Configure SAML SSO with Microsoft Entra ID

This guide walks you through configuring SAML Single Sign-On for Bruno using Microsoft Entra ID (formerly Azure Active Directory) as your identity provider.

Configure SSO in Bruno

Before configuring a SAML application in Microsoft Entra ID, first configure SSO in Bruno.

1. Log in to the Bruno License Portal
2. Navigate to Settings → SSO in the left sidebar

3. Toggle the Enable SSO switch on

4. Note the following values (you’ll need these when configuring Entra ID):

   • SAML ACS URL: Copy this URL exactly as shown in Bruno
   • SP Issuer ID / Entity ID: Set your own unique identifier (e.g., bruno-sso, bruno-entra, your-company-bruno, etc.)

Configure SSO with Microsoft Entra ID

Step 1: Create a New Enterprise Application

1. Log in to the Microsoft Entra admin center
2. On the left sidebar, navigate to Enterprise apps → + New application
3. Click Create your own application
4. Enter the application name: Set your own unique identifier (e.g., Bruno, Bruno-SAML-App, etc.)
5. Select Integrate any other application you don’t find in the gallery (Non-gallery)
6. Click Create

Step 2: Select SAML as Single Sign-On Method

1. In the created Enterprise Application, navigate to Manage → Single sign-on in the left sidebar
2. Select SAML as the single sign-on method

Step 3: Configure Basic SAML Configuration

1. Under Single sign-on section in the Basic SAML Configuration section, click Edit
2. Copy the values from the Bruno SSO settings page and paste them into your SAML configuration in Microsoft Entra ID:
   • Identifier (Entity ID): Paste the SP Issuer ID / Entity ID value from the Bruno License Portal
   • Reply URL (Assertion Consumer Service URL): Copy and paste the SAML ACS URL from the Bruno License Portal
3. Click Save

Step 4: Configure Attributes & Claims

Bruno requires three specific SAML attributes to be configured in Entra ID:

• Unique User Identifier (Name ID), roles, and fullName

These attributes map user information from Entra ID to your Bruno subscription, ensuring users get the correct access levels.

How Attribute Mapping Works:

• User Identification: Bruno uses the email address (NameID) to match the SSO user with existing Bruno users in your subscription
• Role Assignment: The roles attribute determines whether the user gets admin or standard access in Bruno
• Profile Information: The fullName attribute populates the user’s display name in Bruno

Required Claims

In the Attributes & Claims section:

1. Click Edit

2. Delete any existing claims that are not on this list
3. You will now update the claims to match the following:

Configuring the Unique User Identifier (Name ID) claim

This claim is required for user identification. It will be mapped to the user’s email address in Entra ID.

2. Click the Unique User Identifier claim
3. Select the Source Attribute option
4. Choose user.mail as the attribute
5. Click Save

Configuring the roles claim

The roles claim will represent the user’s roles in Bruno. This role value will be mapped to Bruno access levels for the License Portal and for License Activation. These roles could be hardcoded, mapped to existing user attributes, originate from App Roles, etc.

On the Attributes & Claims page:

1. Click Add new claim

2. Enter roles as the name

3. Configure the claim as follows:

   • Map to existing user attribute:
     • Under Source, select Attribute
     • Choose an existing user attribute like user.assignedroles, user.department, user.jobtitle, or custom attributes

4. Click Save

Important: The role value sent by Entra ID will be mapped to Bruno access levels in the License Portal’s SSO Settings. You’ll configure which role values correspond to admin or user access in Bruno (see Step 2 in the Bruno configuration section below).

Example Scenarios:

• If you set a static value of Engineering, you’ll add the value Engineering in the Bruno License Portal to the corresponding Admin or User role field
• If you map to user.department and a user’s department is IT, you’ll add IT to the appropriate role field in the Bruno License Portal

Configuring the fullName claim

The fullName claim represents the user’s full name. This may already be available in your Entra ID user profile as a single field (e.g., user.displayname). If so, you can map the fullName attribute directly to that field.

