# Configuring SAML authentication settings in OpManager for Azure

Listed below are the steps to configure SAML authentication in OpManager (SP) for Azure (IdP) with Single Sign-On.

1. Log in to your Azure account. Expand the menu on the left-hand side, and select **Azure Active Directory**.

   ![Configure Azure IdP in OpManager: Azure active directory](https://www.manageengine.com/network-monitoring/how-to/images/Azure-1.png)

2. Click on **Enterprise applications**.

   ![Configure Azure IdP in OpManager: Enterprise applications](https://www.manageengine.com/network-monitoring/how-to/images/Azure-2.png)

3. Select **New Application**.

   ![Configure Azure IdP in OpManager: New application](https://www.manageengine.com/network-monitoring/how-to/images/Azure-3.png)

4. Enter the application name in the text box under **'What's the name of your app?'** and click on **Create** at the end of that page.

   ![Configure Azure IdP in OpManager: Create application](https://www.manageengine.com/network-monitoring/how-to/images/Azure-4.png)

5. On the left side menu, select **Single sign-on** and choose **SAML**. You will be taken to the **SAML based Sign-On page**.

   ![Configure Azure IdP in OpManager: SAML based sign-on page](https://www.manageengine.com/network-monitoring/how-to/images/Azure-5.png)

   ![Configure Azure IdP in OpManager: Single sign-on](https://www.manageengine.com/network-monitoring/how-to/images/Azure-6.png)

6. In **Basic SAML configuration**, select the edit option (the pencil icon).

   ![Configure Azure IdP in OpManager: Basic SAML configuration](https://www.manageengine.com/network-monitoring/how-to/images/Azure-7.png)

7. In this window, the **Entity ID, Assertion Consumer Service (ACS) URL, Sign on URL, and Logout URL** from OpManager need to be specified.

   ![Configure Azure IdP in OpManager: Specify Entity ID, Assertion Consumer Service (ACS) URL, Sign on URL, and Logout URL](https://www.manageengine.com/network-monitoring/how-to/images/Azure-8.png)

8. Go to OpManager and navigate to **Settings -> General Settings -> Authentication**.

   ![Configure Azure IdP in OpManager: Authentication under general settings](https://www.manageengine.com/network-monitoring/how-to/images/Azure-9.png)

9. Under **SAML**, copy the **Entity ID, Assertion Consumer Service URL**, and the **Logout URL** from the **Service Provider Details** section.

   ![Configure Azure IdP in OpManager: Service Provider Details](https://www.manageengine.com/network-monitoring/how-to/images/Azure-10.png)

10. Now, go back to Azure and enter those details in the **Basic SAML Configuration** section by selecting the edit option.

    ![Configure Azure IdP in OpManager: Basic SAML configuration](https://www.manageengine.com/network-monitoring/how-to/images/Azure-11.png)

11. Under the **Attributes & Claims** section, click on the **Edit** option (the pencil icon).

    ![Configure Azure IdP in OpManager: Attributes and claims](https://www.manageengine.com/network-monitoring/how-to/images/Azure-12.png)

12. Click on **user.displayname** [nameid-format:persistent].

    ![Configure Azure IdP in OpManager: user.displayname](https://www.manageengine.com/network-monitoring/how-to/images/Azure-13.png)

13. For OpManager versions:

    - **Before version 126147**, choose the Name Identifier format as **Persistent**. Choose the Source Attribute as **Display Name** if you are trying to authenticate local users in OpManager. If you are trying to authenticate AD or Domain users, click on **Transformation** and configure the appropriate **OGNL** expression to send the **NameID** value in the format **\**. Click **Save**.

      ![Configure Azure IdP in OpManager: Manage claim](https://www.manageengine.com/network-monitoring/how-to/images/Azure-14.png)

      **Note:** If your display name contains spaces or other special characters, user mapping issues might happen, so configure a different attribute like first name, or switch to the Email NameID format.

    - **For version 126147 and above**, choose the Name Identifier format as **Email address** and the Source Attribute as **user.mail**, and click **Save**.

      ![Configure Azure IdP in OpManager: Name identifier format and Source Attribute](https://www.manageengine.com/network-monitoring/how-to/images/Azure-16.png)

14. Now, download the **Federation Metadata XML** file from the **SAML Signing Certificate** section.

    ![Configure Azure IdP in OpManager: Federation Metadata XML file](https://www.manageengine.com/network-monitoring/how-to/images/Azure-18.png)

15. Open OpManager and go to **Settings -> General Settings -> Authentication -> SAML**. Upload the metadata file under **Identity provider details** and select the corresponding **NameID format** based on the OpManager version installed. Click on **Save**.

    ![Configure Azure IdP in OpManager: Select NameID format and save](https://www.manageengine.com/network-monitoring/how-to/images/Azure-29.png)

16. Now, click on the **Enable SAML SSO** option.

    ![Configure Azure IdP in OpManager: Enable SAML SSO](https://www.manageengine.com/network-monitoring/how-to/images/Azure-23.png)

17. Now go back to Azure and select **Users and groups** on the left side menu, then select **Add user/group**.

    ![Configure Azure IdP in OpManager: Add user/ group](https://www.manageengine.com/network-monitoring/how-to/images/Azure-19.png)

18. Click **None selected**, select the users from the right-hand side, and click **Assign**.

    ![Configure Azure IdP in OpManager: Select and assign users](https://www.manageengine.com/network-monitoring/how-to/images/Azure-20.png)

19. After assigning the users, ensure the user profiles are created in OpManager and verify the following:

    - **For Persistent NameID (Before version 126147)**, the username in OpManager should match the user displayname in Azure.

      ![Configure Azure IdP in OpManager: Username in OpManager to match user display name in Azure](https://www.manageengine.com/network-monitoring/how-to/images/Azure-26.png)

      ![Configure Azure IdP in OpManager: Username in OpManager to match user display name in Azure](https://www.manageengine.com/network-monitoring/how-to/images/Azure-24.png)

    - **For Email NameID (For version 126147 and above)**, the user Email in OpManager should match the user Email in Azure.

      ![Configure Azure IdP in OpManager: Email NameID in OpManager should match user email in Azure](https://www.manageengine.com/network-monitoring/how-to/images/Azure-27.png)

      ![Configure Azure IdP in OpManager: Email NameID in OpManager should match user email in Azure](https://www.manageengine.com/network-monitoring/how-to/images/Azure-25.png)

20. Now, log in to OpManager using your Azure account from the login page.

    ![Configure Azure IdP in OpManager: OpManager login using Azure account](https://www.manageengine.com/network-monitoring/how-to/images/Azure-28.png)