Overview
This guide walks you through connecting Galtea to Microsoft Entra ID (formerly Azure Active Directory) using SAML 2.0. When complete, your team can sign in to Galtea through their Microsoft accounts.
You will switch between the Azure portal and Galtea’s Organization Settings several times. Keep both browser tabs open.
Prerequisites
- Owner role in the Galtea organization, with an active Enterprise subscription.
- Global Administrator or Application Administrator role in Microsoft Entra ID.
Step 1 — Create an enterprise application in Azure
- Open the Azure portal and navigate to Microsoft Entra ID.
- In the left menu, click Enterprise applications.
- Click New application at the top of the list.
- Click Create your own application.
- Enter a name for the app (for example,
Galtea).
- Select Integrate any other application you don’t find in the gallery (Non-gallery).
- Click Create.
Step 2 — Enable SAML in the new application
- In the application overview, click Single sign-on in the left menu.
- Select SAML as the sign-on method.
Azure shows a page titled Set up Single Sign-On with SAML. You will fill in two sections.
In the Basic SAML Configuration panel, click Edit and fill in these two fields:
| Azure field | Value |
|---|
| Identifier (Entity ID) | The SP Entity ID you entered in Galtea’s Organization Settings |
| Reply URL (Assertion Consumer Service URL) | https://api.galtea.ai/auth/saml/callback |
Click Save.
The SP Entity ID is a value you define. Use a unique identifier for your organization (for example my-company or my-company-prod). The exact same value must be entered in both Galtea and in the Azure Identifier field. In Galtea, enter this value in both the SP Entity ID and Issuer fields.
Step 4 — Require a signed response and assertion
- In the SAML Certificates section, click Edit.
- Find the Signing Option dropdown.
- Select Sign SAML response and assertion.
- Click Save.
This makes Azure sign both the outer SAML response and the inner assertion. Galtea requires at least a signed response by default.
Step 5 — Copy IdP values from Azure into Galtea
Stay on the Set up Single Sign-On with SAML page in Azure and locate the Set up Galtea section (the section name matches the application name you chose).
| Azure field | Copy into Galtea field |
|---|
| Login URL | Sign on URL |
For the certificate:
- In the SAML Certificates section, find the Certificate (Base64) row.
- Click Download to save the
.cer file.
- Open the file in a text editor. You will see lines starting with
-----BEGIN CERTIFICATE-----.
- Copy the entire content (including the header and footer lines).
- Paste it into the Public Certificate field in Galtea.
Step 6 — Save and verify in Galtea
- In Galtea, click Save to update the organization settings.
- Ask a team member who has been assigned to the Azure application to sign in using the organization’s Team Slug.
Before testing, assign the user (or a test user) to the Galtea enterprise application in Azure. Go to the application → Users and groups → Add user/group.
Attribute mapping (optional)
By default, Entra ID sends the user’s email, first name, and last name in the SAML assertion using standard claim URIs. Galtea reads these automatically.
If your directory uses non-standard attribute names, add attribute mappings in the Attributes & Claims section of the SAML configuration in Azure.
Galtea reads the following attributes:
| Standard claim | Azure AD URI |
|---|
| Email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| First name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
| Last name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
Troubleshooting
| Symptom | Likely cause | Fix |
|---|
| ”AADSTS50011: The reply URL does not match” | The ACS URL in Azure does not match | Set Reply URL to exactly https://api.galtea.ai/auth/saml/callback |
| ”AADSTS650056: Misconfigured application” | Entity ID is blank or mismatched | Make sure the Identifier in Azure matches the SP Entity ID in Galtea |
| Signature validation error in Galtea | Wrong or expired certificate | Re-download the Base64 certificate from Azure and paste it again |
| User lands on an access-denied page | User not assigned to the app | Assign the user in Azure → Users and groups |