Microsoft Entra ID (Azure AD)

These instructions cover setting up SAML SSO between Microsoft Entra ID and Watching That.

Before you begin, contact support@watchingthat.com to request your account-specific Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) — you will need these in Step 3.

Step 1: Create a New Enterprise Application

  1. Navigate to the Enterprise applications section of the Azure Portal.

  2. Select New application. You will be redirected to the Browse Microsoft Entra Gallery page.

  3. Select Create your own application.

  4. In the modal that opens:

    • Name of your application: Watching That

    • Select Integrate any other application you don't find in the gallery (Non-gallery)

    • Select Create

Step 2: Assign Users or Groups

Before users can sign in, you need to assign them to the enterprise app.

  1. In the Getting Started section, select Assign users and groups.

  2. Select Add user/group. You will be redirected to the Add Assignment page.

  3. Select the None Selected link.

  4. Use the search field or select the checkbox next to the user(s) you want to assign.

  5. Select Select, then Assign.

For instructions on assigning groups, refer to Microsoft's documentation.

Step 3: Set Basic SAML Configuration

  1. In the left navigation, open the Manage dropdown and select Single sign-on.

  2. Select SAML as the single sign-on method. You will be redirected to the Set up Single Sign-On with SAML page.

  3. Find the Basic SAML Configuration section and select Edit.

  4. Paste the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) values that Watching That support provided into their respective fields. These save automatically.

  5. Select Save at the top of the panel, then close it.

Step 4: Verify Attributes & Claims

Watching That expects the following attributes in the SAML response. These are the Microsoft Entra defaults and most likely won't need changing — but it's worth double-checking, as incorrect attribute mappings are a common cause of SSO errors.

| Attribute | Claim name | Value |
| --- | --- | --- |
| Email address (required) | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail |
| First name (optional) | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.givenname |
| Last name (optional) | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.surname |

To verify:

  1. Still on the Set up Single Sign-On with SAML page, find the Attributes & Claims section and select Edit.

  2. Confirm the three attributes above are present with the correct values.
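To check the mappings against an actual sign-in rather than the portal view, the following added example (not part of Watching That's or Microsoft's documentation) inspects a captured SAMLResponse form value for the three claims above and compares its Audience and Recipient with the Step 3 values. The Entity ID, Reply URL and sample response are constructed placeholders, and the function name is hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EXPECTED = {"emailaddress": "required", "givenname": "optional", "surname": "optional"}

def check_response(b64_response, entity_id, reply_url):
    """List mapping problems in a base64 SAMLResponse form value.

    Diagnostic only: the signature is NOT verified here, so this must never
    be used to decide whether an assertion can be trusted.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    found = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        found[attr.get("Name")] = [
            v.text for v in attr.iterfind("saml:AttributeValue", NS) if (v.text or "").strip()
        ]
    problems = []
    for short, level in EXPECTED.items():
        if not found.get(CLAIMS + short):
            problems.append(f"{level} claim missing or empty: {CLAIMS}{short}")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} != Identifier (Entity ID) {entity_id}")
    recipients = [c.get("Recipient") for c in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if reply_url not in recipients:
        problems.append(f"Recipient {recipients} != Reply URL {reply_url}")
    return problems

# Constructed sample: placeholder Entity ID / Reply URL, emailaddress claim absent.
ENTITY_ID = "https://sp.example.invalid/entity"  # placeholder, not a real value
REPLY_URL = "https://sp.example.invalid/acs"     # placeholder, not a real value
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Assertion>
  <Subject><SubjectConfirmation><SubjectConfirmationData Recipient="{REPLY_URL}"/>
  </SubjectConfirmation></Subject>
  <Conditions><AudienceRestriction><Audience>{ENTITY_ID}</Audience>
  </AudienceRestriction></Conditions>
  <AttributeStatement>
    <Attribute Name="{CLAIMS}givenname"><AttributeValue>Ada</AttributeValue></Attribute>
    <Attribute Name="{CLAIMS}surname"><AttributeValue>Lovelace</AttributeValue></Attribute>
  </AttributeStatement></Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for line in check_response(SAMPLE_B64, ENTITY_ID, REPLY_URL) or ["no mapping problems found"]:
        print(line)
```

A captured response contains personal data and a bearer assertion, so handle it as sensitive and delete it once the mapping is confirmed.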

Step 5: Share the Metadata URL with Watching That

  1. Still on the Set up Single Sign-On with SAML page, find the SAML Certificates section.

  2. Copy the App Federation Metadata URL.

  3. Send this URL to support@watchingthat.com — Watching That will use it to complete the SSO setup on the platform side.