Test in a staging Entra enterprise app before enforcing SSO on production users. Keep at least one break-glass owner account with a non-SSO recovery path.
Prerequisites
- Microsoft Entra ID admin access
- Retrac workspace owner role
- Enterprise plan with SAML enabled
Set up Azure AD SAML
Open Retrac Security settings
In Retrac, go to Settings → Security and click to configure SAML Single Sign-On. Select Microsoft Entra ID (Azure AD) as your identity provider.
Create an enterprise app in Entra ID
In the Microsoft Entra admin center, go to Identity → Applications → Enterprise applications → New application. Choose Create your own application, name it Retrac, and select Integrate any other application you don’t find in the gallery (Non-gallery).
Configure SAML
Open the Retrac enterprise app → Single sign-on → SAML. From the Retrac SAML setup modal, copy the ACS URL and Entity ID. Enter them in Entra:
- Identifier (Entity ID) — Retrac Entity ID
- Reply URL (ACS URL) — Retrac ACS URL
- Sign-on URL — leave blank for IdP-initiated, or set per your flow
Copy the metadata URL
In the Entra SAML configuration, Microsoft provides an App Federation Metadata Url.
- On the SAML-based Sign-on page, find App Federation Metadata Url.
- Copy the metadata URL.
- In Retrac Settings → Security, paste the metadata URL into the SAML configuration form.
- Save the configuration in Retrac.
Configure claims
Under Attributes & Claims, ensure the token includes the claims listed in the table below.
Map Unique User Identifier (Name ID) to the user’s email or UPN, consistent with your Retrac email matching policy.
| Claim | Retrac expects |
|---|---|
| emailaddress or user.mail | Email address |
| givenname | First name (optional) |
| surname | Last name (optional) |
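As an added example (not Retrac's or Microsoft's code), the script below covers two preflight checks for the metadata step and the claims step above: it parses an IdP federation metadata document of the shape the App Federation Metadata Url returns (entity ID, SSO endpoint, signing certificate fingerprint), and it checks that a SAML assertion carries the Name ID and emailaddress claim the table expects and that its Issuer matches the metadata entity ID. The metadata, tenant ID, certificate bytes and assertion are all constructed samples; the claim URIs are the standard Entra defaults. XML signature verification is intentionally out of scope here.

```python
"""Preflight checks for an Entra ID SAML integration (added example, not Retrac's code).
All XML below is constructed sample data; real metadata comes from the
App Federation Metadata Url copied from the Entra admin center."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Standard claim names Entra emits under Attributes & Claims.
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

# Placeholder tenant (all zeros) and a constructed, non-X.509 certificate body.
TENANT_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
CONSTRUCTED_CERT_B64 = base64.b64encode(b"CONSTRUCTED-CERT-BYTES-NOT-A-REAL-X509").decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{TENANT_ISSUER}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{CONSTRUCTED_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <saml:Issuer>{TENANT_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIM_EMAIL}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIM_GIVENNAME}"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Same assertion with the emailaddress claim renamed, i.e. the required claim is missing.
BROKEN_ASSERTION = SAMPLE_ASSERTION.replace(CLAIM_EMAIL, CLAIM_SURNAME)


def parse_idp_metadata(xml_text):
    """Extract entity ID, SSO endpoints and signing-cert SHA-256 fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not SAML 2.0 metadata")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())  # pin this to detect key changes
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_fingerprints": fingerprints}


def check_assertion_claims(assertion_xml, expected_issuer):
    """Return a list of problems; empty means the assertion matches the expected claim set."""
    root = ET.fromstring(assertion_xml)
    problems = []
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append("Issuer %r does not match metadata entityID" % issuer)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    name_id_value = (name_id.text or "").strip() if name_id is not None else ""
    if not name_id_value:
        problems.append("missing or empty NameID (Unique User Identifier)")
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if CLAIM_EMAIL not in attrs or not any(attrs[CLAIM_EMAIL]):
        problems.append("required emailaddress claim is missing")
    elif name_id_value and name_id_value not in attrs[CLAIM_EMAIL]:
        problems.append("NameID differs from emailaddress claim; confirm the Retrac email matching policy")
    return problems


def run_preflight():
    """Run both checks over the constructed samples and return the results."""
    meta = parse_idp_metadata(SAMPLE_METADATA)
    return {"metadata": meta,
            "good_assertion": check_assertion_claims(SAMPLE_ASSERTION, meta["entity_id"]),
            "broken_assertion": check_assertion_claims(BROKEN_ASSERTION, meta["entity_id"])}


if __name__ == "__main__":
    for key, value in run_preflight().items():
        print(key, "->", value)
```

The fingerprint pin is the useful output of the metadata check: store it alongside the metadata URL so a later change to the tenant's signing certificate is noticed rather than silently accepted. The claims check is the kind of thing to run against a test assertion from the staging app before SSO is enforced.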