. From the MS Azure console, enter Enterprise in the top search box and click Enterprise Applications.

2. Click New Application, then Create your own application. The Create your own application page appears.

3. In the What’s the name of your app? field, enter "Split".

4. Select the Integrate any other application you don’t find in the gallery radio button.

5. Click Create.

Configure enterprise app for SSO

Once the application is added, you can add users and set up SSO by doing the following:

1. Click the Assign Users and Groups link, and then Add user/group to add the users or groups that will use Split.

2. Under Manage, click Single sign-on.

3. Click SAML.

4. In the Basic SAML Configuration view, click Edit.

5. In both the Identifier and Reply URL fields, enter https://www.placeholder.split.io and click Save.

6. In the SAML Certificates box, click to download the SSO Federation Metadata XML. Note where you save the XML file.

Configure Split

Note: You need to be a Split administrator to configure SAML.

To configure Split SSO, do the following:

1. Navigate to the Split user interface and in the left navigation, click the user's initials at the bottom and select Admin settings.
2. Under Organizational settings, select Security. The Security page appears.
3. In the SAML tab, copy and paste the XML file contents into the Identity provider (IdP) metadata field.
4. Depending on your needs, select either SAML Strict Mode or Just-In-Time Provisioning (JIT) and click Save.

Note: For more information on SAML Strict Mode or JIT, refer to Adding SAML/SSO users guide.

A message displays indicating that the SAML is enabled. This gives you the proper information to place in the Identifier and Reply URL from the Basic SAML Configuration box that you first filled in with https://placeholder.split.io. Copy the Assertion Consumer Service URL link to your clipboard.

Add SAML settings

1. Navigate back to Azure and use the value for Assertion Consumer Service URL, provided in Split in the configuration parameters, into the Basic SAML Configuration box for Reply URL.
   Use the value for Audience URI, provided in Split in the configuration parameters, into the Basic SAML Configuration box for Identifier.
   Use the value for Default RelayState, provided in Split in the configuration parameters, into the Basic SAML Configuration box for Relay State.
   Optionally place the Single Sign-on URL from Split’s user interface into the Sign on URL to enable SP Initiated SSO using that URL

2. Click on Add reply URL and set the Reply URL to the Requestable SSO URL provided in Split in the configuration parameters:

3. Click Save. SSO is enabled.
4. You can test that single sign-on now works with Split by following the instructions below, depending on your setup.

• If you have JIT enabled or if your Azure account’s email address already exists in your Split organization:

Click Test in Test single sign-on with Split.

A new panel will open in Azure. Click on Test sign in.

A new tab will open and you will be logged into Split if the test is successful.

• If you do not have JIT enabled and your Azure account's email address does not exist in your Split organization:

You can test with a user that is in the Split app you created in Azure and in Split itself. Use the Single Sign-on URL provided in Split in the configuration parameters to test single sign-on using this user.