SAML Integration for Microsoft Entra ID (Azure AD)

1️⃣ Create a New Entra ID Application

  1. Go to the Microsoft Entra Admin Center
  2. Navigate to Microsoft Entra ID → Enterprise Applications
  3. Click + New Application
  4. Select Create your own application
  5. Fill in the Name field and create the application

2️⃣ Configure Single Sign-On with SAML

Once your application is created:

  1. Go to the app and select Single Sign-On from the left menu
  2. Choose SAML as the sign-in method

3️⃣ Edit Basic SAML Configuration

  1. Click Edit under Basic SAML Configuration
  2. Fill in the required fields (Entra field: value):
     • Identifier (Entity ID): https://sts.windows.net/{tenant-id}/ (must end with a trailing slash)
     • Reply URL (ACS): https://auth.timuscloud.com/user/external/saml

⚠️ Important: Always include a trailing slash (/) at the end of the Identifier. Microsoft often omits this when copying the URL, which leads to SAML validation failures in Timus. The Identifier must exactly match the Issuer provided by Entra ID.

4️⃣ Edit Attributes & Claims

  1. Under Attributes & Claims, click Edit
  2. Ensure the following attributes are present:
     • userPrincipalName: used as the NameID (maps to email in Timus)
     • givenname: maps to firstname
     • surname: maps to lastname

These attributes are required by Timus to create and identify users accurately.

5️⃣ Enable SAML Signing

Under SAML Certificates, ensure:

  • Sign SAML Response is enabled
  • Sign SAML Assertion is enabled

These settings allow Timus to validate the authenticity of incoming SAML messages.

🔐 (Optional) Enable Assertion Encryption

  1. In the app, go to Token Encryption
  2. Import Timus’s public key (provided upon request)
  3. In Timus Manager, paste your private key into the encryption key field (if used)

📌 Enable encryption only if required by your compliance policies or infrastructure.

6️⃣ Configure the Integration in Timus Manager

  1. Navigate to Settings → Integrations → SAML 2.0 → Manage
  2. Click Create New and fill in the following fields (the Entra values are found in section 4 of the SSO configuration in Entra):
     • Title: e.g., Microsoft Entra SAML
     • Identifier: Microsoft Entra Entity ID (ensure trailing /)
     • SAML 2.0 Service URL: Microsoft Entra Login URL
     • X.509 Certificate: exported from Entra ID's SAML certificate
  3. (Optional) Enable Require Encrypted Assertions
  4. Define Allowed Sites and enable Remote Access if needed
  5. Click Save

Note: For the X.509 certificate, download Certificate (Base64) from Entra, open the file in a text editor, and copy its contents into the integration field.

7️⃣ Assign Users & Groups in Entra ID

  1. In the app's left menu, go to Users and Groups
  2. Click + Add user/group
  3. Select the users or groups who should have access to Timus
  4. Click Assign

✅ First-Time Login Behavior

  • Users must first log in from https://myapps.microsoft.com by selecting the Timus app
  • This initial login creates the user in Timus via SAML
  • Attempting to log in directly to Timus without this step will fail

⏱️ After saving changes in Entra ID, it may take a few minutes for settings to propagate. Instruct users to refresh the app after a short delay before attempting to sign in again.


🛠️ Troubleshooting Tips

  • Ensure the Identifier field includes a trailing slash (/)
  • Confirm that userPrincipalName is used as the NameID
  • Verify the X.509 Certificate is valid and not expired
  • Confirm that both SAML Response and SAML Assertion signing are enabled
  • Make sure users are assigned to the app and have accessed it once from the Microsoft portal
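The first four tips can be checked against a captured, decoded SAML Response before opening a support case. The script below is an added example, not Timus or Microsoft code: it inspects the Response structure only (Issuer trailing slash and match, Response and Assertion signature elements, NameID, givenname/surname claims) and does not verify signature cryptography; the tenant id, NameID and signature values in the sample are constructed placeholders.

```python
# Added example (not Timus or Microsoft code): checks a decoded SAML Response
# for the settings this article requires. It only inspects structure; it does
# not verify signature cryptography, which the service provider must still do.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_CLAIMS = {"givenname", "surname"}  # short names from section 4

def check_response(xml_text, expected_identifier):
    # Returns {check_name: bool} for one decoded SAML Response document.
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    assertion = root.find("saml:Assertion", NS)
    # Entra emits claim names as URIs; compare on the last path segment.
    claims = {a.get("Name", "").rsplit("/", 1)[-1]
              for a in root.iterfind(".//saml:Attribute", NS)}
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    return {
        "issuer_has_trailing_slash": issuer.endswith("/"),
        "issuer_matches_identifier": issuer == expected_identifier,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
                            and assertion.find("ds:Signature", NS) is not None,
        "nameid_present": bool(name_id),
        "required_claims_present": REQUIRED_CLAIMS <= claims,
    }

# Constructed sample: tenant id, NameID and signature values are placeholders.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, ok in check_response(SAMPLE_RESPONSE, f"https://sts.windows.net/{TENANT}/").items():
        print(f"{'OK ' if ok else 'FAIL'} {name}")
```

To check a real login, base64-decode the SAMLResponse form field captured by the browser's developer tools and pass that XML text in place of the sample.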
