Microsoft Entra ID
Configure Microsoft Entra ID federation
Prerequisites
- Administrator access to Microsoft Entra ID (Global Administrator or Domain Administrator role)
- A SplitSecure Identity Provider created and approved
- A verified custom domain in your Entra tenant (cannot federate the default
.onmicrosoft.comdomain) - Microsoft Graph PowerShell module installed on a Windows machine
- DNS access to verify domain ownership
- A separate browser or browser profile with SplitSecure configured (for testing)
Entra ID Configuration
Verify Your Custom Domain
Before configuring federation, ensure your custom domain is added and verified in Entra ID.
- Go to Microsoft Entra admin center → Domain names
- Click Add custom domain
- Enter your domain name (e.g.,
splitsecure.com) - Add the provided DNS TXT record to verify ownership
- Click Verify
You can verify via PowerShell:
Connect-MgGraph -Scopes "Domain.Read.All"
Get-MgDomain | Select-Object Id, IsVerified, AuthenticationType Gather SplitSecure IdP Information
From SplitSecure, collect the following information:
The following values can be found in SplitSecure at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details
| Field | Value |
|---|---|
| IdP Entity ID (Issuer URI) | Under SAML IdP Entity ID |
| SSO Login URL | Under SSO URL (POST) |
| Signing Certificate | Click Download Certificate |
Configure Domain Federation
Connect to Microsoft Graph PowerShell and configure federation. See Microsoft documentation for more details.
The following variables can be found at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details:
| Variables | In SplitSecure’s details page |
|---|---|
| IssuerUri | SAML IdP Entity ID |
| PassiveSignInUri | SSO URL (POST) |
| idptokensigningcert | Download Certificate (.crt) |
# Connect with required permissions
Connect-MgGraph -Scopes "Domain.ReadWrite.All"
# Set your variables
$Domain = "<yourdomain.com>"
$IssuerUri = "<SAML IdP Entity ID from SplitSecure IdP Details>"
$PassiveSignInUri = "https://app.us.splitsecure.com/saml2/sp/login"
$SignOutUri = ""
# Load your signing certificate (base64 encoded, no headers)
$idptokensigningcert = [System.Security.Cryptography.X509Certificates.X509Certificate2]("C:\temp\certificate.crt")
$SigningCert = [system.convert]::tobase64string($idptokensigningcert.rawdata)
# Create federation configuration
New-MgDomainFederationConfiguration `
-DomainId $Domain `
-IssuerUri $IssuerUri `
-PassiveSignInUri $PassiveSignInUri `
-SignOutUri $SignOutUri `
-SigningCertificate $SigningCert `
-PreferredAuthenticationProtocol "saml" `
-FederatedIdpMfaBehavior "acceptIfMfaDoneByFederatedIdp" `
-DisplayName "SplitSecure SAML IdP" Verify Federation Configuration
Get-MgDomainFederationConfiguration -DomainId "yourdomain.com" | Format-List * SplitSecure Configuration
Configure SplitSecure with Entra ID SP Details
Return to SplitSecure and configure the SAML application with Entra ID’s Service Provider details:
- In SplitSecure, navigate to Secure Accounts → Create Account → Microsoft Entra ID
- Enter a name for your account
- Select the Identity Provider
- Download the metadata file from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml and upload it
- Click Create Account
Provision Users
Before users can authenticate via federation, they must exist in Entra ID with matching attributes.
Create a Federated User
$Password = "P@ssw0rd!" + (-join ((65..90) + (97..122) + (48..57) | Get-Random -Count 8 | % {[char]$_}))
$PasswordProfile = @{ Password = "$Password" }
$params = @{
UserPrincipalName = "user@yourdomain.com"
DisplayName = "User Name"
AccountEnabled = $true
MailNickName = "username"
OnPremisesImmutableId = "unique-immutable-id-001"
PasswordProfile = $PasswordProfile
UsageLocation = "US"
}
New-MgUser -BodyParameter $params Note the UserPrincipalName and OnPremisesImmutableId fields - you’ll need them for testing.
Verify User Configuration
Get-MgUser -UserId "user@yourdomain.com" | Select-Object UserPrincipalName, OnPremisesImmutableId, Id If the OnPremisesImmutableId is empty, go to Entra ID → Users → [click on your user] → [click Properties]
Test Authentication
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
Test Authentication (SP-Initiated)
- Navigate to https://entra.microsoft.com/
- Enter the user’s email address (e.g.,
user@yourdomain.com) - You should be redirected to SplitSecure for authentication
- Give the user’s UPN and OnPremisesImmutableId
- Complete the authentication flow
Use this URL to check federation status for a user: https://login.microsoftonline.com/getuserrealm.srf?login=user@yourdomain.com&json=1
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| No tenant-identifying information found | Issuer doesn’t match federation config | Ensure Issuer URI exactly matches (no whitespace) |
| User not found | User doesn’t exist in Entra ID | Provision user with matching UPN on federated domain |
| User not found (NameID mismatch) | NameID doesn’t match OnPremisesImmutableId | Ensure OnPremisesImmutableId exactly matches |
External Resources
- Entra ID SP Metadata Service provider metadata file
- SAML Protocol Documentation Federation configuration guide
- Microsoft Graph PowerShell PowerShell module for Graph API
Last updated: