Setting Up SAML SSO with Microsoft Entra ID
This guide explains how to configure SAML-based Single Sign-On (SSO) between AdvaPACS and Microsoft Entra ID (formerly Azure Active Directory).
Once complete, users will be able to sign in to AdvaPACS using their Entra ID credentials.
Prerequisites
Before you begin, ensure you have:
- Administrator access to Microsoft Entra ID
- Manage Authentication permission in AdvaPACS
- An active Entra ID tenant
Overview
The configuration process consists of the following steps:
- Create a SAML application in Entra ID
- Copy AdvaPACS Service Provider (SP) details into Entra ID
- Copy Entra ID Identity Provider (IdP) details into AdvaPACS
- (Optional) Configure MFA bypass behavior
- Test the integration
Step 1: Create a SAML Application in Entra ID
- Sign in to the Microsoft Entra admin center
- Navigate to Enterprise applications
- Click New application
- Select Create your own application
- Choose Integrate any other application you don’t find in the gallery (Non-gallery)
- Enter a name (for example: AdvaPACS)
- Click Create
Step 2: Configure SAML in Entra ID
- Open the newly created application
- Navigate to Single sign-on
- Select SAML
Configure Basic SAML Settings
- Under Basic SAML Configuration, click Edit
- You will now copy values from AdvaPACS into Entra ID
Configure a SAML IdP in AdvaPACS
From AdvaPACS, navigate to Admin -> Settings -> Authentication and select the SAML tab.
- Click Add Configuration
Values from AdvaPACS
From the AdvaPACS SAML configuration screen, copy:
- SP Entity ID
- SP Assertion Consumer Service (ACS) URL
Enter Values in Entra ID
Populate the following fields:
| Entra ID Field | Value |
|---|---|
| Identifier (Entity ID) | Paste the SP Entity ID from AdvaPACS |
| Reply URL (ACS URL) | Paste the SP Assertion Consumer Service URL from AdvaPACS |
Click Save and close the Basic SAML Configuration window.
Step 3: Copy Entra ID Identity Provider Details
On the SAML-based Sign-on page in Entra ID, locate the Set up <Application Name> section.
You will need the following values:
| Entra ID Label | Used in AdvaPACS As |
|---|---|
| Microsoft Entra Identifier | IdP Entity ID |
| Login URL | IdP Sign On URL |
Download the Entra ID Certificate
- Scroll to the SAML Certificates section
- Download the Certificate (Base64)
- Open the downloaded file in a text editor
- Copy the entire certificate contents
Step 4: Configure SAML in AdvaPACS
Enter Identity Provider (IdP) Settings
Fill in the following fields in the AdvaPACS SAML configuration screen:
IdP Name
- This is a display label shown on the AdvaPACS login screen
- You may choose any name
- Example: EntraID → users will see “Login via EntraID”
IdP Entity ID
- Copy from Entra ID: Microsoft Entra Identifier
IdP Sign On URL
- Copy from Entra ID: Login URL
IdP Certificate
- Paste the full contents of the Base64 certificate downloaded earlier
Step 5: MFA Bypass (Optional)
AdvaPACS can bypass its own MFA flow if MFA has already been enforced by your SSO provider.
- Bypass MFA
  - Set to true if MFA is enforced in Entra ID
  - Set to false if AdvaPACS should still prompt for MFA
We recommend enabling MFA enforcement via Entra ID Conditional Access policies before enabling MFA bypass in AdvaPACS.
Step 6: Save and Test
- Save your SAML configuration in AdvaPACS
- Log out of AdvaPACS
- On the login screen, select Login via <IdP Name>
- Sign in with an Entra ID user account
Troubleshooting
If login fails:
- Verify the Entity ID and ACS URL match exactly
- Ensure the entire Base64 certificate was pasted correctly
- Confirm users are assigned to the application in Entra ID
- Review Sign-in logs in Entra ID for SAML errors
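The first two troubleshooting checks can be scripted before touching either admin console. The following is an added example, not AdvaPACS or Microsoft code: the function names and the constructed stand-in certificate bytes are assumptions, and the certificate check covers only PEM framing, Base64 and the outer DER length, not signature or expiry.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(r"\A\s*-----BEGIN CERTIFICATE-----\s*(.*?)"
                    r"\s*-----END CERTIFICATE-----\s*\Z", re.DOTALL)

# Constructed stand-in, not a real certificate: a 300-byte DER SEQUENCE in PEM form.
SAMPLE_DER = b"\x30\x82\x01\x28" + bytes(296)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def check_pasted_certificate(pem_text):
    """Return (ok, detail); detail is the SHA-256 fingerprint when ok is True."""
    match = PEM_RE.match(pem_text)
    if not match:
        return False, "missing or damaged BEGIN/END CERTIFICATE line"
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid Base64 (characters lost or added)"
    # One DER SEQUENCE (tag 0x30) must span exactly the decoded bytes; a partial paste will not.
    if len(der) < 2 or der[0] != 0x30:
        return False, "decoded data is not a DER SEQUENCE"
    n = der[1] & 0x7F if der[1] & 0x80 else 0  # extra length bytes (long form)
    if der[1] == 0x80 or len(der) < 2 + n:
        return False, "unusable DER length header"
    declared = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    if 2 + n + declared != len(der):
        return False, f"truncated or padded: expected {2 + n + declared} bytes, got {len(der)}"
    return True, hashlib.sha256(der).hexdigest()


def explain_mismatch(advapacs_value, entra_value):
    """List why two Entity ID or ACS URL strings are not an exact match."""
    a, b = advapacs_value.strip(), entra_value.strip()
    reasons = []
    if (a, b) != (advapacs_value, entra_value):
        reasons.append("leading or trailing whitespace")
    if a != b:
        if a.rstrip("/") == b.rstrip("/"):
            reasons.append("trailing slash")
        elif a.lower() == b.lower():
            reasons.append("letter case")
        else:
            reasons.append("values differ in content")
    return [] if advapacs_value == entra_value else reasons
```

Run `check_pasted_certificate` on both the downloaded file and the text pasted into AdvaPACS; matching fingerprints confirm nothing was lost in the copy.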