SSO with SAML: Azure


Before you start

Reach out to mabl support through the in-app chat or [email protected] to initiate the SAML setup process. You will need the Reply URL and audience (Entity ID) values provided by support in order to complete the setup. Please also tell support that you are using Azure as your Identity Provider.

Outlined here is the SAML setup process using Azure as an example of mabl SSO integration. It should work with other SAML identity providers that offer a similar setup. If you use Okta, try these docs instead: Single sign on with SAML: Okta

  • Within Azure, navigate to Azure Active Directory > Enterprise Applications
  • Then select + New Application
  • Then select + Create your own application
  • Choose a Non-Gallery Application
  • Give the application a name and click Create

Add an application

From the next menu:

  • Select Single sign-on
  • Select SAML

Example configuration

Basic SAML Configuration

  • Identifier (Entity ID): Provided by mabl support
  • Reply URL (Assertion Consumer Service URL): Provided by mabl support
  • Sign on URL: Optional
  • Relay State: Optional
  • Logout Url: Optional

User Attributes & Claims

Azure should automatically populate the following default user attribute claims:

  • givenname: user.givenname
  • surname: user.surname
  • emailaddress: user.mail
  • name: user.userprincipalname
  • Unique User Identifier: user.mail

Next steps

Save everything.

Pass these off to mabl support:

  • App Federation Metadata URL
  • Raw cert
  • Federation Metadata XML
  • Login URL
  • Azure AD Identifier


X.509 Certificate Security

This is a public key certificate: it contains only the public half of the signing key, and the private key never leaves Azure. There is therefore no security risk in passing it to mabl through normal channels.
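The values in the list above (Azure AD Identifier, Login URL, raw certificate) are all contained in the Federation Metadata XML that Azure lets you download. As an added example, not part of the mabl docs or mabl's code, the script below pulls those three values out of a constructed, minimal metadata document in the shape Azure emits (the tenant id and certificate body are placeholders) and classifies the pasted key material so that a certificate is not confused with a private key before it is sent to support.

```python
"""Extract the IdP values mabl support asks for from Azure's Federation Metadata XML.

Added example, not part of the mabl docs. SAMPLE_METADATA is a constructed
stand-in for the real Azure download; the tenant id and certificate are placeholders.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed DER: SEQUENCE { SEQUENCE { [0] { INTEGER 2 } } }, the outline of a
# certificate whose first inner element is the tbsCertificate SEQUENCE.
SAMPLE_CERT_DER = b"\x30\x07\x30\x05\xa0\x03\x02\x01\x02"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
# Constructed DER: SEQUENCE { INTEGER 0, INTEGER } - the outline of a private key.
SAMPLE_PRIVATE_KEY_B64 = base64.b64encode(b"\x30\x05\x02\x01\x00\x02\x00").decode()

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _der_header(buf, pos):
    """Read one DER tag and length at pos; return (tag, length, offset of content)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def classify_key_material(text):
    """Return 'certificate', 'private-key' or 'unknown' for a PEM block or raw base64.

    A certificate's outer SEQUENCE starts with another SEQUENCE (tbsCertificate);
    PKCS#1 and PKCS#8 private keys start with an INTEGER version field.
    """
    if "PRIVATE KEY" in text.upper():
        return "private-key"
    body = re.sub(r"-----[^-]+-----|\s", "", text)  # strip PEM armour and whitespace
    try:
        der = base64.b64decode(body, validate=True)
        tag, _, off = _der_header(der, 0)
        if tag != 0x30:
            return "unknown"
        inner_tag, _, _ = _der_header(der, off)
    except (ValueError, IndexError):
        return "unknown"
    if inner_tag == 0x30:
        return "certificate"
    if inner_tag == 0x02:
        return "private-key"
    return "unknown"


def extract_idp_settings(metadata_xml):
    """Return the Azure AD Identifier, Login URL and signing certificate from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    login_url = None
    for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_REDIRECT:
            login_url = sso.get("Location")
    cert = root.findtext(
        "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        default="", namespaces=NS).strip()
    return {
        "azure_ad_identifier": root.get("entityID"),
        "login_url": login_url,
        "certificate": cert,
        "certificate_kind": classify_key_material(cert),
    }


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the metadata you downloaded from the Azure app's Single sign-on page instead of SAMPLE_METADATA; a result of anything other than "certificate" for the key material means the wrong file was pasted.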


mabl Login Domain Restriction

Once configured, users attempting to sign up with an address under the designated fully qualified domain name (e.g. mail.company.com) will be required to authenticate through your designated SAML provider.


Additional e-mail domains

If you have additional domains for your workspace, for example your main connection is for [email protected] but users will also log into your workspace as [email protected], let our support team know when configuring your SAML connection and mabl can add those domains to your domain lock as well. Any additional domains will also be included in the domain lock. You may only use domains that your company fully owns.

After mabl gets this information and sets up the required connection to your SAML application, your organization will be able to log in and restrict access with your identity provider of choice.
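The values exchanged above (Entity ID, Reply URL, Azure AD Identifier, the default claims and the domain lock) are what a service provider checks on every assertion it receives. As an added example, not mabl's code, the script below validates a constructed, unsigned Azure AD-style assertion against placeholder values for those settings: issuer against the Azure AD Identifier, audience against the Entity ID, bearer recipient against the Reply URL, validity windows against a supplied clock, and the NameID and emailaddress claim against the domain lock. The claim URIs under http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ are the standard ones Azure emits for givenname, surname, emailaddress and name; everything else (SP_ENTITY_ID, REPLY_URL, the tenant id, the user) is a placeholder.

```python
"""Service-provider-side checks on an Azure AD SAML assertion before a login is honoured.

Added example, not part of the mabl docs. SP_ENTITY_ID and REPLY_URL stand in for the
values mabl support provides, IDP_ENTITY_ID for the Azure AD Identifier, and
SAMPLE_ASSERTION is constructed, unsigned XML in the shape Azure AD emits.
Signature verification against the IdP certificate is assumed to have happened first.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # prefix of Azure's default claims

SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"   # placeholder Identifier (Entity ID)
REPLY_URL = "https://sp.example.invalid/saml/acs"           # placeholder Reply URL (ACS URL)
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant
DOMAIN_LOCK = {"company.com", "mail.company.com"}           # placeholder domains the company owns

SAMPLE_ASSERTION = f"""<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <Issuer>{IDP_ENTITY_ID}</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@company.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="{REPLY_URL}"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
    <AudienceRestriction><Audience>{SP_ENTITY_ID}</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="{CLAIMS}givenname"><AttributeValue>Jane</AttributeValue></Attribute>
    <Attribute Name="{CLAIMS}surname"><AttributeValue>Doe</AttributeValue></Attribute>
    <Attribute Name="{CLAIMS}emailaddress"><AttributeValue>jane.doe@company.com</AttributeValue></Attribute>
    <Attribute Name="{CLAIMS}name"><AttributeValue>jane.doe@company.com</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>
"""


def _ts(value):
    """Parse the UTC timestamps SAML uses (e.g. 2024-05-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _domain(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def parse_claims(assertion_xml):
    """Map the short claim names the Azure UI shows (givenname, surname, ...) to their values."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(CLAIMS):
            name = name[len(CLAIMS):]
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims[name] = values[0] if len(values) == 1 else values
    return claims


def validate_assertion(assertion_xml, now, sp_entity_id=SP_ENTITY_ID, reply_url=REPLY_URL,
                       idp_entity_id=IDP_ENTITY_ID, domain_lock=DOMAIN_LOCK):
    """Return (ok, problems) for an already signature-verified assertion at time `now`."""
    root = ET.fromstring(assertion_xml)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"issuer {issuer!r} is not the configured Azure AD Identifier")
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience does not include our Entity ID")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions element")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion is not yet valid")
        if not not_after or now >= _ts(not_after):
            problems.append("assertion expired")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != reply_url:
        problems.append("bearer Recipient is not our Reply URL")
    elif not scd.get("NotOnOrAfter") or now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation expired")
    # Domain lock: both the Unique User Identifier (NameID) and the emailaddress claim,
    # which Azure fills from user.mail, must belong to a domain the company owns.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    email = parse_claims(assertion_xml).get("emailaddress", "")
    for label, value in (("NameID", name_id), ("emailaddress", email)):
        if _domain(value) not in domain_lock:
            problems.append(f"{label} {value!r} is outside the domain lock")
    return (not problems, problems)


def check_at(assertion_xml, iso_now, **overrides):
    """Convenience wrapper: validate with the clock set to an ISO timestamp."""
    return validate_assertion(assertion_xml, _ts(iso_now), **overrides)


if __name__ == "__main__":
    print(check_at(SAMPLE_ASSERTION, "2024-05-01T12:01:00Z"))
    print(check_at(SAMPLE_ASSERTION, "2024-05-01T12:06:00Z"))
```

The short bearer window on SubjectConfirmationData is checked separately from the Conditions window because Azure sets it tighter; an assertion can still be inside Conditions yet no longer replayable at the ACS.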