Read supports single sign-on with a number of different SAML identity providers. This page explains the step-by-step process for setting up SAML authentication with Microsoft Entra. For a list of other supported providers, see How to: Setup SAML Authentication with Read AI.
Prerequisites
In order to set up SAML authentication with Microsoft Entra, you'll need:
- a Read Workspace with the Enterprise+ subscription
- someone who is an admin in your Read Workspace
- someone who is a Cloud Application Administrator in your Microsoft Entra configuration
Step-by-step instructions
1. Get your ACS URL and Entity ID
Start by having a Read Workspace admin go to Manage Workspace > Settings and expand the Advanced (Enterprise+ Required) section. Scroll down to the SAML section, where you can find and copy the ACS URL and Entity ID:
You'll need these in a later step.
2. Set up your SAML application
Next you'll create a new "enterprise application" in Microsoft Entra for Read:
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- Browse to Identity > Applications > Enterprise applications.
- Select New application and then Create your own application.
- Add a name for the app. For example, “Read AI SAML”.
- Select the Integrate any other application you don't find in the gallery (Non-gallery) option.
- Finally, select Create.
3. Connect Read to your SAML application
In this step, you will start to configure your application and send some key information back to Read Support:
- Navigate to the Enterprise Application you just created and click on Single sign-on in the left-hand menu.
- Select the SAML option and configure as follows.
- Add your Entity ID from step one (https://api.read.ai).
- Add your ACS URL from step one.
- Ensure the Attributes & Claims are as shown:
4. Connect your SAML application to Read
From Microsoft Entra, copy your Login URL and Microsoft Entra Identifier, and download your Certificate (Base64):
You'll then need to copy and paste the Login URL as the SSO URL, the Microsoft Entra Identifier as the IdP Entity ID, and the contents of the downloaded certificate into the certificate field:
Click save once you're done entering everything.
5. Test that it's working
Once you have finished setting up your SAML application and turned it on for the desired set of users in your Microsoft Entra configuration, you should test the sign-in process.
- Microsoft Entra has a “Test” button that will allow you to log in to read.ai and confirm everything is working:
- You can also go directly to your SSO login URL to see that it automatically redirects you to the Microsoft sign-in page first, and then to Read after successfully authenticating.
Note that changes to your SAML application can take several hours to finalize but typically happen more quickly. Once you've confirmed it's working, everyone that is authorized should be able to use the SSO URL to log in to Read.
As always, please contact Read Support if you need any assistance.
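If the test sign-in fails, it helps to compare the response Entra sent with the values configured in steps 1 to 4. The following is an added example, not Read's or Microsoft's code: it checks a captured SAMLResponse against the Entity ID, ACS URL and IdP Entity ID. The ACS URL and IdP identifier in it are constructed placeholders, and the sample response is built inline.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The Entity ID is the value shown on this page. The other two are constructed
# placeholders: use the ACS URL (step 1) and Microsoft Entra Identifier (step 4).
EXPECTED = {
    "acs_url": "https://sp.example.invalid/saml/acs",
    "sp_entity_id": "https://api.read.ai",
    "idp_entity_id": "https://idp.example.invalid/entra-identifier",
}

def check_saml_response(b64_response, expected=EXPECTED):
    """Return mismatches between a captured, URL-decoded SAMLResponse form
    value and the configured values (empty list = all fields match).
    Configuration check only: the signature is not verified here."""
    xml_bytes = base64.b64decode(b64_response, validate=True)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD found in SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")

    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    found = {
        "acs_url": root.get("Destination"),
        "idp_entity_id": text("saml:Assertion/saml:Issuer"),
        "sp_entity_id": text("saml:Assertion/saml:Conditions/"
                             "saml:AudienceRestriction/saml:Audience"),
    }
    return [f"{k}: expected {want!r}, got {found[k]!r}"
            for k, want in expected.items() if found[k] != want]

def constructed_response(audience, destination=EXPECTED["acs_url"]):
    """Build a minimal, unsigned sample response (constructed test data)."""
    idp = EXPECTED["idp_entity_id"]
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
           f' Destination="{destination}"><saml:Issuer>{idp}</saml:Issuer>'
           f'<saml:Assertion><saml:Issuer>{idp}</saml:Issuer><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
           f'</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":  # trailing slash in the Entity ID -> one mismatch
    print(check_saml_response(constructed_response("https://api.read.ai/")))
```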
6. [Optional] Disable other login methods by enforcing SAML
As an optional final step, if you would like to restrict your users to only logging in via SAML, please see Enforcing SAML for users in your domain. If this is enabled, users who try to log in from Read's sign in page will be automatically redirected to your SAML login flow.