This article describes the process of configuring Single Sign On (SSO) with Azure (Microsoft Entra ID) for xMatters, and highlights a few corrections to the Microsoft documentation.
Here's what you'll see in Azure, and what's required to configure SSO properly with xMatters:
In the xMatters OnDemand Domain and URLs section:
Identifier (Entity ID): Remove the trailing slash. For example:
https://contoso.au1.xmatters.com.au
This value is used as the Audience (Service Provider ID) in your xMatters SSO configuration. In most cases, the Audience is simply your xMatters domain URL, such as https://[your-company]-hed.xmatters.com, and must match exactly (including no trailing slash).
Reply URL: The reply URL is the SAML link from the metadata. For example:
https://contoso.au1.xmatters.com.au/sp/SSO.saml2
In the Azure SAML Configuration window:
Single Sign-On URL: Use the My Apps (myapps) link. For example:
https://myapps.microsoft.com/signin/xMatters%20OnDemand/4975267c-7215-454c-a714-9e04ad58e7cd
This ensures Azure correctly passes the SAMLRequest/SAMLResponse back to xMatters and helps avoid errors like "AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters." You may be able to find it in your Azure application configuration (User access URL), as shown below:
In the xMatters SAML Configuration window, ensure the following:
Identity Provider ID: Use the Azure AD (Entra ID) SAML Entity ID that begins with https://sts.windows.net rather than a login.microsoftonline.com URL.
Single Sign-On Service URL: Enter the Azure AD SSO URL from your xMatters Enterprise application (this will correspond to the myapps-based login).
Sign Out URL: (Optional but recommended) Enter the Azure AD logout URL if you want SLO (single logout) support.
Audience: Verify the Audience value in xMatters matches the Identifier (Entity ID) you configured in Azure, and that there are no mismatches such as a trailing slash. The Audience is typically your xMatters domain URL and must match the value in the SAML assertion.
Certificate: Upload the Azure AD signing certificate used by your SAML configuration.
Unique User ID: Ensure you select a unique user attribute (for example, email address) that matches how users are identified in xMatters.
Enable SAML/SSO: Confirm that SAML/SSO is enabled in xMatters once all values are set.
In the Azure configuration, make sure the Sign On URL is not populated. It should be left blank.
Note that if you enter a value for Sign On URL, it can result in a looping effect between the Azure login screen and the xMatters login screen, and may also trigger SAML errors indicating that a SAMLRequest or SAMLResponse parameter is missing.
If you still see SAML authentication issues (for example, system alerts or user logins failing with redirect-binding errors), double-check:
That the My Apps (myapps) URL is used as the Single Sign-On URL in Azure.
That the Audience/Identifier values match exactly between Azure and xMatters.
That you are using the correct URLs for the specific xMatters environment (production vs. non-production).
That SSO is enabled and the Identity Provider details in xMatters match what is configured in Azure AD.
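The checklist above boils down to a few exact-string comparisons between what Entra ID puts in the SAML response and what is configured on the xMatters side. The script below is an added example, not part of this article or of any xMatters or Microsoft tooling: it parses a decoded SAMLResponse (the constructed sample embedded in the script uses placeholder tenant IDs and the contoso hostnames from this article) and reports the mismatches this article warns about, such as an Audience that differs only by a trailing slash, an Issuer that is a login.microsoftonline.com URL instead of the sts.windows.net entity ID, or a Destination that is not the Reply URL. To use it on a real response, take the base64 SAMLResponse from a browser's network trace or the xMatters SAML error details, decode it, and pass the XML together with the values you entered in xMatters.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample (already base64-decoded); tenant ID and user are placeholders.
# It deliberately carries a trailing slash in the Audience so the check has something to find.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://contoso.au1.xmatters.com.au/sp/SSO.saml2">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@contoso.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://contoso.au1.xmatters.com.au/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _text(elem, path):
    """Return the stripped text of the first element at `path`, or None."""
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def check_saml_response(xml_text, expected_audience, expected_idp_id, expected_reply_url):
    """Compare a decoded SAMLResponse with the values configured in xMatters.

    Returns a list of human-readable findings; an empty list means the
    response agrees with the Audience, Identity Provider ID and Reply URL given.
    """
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> element in the response"]

    # 1. Audience must equal the Identifier (Entity ID) exactly, trailing slash included.
    audience = _text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience")
    if audience is None:
        findings.append("assertion carries no <saml:Audience>")
    elif audience != expected_audience:
        if audience.rstrip("/") == expected_audience.rstrip("/"):
            findings.append(f"Audience differs only by a trailing slash: "
                            f"got {audience!r}, xMatters expects {expected_audience!r}")
        else:
            findings.append(f"Audience mismatch: got {audience!r}, "
                            f"xMatters expects {expected_audience!r}")

    # 2. Issuer must be the Entra ID entity ID (sts.windows.net) and must equal the
    #    Identity Provider ID entered in xMatters.
    issuer = _text(assertion, "saml:Issuer")
    if issuer is None:
        findings.append("assertion carries no <saml:Issuer>")
    else:
        host = urlparse(issuer).netloc
        if host == "login.microsoftonline.com":
            findings.append("Issuer is a login.microsoftonline.com URL; "
                            "xMatters expects the https://sts.windows.net/... entity ID")
        elif host != "sts.windows.net":
            findings.append(f"Issuer host {host!r} is not sts.windows.net")
        if issuer != expected_idp_id:
            findings.append(f"Issuer {issuer!r} does not match the Identity Provider ID "
                            f"configured in xMatters ({expected_idp_id!r})")

    # 3. Destination should be the xMatters Reply URL (the /sp/SSO.saml2 endpoint).
    destination = root.get("Destination")
    if destination != expected_reply_url:
        findings.append(f"Destination {destination!r} is not the Reply URL {expected_reply_url!r}")

    # 4. NameID is what xMatters maps to the Unique User ID; it must be present.
    if not _text(assertion, "saml:Subject/saml:NameID"):
        findings.append("assertion carries no <saml:NameID> to identify the user")

    return findings


if __name__ == "__main__":
    for line in check_saml_response(
        SAMPLE_RESPONSE,
        expected_audience="https://contoso.au1.xmatters.com.au",
        expected_idp_id="https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        expected_reply_url="https://contoso.au1.xmatters.com.au/sp/SSO.saml2",
    ):
        print("FINDING:", line)
```

The Audience comparison is intentionally a plain string equality, because that is what the service provider does: a trailing slash is a different audience, which is why the article insists on removing it from the Azure Identifier.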