# Azure SAML
source: https://docs.chalk.ai/docs/azure-saml

## Setting up Azure SSO via SAML

### Supported Features

- IDP-initiated Single Sign-On, initiated via Entra ID
- SP-initiated Single Sign-On, initiated from Chalk
- Push group and user provisioning via SCIM, initiated from Entra ID

For detailted information about Chalk's Authentication capabilities, refer to the main page
for SSO and SAML.

### Customers with Self-Hosted Web Dashboards

For customers whose self-hosted deployments include a full API server and frontend deployment via helm,
this page is only part of the setup needed to configure SAML. After completing this guide, please refer to
the Cloud Auth documentation to complete setup.

If your chalk web dashboard is not https://chalk.ai, check your team's dashboard for the correct values.
These can be found under Settings > Single-Sign On:

- Single Sign On URL: Should start with your custom URL and not chalk.ai, but retain the same URL path
- Audience URI: This should start with your custom URL and not chalk.ai
- Chalk's SAML Certificate is regenerated for each custom web dashboard - if your team did not generate this themselves, contact Chalk for support

### Setup Steps

All details and controls can be found on your team's Single Sign-On Page, found under the
settings section of your team's dashboard.

### Set Up an Entra ID SAML Application

- Navigate to your Entra ID admin dashboard
- From "Enterprise Apps", find and select "New Application"Select "Create your own application"Name this application ("Chalk", for example)Select "Integrate any other application you don't find in the gallery (Non-gallery)"
- Configure SAMLIn the application sidebar, find Single Sign-onSelect SAML as the login method
- Set Up SAML (Basic SAML Configuration)Identifier (Entity ID): https://chalk.ai/api/saml/metadata.xmlReply URL (Assertion Consumer Service URL): https://chalk.ai/api/auth/login/samlSign-On Url: https://chalk.ai/loginRelay State: Leave blankLogout URL: https://chalk.ai/api/auth/signout
- Set Up SAML (Attributes & Claims): This section will depend on your own Entra ID setup and what attributes are in use. However, Chalk requires the following to be set:givennamesurnameUnique User Identifier: This should match your user's primary email address attribute
- Set Up Application: No inputs are necessary in this section, but it is important to download the Federation Metadata XML for later
- Test single sign-on: This cannot be done until the following step to connect Chalk to your applicaiton

### Connect Chalk to your SAML Application

You can connect your Entra ID application with Chalk from Settings > Single-Sign On page. At the top of the page,
there is a button to add new applications. To integrate your SAML application with Chalk, upload the federated XML
from the previous page and it should auto-populate:

- Issuer
- Login URL
- Signing Certificate

SAML Chalk Setup Details

### Next Steps

After verifying that you can log in to Chalk from your Entra ID Application, you can:

- Register your email domain with Chalk
- Set up [SCIM provisioning](/docs/Entra ID-scim)