If a full name field is not available, you can concatenate the first and last name fields using a transformation as follows:

On the Attributes & Claims page:

1. Click Add new claim
2. Enter fullName as the name
3. Under Source, select Transformation
4. In Manage Transformation, configure the transformation:
   • Transformation: Join()
   • Parameter 1: user.givenname
   • Separator: (space)
   • Parameter 2: user.surname
5. Click Save

Finalized Attributes & Claims Configuration

Return to the Attributes & Claims page and verify the following:

1. Any other claims that are not shown below have been deleted
2. The Unique User Identifier (Name ID), roles, and fullName claims are configured as shown above

Finish SSO Configuration in Bruno

Step 1: Add SSO URL to Bruno License Portal

IdP Login URL / SSO URL

1. Return to the Enterprise Application page and navigate to Manage → Single sign-on in the left sidebar
2. In the Set up ‘AppName’ section 4, copy the following value:
   • Login URL: Copy this URL

3. Return to the Bruno License Portal tab you opened from the earlier configuration
4. Navigate to Settings → SSO (if not already there)
5. Under SAML Configuration paste the Login URL from Entra ID into the IdP Login URL / SSO URL field

Step 2: Add IdP Certificate to Bruno License Portal

Entra ID IdP Certificate

1. In the SAML Certificates section 3:
   • Certificate (Base64): Download the certificate

2. Open the downloaded certificate file and copy the contents (include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines)
3. Return to the Bruno License Portal tab
4. Under SAML Configuration paste the certificate contents into the IdP Certificate field

Step 3: Map the role values from Entra ID to Bruno access levels

1. Under the Bruno License Portal in the SSO Configuration page, scroll down to the Role Mapping section

2. Admin Roles: Enter the role values (comma-separated) that will have admin access to the Bruno License Portal

   • Example: admin,BrunoAdmin,IT-Administrators
   • These values must match what you configured in the roles attribute in Entra ID
   • Users with these roles can access the admin panel and manage licenses

3. User Roles: Enter the role values (comma-separated) that should have user access to Bruno

   • Example: user,Engineering,Developers,QA
   • These values must match what you configured in the roles attribute in Entra ID
   • Users with these roles will be able to activate their Bruno licenses with SSO. They will not have access to the admin panel.

Step 5: Configure Session Settings

1. Scroll down to the Session Timeout section:
   • Set the session timeout in seconds (default: 3600 = 1 hour)
2. Click Save Configuration to apply your SAML SSO configuration

Test Your SAML Configuration

Assign Users or Groups

1. In your Entra ID Enterprise Application, navigate to Manage → Users and groups in the left sidebar
2. Click Add user/group

3. Select the users or groups that should have access to Bruno, if using App Roles they can be assigned here
4. Click Assign

Test SSO Login

1. Navigate to the Bruno License Portal (https://license.usebruno.com/)
2. Enter the email address of a user assigned to the Bruno app in Entra ID
3. Click Login with SSO
4. You should be redirected to Entra ID to authenticate

5. If your user is an admin in Bruno and contains the correct role mapping, you should be redirected back to the Bruno License Portal

Next Steps

After setting up SSO with Microsoft Entra ID, you can:

• Configure SCIM Provisioning to automate user provisioning and deprovisioning
• Manage your Bruno licenses in the License Portal

Related Resources

For more information about configuring SAML SSO and managing roles in Microsoft Entra ID, refer to these Microsoft documentation resources:

• SAML authentication with Microsoft Entra ID - Overview of SAML protocol and authentication flow
• Enable SAML single sign-on for an enterprise application - Step-by-step guide for SAML SSO setup
• Customize SAML token claims - Configure custom attributes and claims for SAML applications
• Using App Roles for role-based access control - Configure and use App Roles for fine-grained access control
• Manage federation certificates for federated single sign-on - Manage and renew SAML certificates
• Plan a single sign-on deployment - Best practices and planning guide for SSO deployment