This example shows setting up an Entra ID (formerly Azure AD) Enterprise Application and connecting this to Snyk to facilitate SSO. To configure your Azure Enterprise Application to use SSO with Snyk, first obtain an entity ID and a reply URL (Assertion Consumer Service URL) from Snyk.
-
From the dropdown at the top left select GROUP OVERVIEW and then the cog icon (top right corner) to get to your group settings.
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3) (1).png)
Select group overview
-
Click on SSO and copy the values under Entity ID and ACS URL or leave the browser tab open for easy access.
 (1) (1) (1).png)
Group Settings: SSO
-
Navigate to Azure and open Entra ID.
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
Entra ID Default Directory
-
Click Add then Enterprise application.
 (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
Add Enterprise application
-
Choose Create your own application.
 (1).png)
Create your own application
-
Name the application appropriately, for example, Snyk-SSO, making sure that Integrate any other application you don't find in the gallery (Non-gallery) is selected and then click Create.
 (1) (1) (1).png)
Application name and integration
-
For the new app, select Set up single sign on and Get started.
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (3).png)
Set up single sign-on, Get started
-
Select SAML as the SSO method.
 (1).png)
Select SAML
-
Click Edit under Basic SAML configuration.
 (1) (1) (1).png)
Edit basic SAML configuration
-
Add the Identity (Entity ID) and reply URL (Assertion Consumer Service URL) you obtained from Snyk and click Save; then close the edit window.
Entity ID and Assertion Consumer Service URL
-
Scroll to find the login URL needed to finish the configuration in Snyk. Copy it and paste it into the SSO settings in the Snyk portal.
.png)
Login URL
 (3) (1) (1) (1) (1) (1) (1) (1).png)
Sign in URL in Snyk portal
-
Return to Entra ID and click Download next to Certificate (Base64).
Download SAML Certificate (Base 64)
-
Open the downloaded certificate in your preferred text editor, copy the text and paste it into the Snyk X509 signing certificate field, and add the relevant domains that are supported by this SSO connection.
Finally, verify if an IdP-initiated workflow should be enabled and then click Create Auth0 connection if you are creating a completely new connection or Save changes if you are editing an existing connection.
Enter certificate and domains supported, set connection
-
Decide how new users should be treated when signing in and choose the option you would like to use: Group member, Org collaborator, or Org admin. Finally, modify the profile attributes if your settings in Azure deviate from the default; then click Save changes and verify you can log in, either with the direct URL at the top of step 3 or by going to the generic SSO login.
If you are not receiving profile values as expected, you may need to add email, name, and username as additional claims within Azure SSO settings and then map those accordingly in the Snyk SSO Profile attributes section.
Azure claim settings
.png)
Profile attributes section
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3) (1).png)
 (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1).png)
 (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (3).png)
 (1).png)
 (1) (1) (1).png)
.png)
 (3) (1) (1) (1) (1) (1) (1) (1).png)
.png)
If you wish to add signature verification of the incoming Snyk request:
- Download the the Signing certificate at step 1 of the Snyk SSO settings.
- Use the following openssl command to convert it to .cer-format
openssl x509 -outform DER -in snyk.pem -out snyk.cer - At the bottom of the SAML Certificates settings of your SSO app in Active Directory, click Edit next to Verification certificates.
- Check Require verification certificates and upload the certificate from the output of the above openssl command and click Save.