This guide will show you how to set up your custom SAML application for Azure AD.
Step 1: Create application
- Login with admin permissions into the Azure Admin console.
- Navigate to "Enterprise applications" and click "New application"
- In the next screen, click "Create your own application" and give your application a name
- Select the option "Integrate any other application you don't find in the gallery"
Step 2: Configure your application
- Select the "Single Sign On" option from the Manage section of your app and then select "SAML".
- Click "Edit" on the 'Basic SAML Configuration' section.
- Enter the following values in the 'Basic SAML Configuration' section on the next screen and click "Save"
| Identifier (Entity ID) | https://tekst.com |
| Reply URL (Assertion Consumer Service URL) | https://api.tekst.com/api/auth/sso/saml |
Step 3: Attribute mapping
- Click "Edit" on the 'Attributes & Claims' section.
- Configure the following attributes under the 'Attributes & Claims' section:
| Name | Value |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.givenname |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | user.userprincipalname |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.surname |
- Go to the 'SAML Signing Certificate' section and download the 'Federation Metadata XML'.
Step 4: Upload metadata to Tekst
- Open the downloaded Federation Metadata XML file in a text editor and copy the entire contents.
- Log in to Tekst and navigate to Settings > SSO.
- Click "New SSO connection"
- Select "Azure AD" as the Identity Provider and click "Next"
- Paste the entire raw XML contents into the "Raw Metadata" field
- Click "Finish" to activate SSO. A success message will appear and a new "Continue with Azure AD" button will appear on the Tekst login page.
Ensure you paste the complete XML file including the declaration. Incomplete or malformed XML will result in a parsing error.
Step 5: Assign users in Azure AD
- Return to the Azure Portal and navigate to your Tekst Enterprise Application.
- Select "Users and groups" from the Manage section and click "Add user/group"
- Select the users or groups you want to grant access to Tekst and click "Assign".
Only users assigned to this Enterprise Application in Azure AD will be able to authenticate to Tekst via SSO. Ensure assigned users' email addresses match their Tekst accounts.
Step 6: Switching existing users to SSO
If you have existing users who currently log in with passwords, they can switch to SSO on their first SSO login. The SSO option will appear alongside the email/password login.
For detailed instructions on transitioning users, see How to switch a user from password login to SSO.
Communicate the change to your users via email with clear login instructions. Users will see both SSO and password options until passwords are disabled.
Troubleshooting
Raw metadata must be valid SAML XML
This error occurs when the XML is empty, incomplete, or malformed. Re-download the Federation Metadata XML from Azure and ensure you paste the complete file contents.
User not authorized or login fails
Verify the user is assigned to the Enterprise Application in Azure AD under Users and groups. Also check that the user's email in Azure matches their Tekst account email.
SSO button doesn't appear on login page
Ensure the SSO provider is activated in Tekst Settings. If you're on a free plan, you may need to upgrade to access SSO functionality.
AADSTS50105: User is blocked because they are not assigned access
This error means the user has not been granted access to the Tekst Enterprise Application in Azure AD. The full error message typically reads:
AADSTS50105: Your administrator has configured the application Tekst.com to block users unless they are specifically granted ('assigned') access to the application. The signed in user is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator.
This is a Microsoft-side restriction, not a Tekst issue. To resolve it, your IT administrator must assign the user to the Tekst Enterprise Application in Azure AD:
- Go to the Azure Portal and navigate to your Tekst Enterprise Application.
- Select "Users and groups" from the Manage section.
- Click "Add user/group" and assign the affected user or a group that includes them.
Once the user is assigned, they will be able to log in via SSO. If you are not an Azure AD administrator, contact your internal IT department to request access.
IdP-initiated login not working
Tekst only supports SP-initiated SSO, meaning users must start the login process at their organization's Tekst login page (e.g., <yourcompany>.tekst.com), not from the Azure AD dashboard.
0 comments
Please sign in to leave a comment.