Skip to main content
Table of Contents

Setup Guide - Microsoft Entra (formerly Azure AD) SAML SSO

This guide walks you through configuring SAML SSO between Microsoft Entra and LinearB. It follows the new LinearB documentation style: clean, concise, and focused on what admins actually need to do.…

heather.hazell
Updated by heather.hazell

This guide walks you through configuring SAML SSO between Microsoft Entra and LinearB. It follows the new LinearB documentation style: clean, concise, and focused on what admins actually need to do.

Before You Begin

Prerequisites

  • Microsoft Entra admin (or equivalent) with permission to create Enterprise Applications.
  • LinearB admin access.
  • SSO enabled for your LinearB workspace (contact your CSM or Support if you do not see SSO settings).

What You’ll Configure

  • A new non-gallery Enterprise Application in Microsoft Entra.
  • SAML-based sign-in (Entity ID + Reply URL).
  • Provider SSO URL, Issuer, and Certificate in LinearB.
  • User / group assignments in Entra.

Step 1 — Create the Microsoft Entra Enterprise Application

  1. Sign in to the Azure Portal at portal.azure.com.
  2. Go to Azure Active Directory → Enterprise applications.
  3. Click + New application.
  4. Choose Create your own application.
  5. Name it (for example) LinearB.
  6. Select “Integrate any other application you don’t find in the gallery (Non-gallery)”.
  7. Click Create.

Step 2 — Configure SAML in Microsoft Entra

  1. Open the newly created LinearB Enterprise Application.
  2. In the left menu, choose Single sign-on.
  3. Select SAML as the sign-in method.

Basic SAML Configuration

In the Basic SAML Configuration section:

  1. Click Edit.
  2. For Identifier (Entity ID), use your Microsoft Entra identifier (the Azure AD Identifier that uniquely represents your tenant).
  3. In a separate browser tab, open LinearB and go to:
    Settings → Single Sign On and enable SAML Authentication.
  4. Copy the Callback URL from LinearB and paste it into the Reply URL (Assertion Consumer Service URL) field in Entra.
  5. Click Save in Microsoft Entra.

Step 3 — Configure SSO in LinearB

Now use details from Microsoft Entra to complete the SSO configuration in LinearB. In LinearB, go to Settings → Single Sign On.

Provider single sign-on URL

Build the Provider SSO URL using your:

  • Azure Tenant ID
  • Application (Client) ID of the LinearB Enterprise Application

Use this format:

https://login.microsoftonline.com/<AZURE_TENANT_ID>/saml2/<APPLICATION_ID>

Paste the completed URL into the Provider single sign-on URL field in LinearB.

Provider issuer

In your Entra SSO application, locate the Azure AD Identifier (also shown on the SAML configuration page). Copy that value and paste it into the Provider issuer field in LinearB. It should be a fully qualified URL, for example: 

https://sts.windows.net/<TENANT_ID>/

Certificate

  1. In the Microsoft Entra SAML configuration, download the Signing Certificate in Base64 format.
  2. Open the certificate file in a text editor.
  3. Copy the full contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  4. Paste this into the Certificate field in LinearB.

When all three fields are complete, click Save in LinearB. LinearB will test the connection and confirm if SSO is configured correctly.

Step 4 — Assign Users and Groups in Entra

The Enterprise Application controls who can log in to LinearB via SSO.

  1. In the LinearB Enterprise Application, open Users and groups.
  2. Click + Add user/group.
  3. Select the users or groups that should have access to LinearB.
  4. Click Assign.
Important: The email address for the LinearB user who will configure SSO must be included as a user in this application (and typically as an owner) so they can complete the setup and test sign-in.

Step 5 — Test SSO

  1. In LinearB, stay on Settings → Single Sign On.
  2. Use the available Test or sign-in flow (for example, log out and click “Sign in with SSO”).
  3. Sign in using a Microsoft Entra account that:
    • Is assigned to the LinearB application, and
    • Has a matching email in LinearB.

If configuration is correct, you should be redirected through Entra and land back in LinearB successfully.

Troubleshooting

“User not recognized”
  • Verify the user is assigned to the LinearB Enterprise Application in Entra.
  • Confirm the SAML email being sent matches the user’s LinearB login email.
“Invalid SAML response” or similar errors
  • Check that the Reply URL in Entra exactly matches the LinearB Callback URL.
  • Confirm the Provider single sign-on URL and Provider issuer in LinearB are correct.
  • Re-download the Base64 certificate from Entra and re-paste it into LinearB, including the BEGIN/END lines.
Users assigned but still cannot sign in
  • Confirm the user is assigned to the LinearB app in Entra (not just to another app).
  • Ensure their email address in Entra matches the email used for their LinearB account.

Need assistance?
Please contact LinearB Support.

How did we do?

Setup Guide - Google Workspace (GSuite) SAML SSO

Setup Guide - Okta SAML SSO

Contact