# Configure Access with Microsoft Entra ID/SAML SSO

> Require your Honeycomb Team to authenticate via Microsoft Entra ID, formerly Azure Active Directory.

<Badge className="hny-badge-enterprise">Ent</Badge><Badge className="hny-badge-pro">Pro</Badge>

<Info>
  This feature is available as part of the [Honeycomb Pro and Enterprise plans](https://www.honeycomb.io/pricing/).
</Info>

Enable single sign-on (SSO) to authenticate to Honeycomb with your Microsoft Entra account.
Microsoft Entra ID was formerly known as Microsoft Azure Active Directory (Azure AD).

In Honeycomb, Team Owners can require that their team members authenticate using Single Sign-On (SSO) via an external SAML 2.0 Identity Provider, such as Okta or Microsoft Entra ID.

When you configure SSO via an external SAML Identity Provider, you must get information generated during the configuration process from both Honeycomb and your Identity Provider.
Because you will also need to enter information into both Honeycomb and your Identity Provider's user interface, you will need to use more than one browser tab.

<Note>
  In this guide, we demonstrate a SAML Identity Provider configuration using Microsoft Entra ID.
  If you are using a different SAML Identity Provider, field names and locations may vary, so you will need to locate the corresponding fields in your Identity Provider's user interface.
</Note>

## Before You Begin

To successfully complete this guide, you should have an active [Microsoft Entra](https://entra.microsoft.com/) account.

<Warning>
  Once SSO is enabled for your Honeycomb Team, all users on your team will need to authenticate through that SSO provider to access the team.
  Any users that do not exist within your team's chosen SSO provider will not be able to log in.
</Warning>

<Note>
  A Honeycomb account can be linked to more than one SAML IdP, so linking this account won't affect any existing IdP connections.
</Note>

## Enable SSO in Honeycomb

To begin, enable SSO in Honeycomb, which will allow you to get Honeycomb's Service Provider settings:

1. In Honeycomb, navigate to **Account** > **Team Settings**, and select the **Team Details** view.

2. Locate the **Single Sign-On** section, which displays any previous SSO configuration.

3. If your team is already configured to use Google SSO, turn off Google SSO.

   <Frame>
     <img src="https://mintcdn.com/honeycomb/43K0N5kGXUhKPs19/_assets/images/sso/okta/hny-team-settings-sso-turn-off-google.png?fit=max&auto=format&n=43K0N5kGXUhKPs19&q=85&s=0378c2c5fe2171f8fb58b4c76e896ab9" alt="Turn off SSO" width="1297" height="474" data-path="_assets/images/sso/okta/hny-team-settings-sso-turn-off-google.png" />
   </Frame>

4. Select **Enable SSO**.

   <Frame>
     <img src="https://mintcdn.com/honeycomb/43K0N5kGXUhKPs19/_assets/images/sso/okta/hny-team-settings-sso-enable.png?fit=max&auto=format&n=43K0N5kGXUhKPs19&q=85&s=7e91d3bc23f5053305bb078eaa5cca7f" alt="Enable SSO" width="1297" height="173" data-path="_assets/images/sso/okta/hny-team-settings-sso-enable.png" />
   </Frame>

5. In the SSO provider configuration modal, select **SAML/Okta**, then select **Next**.

6. Locate the settings required by your Identity Provider. Information you will need includes:

   * Service Provider Issuer
   * Service Provider ACS URL
   * Service Provider Certificate (optional, used when your Identity Provider requires encrypted SAML assertions or signed authentication requests)

   Leave this browser tab open, so you will have the information you need to configure your Identity Provider.

   <Frame>
     <img src="https://mintcdn.com/honeycomb/43K0N5kGXUhKPs19/_assets/images/sso/okta/hny-team-settings-sso-saml-settings-empty.png?fit=max&auto=format&n=43K0N5kGXUhKPs19&q=85&s=3177f2ff5e3d0089c29a2fb52478f9a1" alt="SAML Honeycomb settings screen" width="1225" height="1340" data-path="_assets/images/sso/okta/hny-team-settings-sso-saml-settings-empty.png" />
   </Frame>

   <Note>
     Honeycomb generates a unique identifier based on your team name. You will see the identifier appended to the values in the **Service Provider Issuer** and **Service Provider ACS URL** fields. For this example, the team name is `Crewbacca`, so the team's generated identifier is `crewbacca`.
   </Note>

## Configure Your Identity Provider

Next, configure your Identity Provider to work with Honeycomb.
To do this, you must set up SSO for an application integration in your Identity Provider, and then specify which users should be able to use SSO to log in to your team in Honeycomb.

When you configure your Identity Provider, you must [provide exact configuration values for your SAML attributes](#exact-configuration-values).

<Note>
  In this section, we demonstrate a typical SAML Identity Provider configuration using Microsoft Entra ID.
  If you are using a different SAML Identity Provider, field names and locations may vary, so you will need to locate the corresponding fields in your Identity Provider's user interface.
</Note>

### Set Up SSO

Set up SSO in your Identity Provider using the Service Provider settings you retrieved from Honeycomb:

1. Open a new browser tab, and go to your Microsoft Entra admin center.

2. In Microsoft Entra, go to **Dashboard** > **Enterprise Applications** > **Overview**.

3. Select **+ New application**. The Browse Microsoft Entra Gallery display appears.

4. Select **Create your own application**.

5. When prompted, name your app in the format "Honeycomb \[Your Team Name]" and select the **Integrate any other applications you don't find in the gallery (Non-gallery)** radio option.

   <Frame>
     <img src="https://mintcdn.com/honeycomb/43K0N5kGXUhKPs19/_assets/images/sso/microsoft-entra-id/ms-entra-app.png?fit=max&auto=format&n=43K0N5kGXUhKPs19&q=85&s=aeded1d41bc665868d37e03e9d2b1cce" alt="Microsoft Entra Create your own application modal" width="577" height="393" data-path="_assets/images/sso/microsoft-entra-id/ms-entra-app.png" />
   </Frame>

   <Tip>
     Because you can have multiple Honeycomb teams connected to SSO and separate SSO configurations for each Honeycomb team, ensure your chosen application name clearly defines which team uses this SSO integration.
     The application name will appear in your application directory after installation.
     For this example, our team name is `Crewbacca`, so we name our application `Honeycomb [Crewbacca]`.
   </Tip>

6. Assign yourself access to the new Honeycomb enterprise application.
   Your user account must be assigned to the Honeycomb application in order to finish configuration.
   You may assign other users to the application now, or you can wait and add more users later.

7. Select **SAML** as the single sign-on method.

8. For **Set up Single Sign-On with SAML**, locate the **Basic SAML Configuration** section, and enter your retrieved Honeycomb setting values according to the following mapping:

   | Microsoft Entra ID Field                       | Honeycomb Setting Name                                                                                    |
   | ---------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
   | **Identifier (Entity ID)**                     | **Service Provider Issuer/Entity ID**                                                                     |
   | **Reply URL (Assertion Consumer Service URL)** | **Service Provider ACS URL**                                                                              |
   | **Sign on URL**                                | The `honeycomb.io` base domain from the URLs above plus the path `/login/sso/{team_slug}`. See tip below. |

   <Tip>
     To find the **Sign on URL** value for Microsoft Entra ID, navigate in Honeycomb to **Account** > **Team Settings** > **Team Details**, scroll to the **Single Sign-On** section, and copy the URL that appears in the paragraph that reads "manually visit `https://ui.honeycomb.io/login/sso/<your team slug>`".
   </Tip>

   <a id="exact-configuration-values" />

9. Locate the **Attributes & Claims** section, and add the following values:

   <Info>
     The values for SAML attributes must be the exact values we provide below.
     For example, for the `Email` attribute, enter `user.mail`, not the actual email address of the user.
   </Info>

   | Attribute Name           | Value                    |
   | ------------------------ | ------------------------ |
   | `Email`                  | `user.mail`              |
   | `FirstName`              | `user.givenname`         |
   | `LastName`               | `user.surname`           |
   | `Unique User Identifier` | `user.userprincipalname` |

   All attributes should have no namespace.

   Leave advanced SAML claims options as their defaults:

   | Advanced SAML Claims Option     | Value      |
   | ------------------------------- | ---------- |
   | `Include attribute name format` | `Disabled` |
   | `Issuer with application ID`    | `Disabled` |
   | `Audience override`             | `none`     |

When you have finished, your complete Microsoft Entra SAML configuration for Honeycomb should look similar to our example:

<Frame>
  <img src="https://mintcdn.com/honeycomb/43K0N5kGXUhKPs19/_assets/images/sso/microsoft-entra-id/ms-entra-complete.png?fit=max&auto=format&n=43K0N5kGXUhKPs19&q=85&s=6031582247e0e9200aa1f34f655b3bc8" alt="Complete Microsoft Entra SAML configuration for Honeycomb" width="1069" height="1067" data-path="_assets/images/sso/microsoft-entra-id/ms-entra-complete.png" />
</Frame>
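
A diagnostic for the attribute settings in step 9, as an added example that is not part of Honeycomb's documentation or tooling: it checks a decoded SAML assertion, captured from your own test login, against the attribute tables above. The sample assertion, the `check_assertion` name, and the treatment of `Unique User Identifier` as the assertion's `NameID` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("Email", "FirstName", "LastName")  # attribute names from the table above

# Constructed sample (not a real login): the Email claim kept a namespace
# and a NameFormat, which is what the settings in step 9 are meant to prevent.
SAMPLE_BAD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return a list of problems; an empty list means the claims match the tables."""
    # Diagnostic only: this does not verify the assertion's signature.
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID (Unique User Identifier) is missing or empty")
    seen = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if attr.get("NameFormat"):
            problems.append(f"{name}: NameFormat present; 'Include attribute name format' should be Disabled")
        if "/" in name or ":" in name:
            problems.append(f"{name}: claim name carries a namespace; attributes should have none")
        value = attr.find("saml:AttributeValue", NS)
        seen[name] = (value.text or "").strip() if value is not None else ""
    for required in REQUIRED:
        if required not in seen:
            problems.append(f"{required}: attribute not present under this exact name")
        elif not seen[required]:
            problems.append(f"{required}: attribute is empty for this user")
    return problems

if __name__ == "__main__":
    print("\n".join(check_assertion(SAMPLE_BAD)) or "claims match")
```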

## Configure Honeycomb

Finally, configure SSO in Honeycomb using the Identity Provider settings you retrieved from your Identity Provider.

Microsoft Entra provides a metadata URL, which allows Honeycomb to fetch the settings it needs and update them automatically.

To automatically configure SSO in Honeycomb:

1. Switch to the browser tab that contains your Honeycomb Service Provider settings.
2. In Microsoft Entra, locate **App Federation Metadata Url** under the **SAML Certificates** section and copy it.
3. In Honeycomb, paste the **App Federation Metadata Url** you copied from your Identity Provider into **Identity Provider Metadata URL**.
4. Select **Convert to SAML SSO Team**.

You should see the SAML authentication flow begin.
If successful, your team should now be able to use SAML SSO to authenticate.

## Log in to Honeycomb using your Microsoft Entra ID/SAML SSO account

To learn how to log in when Microsoft Entra ID/SAML SSO is configured for your Team, visit [Log in with SAML SSO](/get-started/honeycomb/log-in-with-saml-sso/).

## Certificate rotation

When Honeycomb releases updated Service Provider certificates, you will see a warning notification in your team's SAML settings.
To update to the new certificate, see [SAML Certificate Rotation](/configure/teams/configure-access/saml-certificate-rotation/).

## Troubleshooting

To explore common issues when configuring access, visit [Common Issues with Configuring Honeycomb: Microsoft Entra ID SSO](/troubleshoot/common-issues/configuring-honeycomb/#microsoft-entra-id-sso).
