Follow the steps below to set up SAML Single Sign-On with Azure AD.
Field Abbreviations
More general information is on the upper-level PBX SAML Module page.
Field | Abbreviation |
SP Entity ID | Service Provider Entity ID (FreePBX is the service provider here; this is the Identifier in the Azure app) |
IdP Entity ID | Identity Provider Entity ID (Microsoft Azure AD is the identity provider here. This value is named Microsoft Entra Identifier in the Azure configuration.) |
SSO | Single Sign-On Login URL |
SLO | Single Logout URL |
IdP Certificate | Azure's X.509 certificate |
ACS | Assertion Consumer Service URL. There are unique ACS URLs for Admin, UCP and SCD login. Please refer to the Azure configuration steps for these URLs. |
Step-1 : Configure the Application in Azure AD
Go to Microsoft Azure
In the left-hand navigation menu, select Azure Active Directory.
Under Manage, click on Enterprise applications.
Navigate to: Enterprise applications
Click + New application
Choose Create your own application
Name your app (e.g., "My SAML App"), select Integrate any other application you don't find in the gallery, and click the Create button.
Step-2 : Configure Single Sign-On
After creation, go to the newly created app and select Set up single sign-on (click on Get started).
Choose SAML as the SSO method
Configure SAML with Azure
Click the Edit button for the Basic SAML Configuration and fill in the details as per your PBX setup.
Identifier (Entity ID): Enter a unique name to identify your PBX, such as PBX-SAML.
Reply URL (Assertion Consumer Service URL): This is where Azure AD will send the SAML authentication response. Below are the URL formats that need to be added as Reply URLs.
Admin panel - https://<your_pbx_ip_or_domain>/admin/ajax.php?module=pbxsaml&command=checkSAMLAdmin
User control panel - https://<your_pbx_ip_or_domain>/admin/ajax.php?module=pbxsaml&command=checkSAMLUCP
Sangoma Client Desktop - https://<your_pbx_ip_or_domain>/admin/ajax.php?module=pbxsaml&command=checkSAMLSCD
After filling in the above details, click the Save button to save the configuration.
Please refer to the screenshot below for an example of a correctly configured SAML application in Azure AD.
Note: Add multiple Reply URLs (one for Admin, one for UCP, and one for Sangoma Client Desktop) as mentioned in the formats above.
If your PBX web interface is configured to use a non-standard HTTPS port, you must include that port number in each ACS URL.
Step-3 : Retrieve and Apply Azure AD SAML Details to PBX
From the Single sign-on configuration page in Azure AD, you will need to copy specific values and apply them to your PBX SAML configuration.
Download Federation Metadata
Scroll down to the SAML Signing Certificate section.
Click Download next to Federation Metadata XML.
Save the XML file — you will need it for the X.509 Certificate and other configuration fields.
Open the XML file and extract the value of the X509Certificate element. You’ll use this in the PBX SAML configuration later.
Copy Required SAML Configuration Values
From the Set up [Your App Name] section:
Login URL:
Copy this value and paste it into the SSO field in the PBX SAML configuration.
Microsoft Entra Identifier:
Copy this value and paste it into the IdP Entity ID field in the PBX SAML configuration.
Logout URL:
Copy this value and paste it into the SLO (Single Logout URL) field in the PBX SAML configuration.
Ensure all values are copied exactly as shown in the Azure portal to avoid authentication issues.
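The Step-3 values can also be read straight from the downloaded Federation Metadata XML, which avoids copy errors. The Python below is an added example, not part of the original page or of the PBX SAML module; it assumes the standard SAML 2.0 metadata layout (signing key under IDPSSODescriptor, HTTP-Redirect endpoints), and the sample metadata, tenant ID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def pbx_fields_from_metadata(xml_data):
    """Return PBX field values (named as in the Field Abbreviations table)."""
    root = ET.fromstring(xml_data)  # for the real file pass open(path, "rb").read()
    # Metadata may hold several X509Certificate elements; use the IdP role's signing key.
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or not root.get("entityID"):
        raise ValueError("not a SAML IdP EntityDescriptor")

    def location(tag):
        for el in idp.findall("md:" + tag, NS):
            loc = el.get("Location", "")
            if el.get("Binding") == REDIRECT and loc.startswith("https://"):
                return loc
        raise ValueError("no HTTPS HTTP-Redirect endpoint for " + tag)

    cert_el = idp.find(CERT_PATH, NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("no signing certificate under IDPSSODescriptor")
    cert_b64 = "".join(cert_el.text.split())          # drop line breaks/indentation
    der = base64.b64decode(cert_b64, validate=True)   # raises on garbled base64
    return {
        "IdP Entity ID": root.get("entityID"),
        "SSO": location("SingleSignOnService"),
        "SLO": location("SingleLogoutService"),
        "IdP Certificate": cert_b64,
        # Record this to notice a changed certificate on a later download.
        "Certificate SHA-256": hashlib.sha256(der).hexdigest(),
    }

# Constructed sample: placeholder tenant ID and bytes that are not a real certificate.
SAMPLE_CERT = base64.b64encode(b"constructed bytes, not a real certificate").decode()
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}">
   <X509Data><X509Certificate>{SAMPLE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
 </IDPSSODescriptor></EntityDescriptor>"""
if __name__ == "__main__":
    for field, value in pbx_fields_from_metadata(SAMPLE).items():
        print(f"{field}: {value}")
```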