Configuring SAML with Azure Active Directory (Azure AD)

  1. In Azure AD, create an unlisted (non-gallery) application following the official documentation.
  2. Once the application is created, follow these instructions to enable SAML SSO. Use these configuration values (replacing "sourcegraph.example.com" with your Sourcegraph instance URL):
  • Identifier (Entity ID): https://sourcegraph.example.com/.auth/saml/metadata
  • Reply URL (Assertion Consumer Service URL): https://sourcegraph.example.com/.auth/saml/acs
  • Sign-on URL, Relay State, and Logout URL can be left empty.
  • User Attributes & Claims: Add the following attributes.
    email: user.mail (required)
    name: user.userprincipalname (optional)
    login: user.userprincipalname (optional)
  • You can leave the other configuration values set to their defaults.
  3. Record the value of the "App Federation Metadata Url". You'll need this in the next section.

2. Add the SAML auth provider to Sourcegraph site config

  1. Ensure externalURL in site config is set to the base URL (no trailing slash) you used in the Azure AD application configuration.
  2. Add an entry to auth.providers with type saml and identityProviderMetadataURL set to the "App Federation Metadata Url" you recorded in the previous section. Here is an example of what your site configuration should look like:
{
  // ...
  "externalURL": "https://sourcegraph.example.com",
  "auth.providers": [
    {
      "type": "saml",
      "identityProviderMetadataURL": "https://login.microsoftonline.com/7d2a00ed-73e8-4920-bbfa-ef68effe2d1e/federationmetadata/2007-06/federationmetadata.xml?appid=eff20ae4-145b-4bd3-ff3f-21edab43fe99"
    }
  ]
}

Confirm there are no error messages in the sourcegraph/server Docker container logs (or the sourcegraph-frontend pod logs, if Sourcegraph is deployed to a Kubernetes cluster). The most likely error message indicating a problem is "Error prefetching SAML service provider metadata". See SAML troubleshooting for more tips.
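As an added offline check (example code, not part of Sourcegraph's documentation or code base), the Python below derives from externalURL the Identifier and Reply URL that must match what was entered in Azure AD, flags a trailing slash or a missing SAML provider entry, and parses a constructed, abbreviated federation metadata document to show the fields Sourcegraph prefetches from the App Federation Metadata Url: the IdP entityID, the SSO endpoint and the signing certificate. The tenant and app IDs are reused from the example above; the certificate body is a placeholder.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed site config, same shape as the page's example (Sourcegraph site config allows // comments).
SITE_CONFIG = """{
  // ...
  "externalURL": "https://sourcegraph.example.com",
  "auth.providers": [{"type": "saml",
    "identityProviderMetadataURL": "https://login.microsoftonline.com/7d2a00ed-73e8-4920-bbfa-ef68effe2d1e/federationmetadata/2007-06/federationmetadata.xml?appid=eff20ae4-145b-4bd3-ff3f-21edab43fe99"}]
}"""

# Constructed, abbreviated document of the kind the App Federation Metadata Url returns (certificate is a placeholder).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/7d2a00ed-73e8-4920-bbfa-ef68effe2d1e/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>PLACEHOLDER_BASE64_CERT</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/7d2a00ed-73e8-4920-bbfa-ef68effe2d1e/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def load_site_config(text):
    # json.loads rejects comments, so drop whole-line // comments first (URLs inside strings are untouched).
    return json.loads(re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE))


def expected_sp_values(site_config_text):
    """Derive the Identifier and Reply URL that Azure AD must hold from externalURL, and list config problems."""
    cfg = load_site_config(site_config_text)
    base = cfg["externalURL"]
    problems = []
    if base.endswith("/"):
        problems.append("externalURL has a trailing slash; the URLs entered in Azure AD will not match")
    saml = [p for p in cfg.get("auth.providers", []) if p.get("type") == "saml"]
    if not saml or "identityProviderMetadataURL" not in saml[0]:
        problems.append("no auth.providers entry with type saml and identityProviderMetadataURL")
    base = base.rstrip("/")
    return {"entity_id": base + "/.auth/saml/metadata", "acs_url": base + "/.auth/saml/acs", "problems": problems}


def summarize_idp_metadata(xml_text):
    """Extract what Sourcegraph needs from the IdP metadata: issuer, SSO endpoints per binding, signing cert count."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    sso = {s.get("Binding").rsplit(":", 1)[1]: s.get("Location") for s in idp.findall(MD + "SingleSignOnService")}
    certs = idp.findall(f"{MD}KeyDescriptor[@use='signing']/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": len(certs)}
```

A metadata document with zero signing certificates, or an entityID from a tenant other than the one in identityProviderMetadataURL, is the kind of mismatch that surfaces in the logs as the prefetch error named above.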