Microsoft Entra ID SAML Setup
Enable your users to sign in to Odeus using their Entra ID accounts via SAML 2.0.
Overview
This guide walks you through configuring SAML single sign-on with Microsoft Entra ID. You'll create an Enterprise application in Entra ID, configure SAML settings, and establish a secure connection between your identity provider and Odeus.
Once complete, your users will be able to sign in to Odeus using their Entra ID credentials.
Setup Checklist
Verify that you have completed these steps from the setup checklist:
- You have access to an admin account in your Odeus workspace
- "Join by domain" is enabled in your Odeus security settings
- Your domain is added and verified in your Odeus security settings
- You have an Entra ID account with the ability to create and manage Enterprise applications
Create a new Enterprise application in Entra ID
Next, you need to create a new Enterprise application in your Entra ID portal.
To do this, follow these steps:
- In your Entra ID portal navigate to the Overview page and add a new Enterprise application under "+ Add" → "Enterprise application"
- Create a new custom application by clicking on "+ Create your own application"
- Name your application (e.g., "Odeus")
- Select the option "Integrate any other application you don't find in the gallery (Non-gallery)"
SAML Configuration
Odeus uses SAML 2.0 as the standard for SSO authentication. After creating the application, you need to configure the SAML settings, which will allow Odeus to authenticate users via SAML.
First, navigate to the "Single sign-on" settings of your newly created application, by selecting "Set up single sign on" and choosing "SAML" as the single sign-on method.
Next, you need to get the SAML metadata from Odeus, which you can find in your Security settings.
Here, you need to copy two values from the SAML metadata:
- The "Audience URI (SP Entity ID)" value (odeus.ai)
- The "Assertion Consumer Service (ACS) URL" value
Now, you can configure the SAML settings in your Entra ID portal, by first clicking "Edit" in the "Basic SAML Configuration" section, and then filling in the following values:
- "Identifier (Entity ID)": The "Audience URI (SP Entity ID)" value from Odeus
- "Reply URL (Assertion Consumer Service URL)": The "Assertion Consumer Service (ACS) URL" value from Odeus
You can leave the other fields empty or with their default values. Finally, save the configuration by clicking "Save".
You also need to modify the default SAML Certificate configuration, by clicking "Edit" in the "SAML Certificates" → "Token signing certificate" section and:
- Setting the "Signing Option" to "Sign SAML response and assertion"
- Setting the "Signing Algorithm" to "SHA-256"
Finally, save the SAML Certificate configuration by clicking "Save".
To finalize the SAML setup, you need to copy the Login URL and the SAML Signing certificate from Entra ID to Odeus.
- In the "SAML Signing Certificate" section of your Entra ID portal, click the "Download" link next to "Certificate (Base64)" to download the certificate. Copy the entire certificate so that the beginning and end match the example below:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- Copy the "Login URL" value from the "Set up Odeus" section in your Entra ID portal.
In your Odeus workspace, navigate to the Security settings again and paste the copied values into the respective fields:
- Fill in the "Issuer" field with the Audience URI specified earlier (odeus.ai).
- Paste the "Login URL" value from Entra ID into the "Sign on URL" field
- Paste the SAML Signing certificate content into the "Certificate" field
Finally, to test your SAML setup, you need to activate it by enabling the "SAML Active" toggle.
Assign Users to the Application
Before users can sign in to Odeus via SAML, they must be assigned access to the Enterprise application in Entra ID.
By default, Entra ID requires explicit user assignment to prevent unauthorized access. Follow these steps to grant users access:
- In your Entra ID portal, navigate to the Odeus Enterprise application you created
- In the left menu, select "Users and groups"
- Click on "+ Add user/group"
- Under "Users", click on "None Selected" and search for the users you want to grant access to
- Select the users or groups that should have access to Odeus
- Click "Select" and then "Assign"
Best Practice: For organizations with multiple users, we recommend creating a dedicated Entra ID security group (e.g., "Odeus Users") and assigning this group to the application. This makes it easier to manage access as your team grows.
Alternative: Allow All Users
If you want to allow all users in your organization to access Odeus automatically without explicit assignment:
- In your Entra ID portal, navigate to the Odeus Enterprise application
- In the left menu, select "Properties"
- Set "Assignment required?" to "No"
- Click "Save"
Disabling assignment requirements will allow any user in your Entra ID tenant to access Odeus. Only use this option if you want to grant organization-wide access.
Test the SAML setup
To test the setup, stay logged in to your current browser session, then open a separate browser or an incognito window and navigate to https://app.odeus.ai.
Enter an email address of a user in your Entra ID account and click "Continue".
You will be redirected to the Entra ID login page, where you can enter your credentials.
After successful authentication, you will be redirected back to Odeus and logged in.
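After a test sign-in, the decoded SAML response can be checked against the settings chosen in this guide: response and assertion both signed, SHA-256 signature algorithm, audience equal to the Entity ID, destination equal to the ACS URL. The following is an added example, not Odeus or Microsoft code; the function names, the ACS URL placeholder and the sample response are constructed for illustration, and the check is structural only and does not replace cryptographic signature verification.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ACS_URL = "https://sp.example.invalid/saml/acs"  # placeholder, not the real Odeus ACS URL

def lint_response(xml_text, entity_id, acs_url):
    """Structural lint of a decoded SAML response; it does NOT verify signatures."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion found"]
    problems = []
    for label, node in (("response", root), ("assertion", assertion)):
        sig = node.find("ds:Signature", NS)  # direct child of the element it covers
        if sig is None:
            problems.append(f"{label} is not signed")
            continue
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg != RSA_SHA256:
            problems.append(f"{label} signature algorithm is {alg}")
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + node.get("ID", ""):
            problems.append(f"{label} signature does not reference its own ID")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audiences != [entity_id]:
        problems.append(f"audience is {audiences}, expected [{entity_id!r}]")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    return problems

def sample(sign_response=True, alg=RSA_SHA256):
    """Constructed response skeleton (no real signature values)."""
    def sig(ref_id):
        return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
                f'<ds:SignatureMethod Algorithm="{alg}"/><ds:Reference URI="#{ref_id}"/>'
                '</ds:SignedInfo></ds:Signature>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Destination="{ACS_URL}">' + (sig("_r1") if sign_response else "")
            + '<saml:Assertion ID="_a1">' + sig("_a1") + '<saml:Conditions>'
            '<saml:AudienceRestriction><saml:Audience>odeus.ai</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(lint_response(sample(sign_response=False), "odeus.ai", ACS_URL))
```

An empty list means the response matches the configuration above; "response is not signed" typically points to the "Signing Option" still being set to sign the assertion only.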
Multiple Entra ID Tenants with One Workspace
Odeus integrates with a single identity provider per workspace, so connecting multiple Entra tenants directly isn't supported.
The recommended approach is to route all authentication through one hub tenant and use Microsoft's B2B, cross-tenant synchronization, and cross-tenant access policies to bring users from other tenants in automatically.
Multiple Workspaces with the Same Entra ID Tenant
If you want to connect multiple Odeus workspaces to the same Entra ID tenant, this is possible but requires manual configuration by the Odeus team.
For each additional workspace, you need to:
- Ask the Odeus Team at [email protected] to create a new Workspace and provide you with the Assertion Consumer Service (ACS) URL.
- Create a separate Enterprise application in Entra ID for each workspace you want to connect (following the same steps as above)
- Use a unique Identifier (Entity ID) for each app registration. Instead of using odeus.ai, use a unique identifier like yourcompany.odeus.ai or workspace-name.odeus.ai
- Enter the Assertion Consumer Service (ACS) URL provided by the Odeus Team.
- Contact Odeus support at [email protected] and provide the following information for each additional workspace:
  - The Issuer (your unique Entity ID)
  - The Login URL (Sign-on URL)
  - The Certificate (Base64)
  - All email domains of users that should be able to join the workspace. More details on that here.
You cannot configure multiple SAML workspaces yourself. The Odeus team needs to manually configure the additional workspaces in the backend. We only offer this for our enterprise clients. Also, note that we cannot migrate users, chats, or assistants to other workspaces.
Workspace Switching Behavior
When users have access to multiple SAML-enabled workspaces with the same domain:
- After entering their email address during login, users will see a workspace picker to choose which workspace to access
- The regular "switch workspace" button is not available for SAML users
- To switch between workspaces, users need to log out and log in again, then select the desired workspace from the picker
Troubleshooting
If you encounter any issues during the setup, reach out to [email protected] for assistance.