# Connecting Entra ID to Mobb

This guide explains how to integrate Microsoft **Entra ID** (formerly Azure Active Directory) with **Mobb** via **SAML** so your users can sign in with SSO.

***

### Prerequisites

* Admin access to the **Microsoft Entra Admin Center**.
* Permission to assign users/groups to Enterprise Applications.
* Ability to share configuration details (URLs, certificate, and email domains) with Mobb.

***

### Step 1 — Create an Enterprise Application

1. Sign in to **Entra Admin Center**.
2. Go to **Identity → Applications → Enterprise applications**.
3. Click **+ New application → Create your own application**.
4. Enter a name (e.g., `Mobb SSO`) and choose **Integrate any other application you don’t find in the gallery (Non-gallery)**.
5. Create the app, then open it → **Single sign-on** → choose **SAML**.

> You’ll land on the **Set up Single Sign-On with SAML** page.

***

### Step 2 — Configure SAML (Basic SAML Configuration)

First, define an application name that will represent this SAML configuration using the following naming convention:

```
YOUR_APP_NAME: Mobb-<YOUR_COMPANY_NAME>
```

For example, if your company name is `XYZ`, `YOUR_APP_NAME` will be `Mobb-XYZ`.

Fill in the following values:

* **Identifier (Entity ID)**

  ```
  urn:auth0:mobb-prod:<YOUR_APP_NAME>
  ```
* **Reply URL (Assertion Consumer Service URL)**

  ```
  https://auth.mobb.ai/login/callback?connection=<YOUR_APP_NAME>
  ```

Replace `<YOUR_APP_NAME>` with the exact connection name you intend to use (spaces are not recommended).

> Keep **Name ID format** as the default (usually `Unspecified` or `Persistent`). Mobb will map claims explicitly in Auth0.

***

### Step 3 — Assign Users and Groups

In the Enterprise Application:

1. Go to **Users and groups**.
2. Assign the users and/or groups who should be able to access Mobb.

> Only assigned users will be able to sign in via SSO.

***

### Step 4 — Export and Collect Details for Mobb

From the **Single sign-on** blade, collect:

* **Application name:** `<YOUR_APP_NAME>`
* **Certificate (Base64):** Download the **Base64** certificate (not DER).
* **Login URL** (a.k.a. **SAML Single Sign-On Service URL**)
* **Logout URL** (Front-channel or SAML logout URL, if configured)
* **Customer’s Email Domain(s):** e.g., `yourcompany.com`, `subsidiary.co`

> Mobb uses your domains to route users to the correct identity provider at login.
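
A pre-flight check for the values from Steps 2 and 4, as an added example (not Mobb's or Microsoft's code): it derives the Entity ID and Reply URL from the company name and flags a DER certificate, a non-HTTPS URL, or a malformed domain before the ticket is opened. The allowed character set for the app name and the lowercase-domain rule are assumptions of this example, and the function names are hypothetical.

```python
import base64
import re
from urllib.parse import urlparse

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}")

def saml_values(company):
    """Derive the Step 2 values from the company name."""
    app = f"Mobb-{company}"
    # Assumption: letters, digits, '-' and '_' only (the page only says no spaces).
    if not re.fullmatch(r"[A-Za-z0-9_-]+", app):
        raise ValueError(f"app name {app!r} has spaces or special characters")
    return {"app_name": app,
            "entity_id": f"urn:auth0:mobb-prod:{app}",
            "reply_url": f"https://auth.mobb.ai/login/callback?connection={app}"}

def cert_format(data):
    """Classify certificate file bytes as 'pem' (Base64), 'der' or 'unknown'."""
    m = PEM_RE.search(data.decode("ascii", errors="ignore"))
    if m:
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError:
            return "unknown"
        return "pem" if der[:1] == b"\x30" else "unknown"
    # A raw DER certificate starts with the ASN.1 SEQUENCE tag 0x30.
    return "der" if data[:1] == b"\x30" else "unknown"

def preflight(company, login_url, logout_url, cert_bytes, domains):
    """Return (derived values, list of problems) for the Step 5 ticket."""
    problems = []
    try:
        values = saml_values(company)
    except ValueError as exc:
        values, problems = {}, [str(exc)]
    # The Logout URL is optional ("if configured"), so it is checked only when given.
    urls = [("Login URL", login_url)] + ([("Logout URL", logout_url)] if logout_url else [])
    for label, url in urls:
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{label} is not an https URL: {url!r}")
    if (fmt := cert_format(cert_bytes)) != "pem":
        problems.append(f"certificate file is {fmt}, expected Base64 (PEM)")
    for domain in domains:
        if not DOMAIN_RE.fullmatch(domain):
            problems.append(f"domain {domain!r} is not a lowercase DNS name")
    return values, problems
```

Call `preflight(...)` with the bytes of the downloaded certificate file; an empty problem list means the bundle matches the formats this guide asks for. It does not check certificate expiry.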

***

### Step 5 — Send the Details to Mobb

Open a ticket at [Mobb Support Portal](https://support.mobb.ai/hc/en-us/requests/new) with subject:

```
Entra ID SSO Onboarding
```

Include:

* Your application name (`<YOUR_APP_NAME>`)
* Login URL
* Logout URL
* **Base64** certificate
* Company email domain(s)

Your Mobb support representative will contact you once the configuration is complete and ready for testing.

***

### Step 6 — Test SSO

* **From Entra:** use **Single sign-on → Test** to validate claims issuance.
* **From Mobb:** visit **app.mobb.ai**, start login, and enter an email from one of your approved domains. You should be redirected to Microsoft sign-in and, after successful auth, back to Mobb.

***

### Troubleshooting

* **User not assigned:** Ensure the user or their group is assigned to the Enterprise Application.
* **Domain not recognized:** Confirm your company email domain(s) were provided to Mobb and added to the connection.
* **Certificate errors:** Verify you sent the **Base64** certificate and it hasn’t expired.
* **NameID / claims mismatch:** The mapping on Mobb’s side assumes the `nameidentifier` claim is present. If your tenant emits a different primary identifier, let us know.
* **Case sensitivity:** Emails are normalized to lowercase by Mobb’s mapping; ensure downstream policies allow that.

***

### Summary

1. Create a **Non-gallery** Entra **Enterprise Application** using **SAML**.
2. Set **Entity ID** and **Reply URL** with your `<YOUR_APP_NAME>`.
3. Assign users/groups.
4. Send Mobb the **Login URL**, **Logout URL**, **Base64 certificate**, **app name**, and **email domains**.
5. Mobb completes Auth0 configuration and confirms readiness.
6. Test SSO from Entra and from Mobb.

