This guide walks through configuring Azure Active Directory (Entra ID) as the Identity Provider (IdP) for SAML SSO on your on-premise EK instance. It covers the SAML settings to enter in Azure AD, how to retrieve your federation metadata, and how to register the domain in EK to complete the integration.
EK’s generic SAML flow works with Azure AD / Entra ID out of the box. If you haven’t already, read the SAML SSO Overview to understand how the integration works before you begin.
Prerequisites
- You have admin access to your Azure AD / Entra ID tenant.
- You have Super Admin access to your on-premise EK instance.
- You know the fully qualified domain name (FQDN) of your EK backend host (e.g. ek-api.corp.acme.com).
- You know the email domain you want to enable SSO for (e.g. acme.com).
Part 1 — Configure Azure AD
Create a New Enterprise Application in Azure AD
Create a new enterprise application
In the Azure portal, navigate to Azure Active Directory → Enterprise applications and click New application. Select Create your own application, give it a name (e.g. EK SSO), and choose Integrate any other application you don’t find in the gallery (Non-gallery).
Open the SSO configuration
Once the application is created, navigate to Manage → Single sign-on and select SAML as the sign-on method.
Enter the Basic SAML Configuration
In the Basic SAML Configuration section, enter the following values:
| Field | Value |
|---|---|
| Identifier (Entity ID) | https://<your-FQDN>/backend/user/generic/sso/saml/acs/admin |
| Reply URL (ACS URL) | https://<your-FQDN>/backend/user/generic/sso/saml/acs/admin |
| Sign-on URL | Leave empty |
| Relay State | default |
| Logout URL | Leave empty |
Configure attributes and claims
In the Attributes & Claims section, confirm or add the following mappings:
| Attribute | Value |
|---|---|
| givenname | user.givenname |
| surname | user.surname |
| emailaddress | user.mail |
| name | user.userprincipalname |
| DisplayName | user.displayname |
| email | user.mail |
| Unique User Identifier (Name ID) | user.userprincipalname |
Part 2 — Retrieve the Azure AD Metadata
Once the Azure AD application is configured, retrieve the federation metadata URL:
Go to the SAML Certificates section
In your application, navigate to Manage → Single sign-on → SAML Certificates and copy the App Federation Metadata URL; you will need it in Part 3.
Part 3 — Register the Domain in EK
Send a POST request to the domain registration endpoint:
Required Fields
| Field | Description |
|---|---|
| enterprise_id | The email domain of your users (e.g. acme.com). |
| provider | "azure" |
| metadata_url | The App Federation Metadata URL from Part 2. |
| backend_root_url | (Optional) Required only in proxy setups to ensure correct routing. |
Authentication
The endpoint requires your EK API Key and Secret, passed as the X-API-KEY and X-API-SECRET headers.
On success, a record is created in the sso_providers table on the backend.
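The following script is an added example of the registration call described in Part 3; it is not part of the EK documentation or product code. The endpoint path EK_REGISTRATION_URL is a placeholder to replace with your deployment's domain registration endpoint, the request body is assumed to be JSON carrying the four documented fields, and the API key and secret are read from environment variables so they never land in a script or shell history. The validation rules (bare domain, HTTPS metadata URL, provider "azure") are this example's own checks, not EK's.

```python
"""Register an email domain for Azure AD SSO with EK's domain registration
endpoint. Added example; not EK documentation or product code."""
import json
import os
import re
import urllib.request

# Placeholder: substitute the domain registration endpoint of your EK backend.
EK_REGISTRATION_URL = "https://<your-FQDN>/backend/<domain-registration-endpoint>"

# A bare DNS name: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def build_registration(enterprise_id, metadata_url, backend_root_url=None, provider="azure"):
    """Validate the documented fields and return the JSON body for the request."""
    if "@" in enterprise_id or not DOMAIN_RE.match(enterprise_id):
        raise ValueError("enterprise_id must be a bare email domain such as acme.com")
    if provider != "azure":
        raise ValueError("this guide registers an Azure AD / Entra ID provider")
    if not metadata_url.startswith("https://"):
        # Metadata carries the IdP signing certificate; fetching it over plain
        # HTTP would let a network attacker substitute their own key.
        raise ValueError("metadata_url must be https")
    body = {
        "enterprise_id": enterprise_id.lower(),
        "provider": provider,
        "metadata_url": metadata_url,
    }
    if backend_root_url:
        if not backend_root_url.startswith("https://"):
            raise ValueError("backend_root_url must be https")
        body["backend_root_url"] = backend_root_url.rstrip("/")
    return body


def auth_headers(env=None):
    """Build the X-API-KEY / X-API-SECRET headers from the environment."""
    env = os.environ if env is None else env
    key, secret = env.get("EK_API_KEY"), env.get("EK_API_SECRET")
    if not key or not secret:
        raise RuntimeError("set EK_API_KEY and EK_API_SECRET in the environment")
    return {"X-API-KEY": key, "X-API-SECRET": secret, "Content-Type": "application/json"}


def register_domain(url, body, headers):
    """POST the registration and return (status, response body). Needs network access."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Constructed placeholder values; replace with your domain and metadata URL.
    payload = build_registration(
        "acme.com",
        "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>",
    )
    status, text = register_domain(EK_REGISTRATION_URL, payload, auth_headers())
    print(status, text)
```

On a 2xx response, confirm the new row in the sso_providers table before moving on to the frontend configuration; a registration that silently stored a wrong metadata_url is the usual reason the later sign-in test fails at the IdP redirect.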
Part 4 — Configure the Frontend
Once the domain is registered, set the frontend environment variable and restart the frontend service.
Open the frontend environment file
On your on-premise deployment server, open onprem-deployment/.env.web.
Add the environment variable
Add the following line, replacing acme.com with your actual email domain:
Test the Integration
Sign in to EK with a real @<domain> user to confirm the flow works end to end. If the user authenticates successfully but is denied access, check your SAML Access Controls configuration — see the EK SAML Access Controls and Automated Team/Project Assignment guide.