Microsoft Entra ID SAML SSO for ES-ERP
Centralise identity management and let your team log in to ES-ERP using their existing Microsoft credentials — no extra passwords required.
Overview
The Entra SAML Configuration module in ES-ERP provides a fully managed, single-location setup for integrating your organisation's Microsoft Entra ID (formerly Azure AD) tenant with your ES ERP instance. Configure once, and your entire team authenticates through Microsoft — with full support for multi-factor authentication, automatic user provisioning, group-to-role mapping, and optional SAML token encryption.
⚡ Key Features
🔘 One-Click SSO Enable / Disable
A single checkbox activates or deactivates Entra SAML authentication across the entire ES-ERP instance, with no code changes required.
📋 Service Provider Configuration
Store your ES-ERP Entity ID, Assertion Consumer Service (ACS) URL, and optional Single Logout (SLO) URL — all the values Entra ID needs to trust your application.
🔒 Identity Provider Settings
Capture your Entra Tenant ID, IdP SSO/SLO endpoints, and Federation Metadata URL in one place. Paste in the X.509 certificate directly from the Entra admin portal.
👤 Auto User Provisioning
Optionally create ES ERP user accounts automatically on a user's first SSO login. Assign a default role to new users so they're immediately active.
🗂️ Attribute Claims Mapping
Map Entra ID SAML claims to ES ERP user fields. Configure NameID format, email, first name, last name, and groups claim URIs to match your Entra attribute schema.
👥 Group → Role Mapping Table
Define a mapping between Entra ID security groups (by name or Object ID) and ES ERP roles. Multiple groups can be mapped to different roles in a single configuration.
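Added example (not ES-ERP's own code) of how the attribute claims mapping and the group → role table described above are applied to an incoming assertion: the configured claim URIs are looked up in the assertion, groups (by name or Object ID) are resolved to roles, and unmapped users fall back to the default role only when auto-provisioning is on. The claim URIs are Entra ID's default SAML claim names; the group names, Object ID, role names and sample assertion are constructed.

```python
import xml.etree.ElementTree as ET
SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute claims mapping as the ES-ERP module stores it. The claim URIs are
# Entra ID's default SAML claim names (assumption: a tenant may customise them).
CLAIMS_MAPPING = {
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}
# Group -> role table keyed by group display name or Object ID (constructed values).
GROUP_ROLE_MAPPING = {"ERP-Finance": "finance_user",
                      "8f3c1a2e-0000-4000-8000-000000000001": "erp_admin"}
DEFAULT_ROLE = "basic_user"  # granted on first login when auto-provisioning is enabled

# Constructed sample assertion; signature verification and decryption happen upstream.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>ERP-Finance</saml:AttributeValue>
      <saml:AttributeValue>8f3c1a2e-0000-4000-8000-000000000001</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Extract the configured claims from an already verified SAML assertion."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", SAML)
    name_id = assertion.find("./saml:Subject/saml:NameID", SAML)
    if name_id is None or name_id.get("Format") != CLAIMS_MAPPING["nameid_format"]:
        raise ValueError("NameID missing or its Format differs from the configured format")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", SAML)]
             for a in assertion.findall("./saml:AttributeStatement/saml:Attribute", SAML)}
    first = lambda key: (attrs.get(CLAIMS_MAPPING[key]) or [None])[0]
    return {"name_id": name_id.text, "email": first("email"),
            "first_name": first("first_name"), "last_name": first("last_name"),
            "groups": attrs.get(CLAIMS_MAPPING["groups"], [])}

def resolve_roles(groups, auto_provision=True):
    """Map Entra groups to ES-ERP roles. With no mapped group the user gets only the
    default role if auto-provisioning is on, otherwise an empty list for the caller to reject."""
    roles = sorted({GROUP_ROLE_MAPPING[g] for g in groups if g in GROUP_ROLE_MAPPING})
    return roles or ([DEFAULT_ROLE] if auto_provision else [])
```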
🛡️ SAML Token Encryption
Optionally enable end-to-end SAML assertion encryption. Store your SP private key and public certificate within the configuration for seamless decryption of Entra ID tokens.
🔐 Enforce SSO Login
Lock down the instance so only SSO-authenticated users can log in, disabling standard username/password authentication for improved security posture.
📊 SSO Test Tracking
Record the datetime and result of your last SSO integration test directly in the configuration. Attach troubleshooting notes for future reference.
⚙️ Setup Process — Up and Running in Four Steps
Configure ES-ERP SP Settings
Enter your Entity ID and ACS URL so Entra ID can route authentication responses back to your instance.
Register in Entra Admin Portal
Create a non-gallery enterprise application in Entra ID, configure SAML, and download the Federation Metadata XML.
Paste IdP Metadata into ES-ERP
Enter your Tenant ID, IdP URLs, and certificate into the Identity Provider section. Save and verify.
Test & Go Live
Test with a pilot user, review the result in the Status section, then enable SSO for all users.
📋 Configuration Reference
🛡️ Security Architecture
SAML 2.0 Protocol
Industry-standard federated authentication protocol. ES-ERP acts as the Service Provider (SP) while Microsoft Entra ID serves as the Identity Provider (IdP).
MFA Enforcement
Leverage your existing Entra ID Conditional Access policies. If MFA is required in your tenant, it applies to ES-ERP logins automatically — no additional configuration needed.
Token Encryption
Optional end-to-end encryption of SAML assertions ensures tokens cannot be intercepted or tampered with in transit between Entra ID and ES-ERP.
Password-less Access
When Enforce SSO is enabled, standard username/password login is disabled entirely. Users authenticate exclusively through Microsoft, eliminating password-related attack vectors.
Coordinated Logout
Single Logout (SLO) ensures that when a user signs out of ES-ERP, their Microsoft session is also terminated — preventing dangling authenticated sessions.
Certificate Management
X.509 certificates are stored directly in the configuration with expiry tracking. Rotate certificates before they expire by updating the IdP certificate field.
Technical Specifications
Protocol
- ✓ SAML 2.0
- ✓ HTTP-POST Binding
- ✓ SP-Initiated SSO
- ✓ Single Logout (SLO)
Identity Provider
- ✓ Microsoft Entra ID
- ✓ Federation Metadata
- ✓ X.509 Certificate
- ✓ Tenant ID Configuration
User Management
- ✓ Auto User Provisioning
- ✓ Group → Role Mapping
- ✓ Attribute Claims Mapping
- ✓ Default Role Assignment
Security
- ✓ MFA via Entra Policies
- ✓ Token Encryption
- ✓ Enforce SSO-Only Login
- ✓ Certificate Rotation
Ready to Simplify Your Team's Login?
Talk to the Enterprise Systems team about deploying the Entra SAML Configuration module on your ES-ERP instance. One configuration, zero extra passwords.
Microsoft Entra ID SAML SSO — Centralised Identity Management for ES-ERP
© 2026 Enterprise Systems Australia
