Setup Guide - Microsoft Entra (formly Azure AD) SAML SSO

Prerequisites

• You must be an Azure Global Admin or have permissions to create Enterprise Applications.
• You must be an Admin in LinearB.
• LinearB must enable SSO for your workspace (contact your CSM if you do not see SSO settings).

What You’ll Configure

• A new Enterprise Application in Microsoft Entra
• SAML-based sign-in configuration
• User attribute mappings
• Azure → LinearB metadata exchange
• Optional: user assignment and access rules

1. Sign in to the Azure Portal at portal.azure.com.
2. Navigate to Azure Active Directory → Enterprise Applications.
3. Click + New application.
4. Select Create your own application.
5. Name it LinearB and choose:
   “Integrate any other application you don’t find in the gallery (Non-gallery application)”
6. Click Create.

Inside the newly created LinearB app:

1. Open Single Sign-On.
2. Select SAML as the sign-in method.

Enter the SAML configuration values

In LinearB, go to:

Settings → Authentication → SSO

Copy the following values from LinearB into Azure:

• Identifier (Entity ID) → paste LinearB Entity ID
• Reply URL (Assertion Consumer Service URL) → paste LinearB ACS URL

Next, download Azure’s metadata file:

• In the SAML page, click Download Federation Metadata XML.

Back in LinearB:

• Upload the XML under Upload Identity Provider Metadata.
• Click Save.

Note: Azure automatically populates the Login URL, Logout URL, and Microsoft Entra Identifier. LinearB extracts the certificate and endpoints from the metadata XML.

Microsoft Entra must send the correct SAML attributes to LinearB.

Required Attributes

To configure:

1. Go to User Attributes & Claims in the Azure SAML settings.
2. Click Add new claim.
3. Enter the name exactly as required (e.g., email).
4. Set the source as Attribute.
5. Select user.mail (or another required field).
6. Save each claim.

By default, no one can sign in until assigned.

1. In the app, open Users and Groups.
2. Click + Add user/group.
3. Select the users or groups who should access LinearB.
4. Click Assign.

Tip: Most organizations assign a security group (e.g., Engineering, Developers, All Employees).

1. Return to the LinearB SSO settings page.
2. Click Test Connection.
3. Sign in with your Microsoft Entra account when prompted.

If successful, LinearB will confirm with a green success message.

Common causes of failed tests:

• User not assigned to the Azure app
• Incorrect email claim
• Metadata file not uploaded
• Certificate mismatch

1. “User not recognized”

• Verify the email claim matches the user’s LinearB login email exactly.

2. “Invalid SAML response”

• Ensure the Entity ID and ACS URL match LinearB’s values.
• Confirm your metadata XML is current.

3. Assigned users still cannot sign in

• Check Users and Groups to ensure the user is assigned.

4. Certificate or signature errors

• Download a fresh metadata XML from Azure and re-upload it to LinearB.

Does LinearB support SCIM with Microsoft Entra?
Not yet. SCIM provisioning is only supported for Okta at this time.

Can we force all users to authenticate via SSO?
Yes. Your CSM can enable “SSO Required” so users must authenticate through Microsoft Entra.

Can contractors or external users authenticate?
Yes, as long as they exist in your Microsoft Entra tenant and are assigned to the LinearB application.