Federated domain

This guide provides step-by-step instructions for configuring Pointsharp IdP as a SAML 2.0 Identity Provider for Microsoft Entra domain federation. This enables users to sign in to Microsoft 365 and other Entra-secured resources using your on-premises directory via SAML.

Prerequisites

  • You have a working Pointsharp IdP installation.

  • You have administrative access to a Microsoft Entra tenant and custom domain.

  • You have access to configure LDAP user federation in Pointsharp IdP.

Follow each section in order to complete the SAML federation setup. The custom NameID mapper ensures the correct NameID format for Entra federation.

Import Microsoft Entra metadata and create SAML client

  1. Download the Microsoft Entra SAML metadata file from:

  2. Log in to the Pointsharp IdP Admin GUI as an administrator.

  3. In the left-hand menu, navigate to Clients.

  4. Click Import Client.

  5. In the import dialog, Browse and select the downloaded Microsoft Entra metadata XML file.

  6. Click Import.

  7. A new SAML client will be created automatically with the correct endpoints, EntityID, and ACS URL from the metadata.

  8. Click the newly created client in the list to review and adjust settings:

    • Go to the Settings tab.

    • Ensure the NameID format is set to persistent.

    • Ensure the SAML binding is set to HTTP-POST.

    • If not already present, upload the IdP signing certificate (used later for Entra configuration).

  9. Click Save to store the client configuration.

Add ObjectGUID to LDAP user federation

  1. In the Pointsharp IdP Admin GUI, go to User Federation and select your LDAP provider.

  2. Go to the Mappers tab.

  3. Click Add mapper and create a user attribute mapper:

    • Name: objectGUID

    • Mapper type: user-attribute-ldap-mapper

    • User Model Attribute: objectGUID

    • LDAP Attribute: objectGUID

    • Always Read Value From LDAP: Yes

  4. Save and synchronize users to ensure objectGUID is available on user objects.

Configure the Pointsharp Entra ID NameID mapper

In the Pointsharp IdP Admin GUI, add the Pointsharp Entra ID NameID Mapper to your SAML client configuration:

  1. In the SAML client for Entra, go to the Mappers tab.

  2. Add a new mapper:

    • Mapper Type: Pointsharp User Attribute Mapper for Entra ID

    • User Attribute: objectGUID

    • NameID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  3. Save the mapper. This will set the SAML NameID to the base64-encoded objectGUID as required by Entra.
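The encoding the mapper applies can be reproduced outside Pointsharp IdP to predict the NameID a given user will send. The following PowerShell is an added example, not the mapper's own code: it Base64-encodes the 16 raw bytes of an objectGUID exactly as Entra stores them in a user's OnPremisesImmutableId, and decodes a NameID back to a GUID. The sample GUID and the commented Get-MgUser call (with the user name user@yourdomain.com and the User.Read.All scope) are assumptions for illustration.

```powershell
# Added example (not Pointsharp's mapper code): the objectGUID -> NameID encoding
# that the Pointsharp Entra ID NameID mapper performs, in both directions.
function ConvertTo-EntraNameId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # AD exposes objectGUID as 16 raw bytes. [guid]::ToByteArray() returns those
    # same bytes (mixed-endian layout), so their Base64 form is the value Entra
    # stores as OnPremisesImmutableId and expects in the SAML NameID.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-EntraNameId {
    param([Parameter(Mandatory)][string]$NameId)
    # Reverse direction: handy when reading a NameID out of a captured SAML response.
    $bytes = [Convert]::FromBase64String($NameId)
    if ($bytes.Length -ne 16) {
        throw "NameID decodes to $($bytes.Length) bytes, not 16: the mapper is not emitting objectGUID"
    }
    [guid]::new($bytes)
}

# Constructed sample GUID (not a real directory object). With the ActiveDirectory
# module a real one comes from (Get-ADUser <sAMAccountName>).ObjectGUID.
$sampleGuid = [guid]'3f2504e0-4f89-11d3-9a0c-0305e82c3301'
$expectedNameId = ConvertTo-EntraNameId -ObjectGuid $sampleGuid
"objectGUID    : $sampleGuid"
"SAML NameID   : $expectedNameId"
"Decoded again : $(ConvertFrom-EntraNameId -NameId $expectedNameId)"

# Optional live check against the tenant. Assumes Connect-MgGraph -Scopes 'User.Read.All'
# has run and that the UPN exists (both assumptions, not values from this guide):
# $u = Get-MgUser -UserId 'user@yourdomain.com' -Property OnPremisesImmutableId
# if ($u.OnPremisesImmutableId -ne $expectedNameId) {
#     Write-Warning 'OnPremisesImmutableId does not match the NameID; federated sign-in will fail'
# }
```

If the live comparison reports a mismatch, the user object in Entra was provisioned with a different source anchor than objectGUID; that must be corrected on the Entra side (or the mapper must emit the attribute Entra actually holds) before sign-in can succeed.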

Add required SAML attributes

  1. In the SAML client, add an attribute mapper for UPN:

    • Name: IDPEmail

    • Mapper type: User Attribute

    • User Attribute: mail or userPrincipalName (as appropriate)

    • SAML Attribute Name: IDPEmail

  2. Save the mapper.

Export the IdP Signing Certificate (idp-signing.cer)

To configure Microsoft Entra federation, you need the IdP signing certificate in Base64-encoded (CER) format. Follow these steps to extract it from Pointsharp IdP:

  1. Log in to the Pointsharp IdP Admin GUI as an administrator.

  2. In the left-hand menu, navigate to Realm Settings.

  3. Go to the Keys tab.

  4. Locate the active signing key used for SAML assertions (marked as "SIG").

  5. Click Certificate next to the signing key.

  6. Download the certificate in X.509 PEM or Base64 (.cer) format. If the certificate is in PEM format (-----BEGIN CERTIFICATE----- …), you can rename the file extension to .cer or use it as-is for the PowerShell import.

  7. Save the file as idp-signing.cer and transfer it to the machine where you will run the PowerShell configuration for Entra federation.

You will use this certificate file in the PowerShell steps to configure the federated domain.

Configure Entra ID domain federation

  1. In PowerShell, connect to Microsoft Graph with a scope that allows writing domain federation settings:

    Connect-MgGraph -Scopes "Domain.ReadWrite.All"

  2. Configure the domain for SAML federation (replace the placeholder values with your own):

    # Federated domain and the endpoints/EntityID of the Pointsharp IdP SAML client
    $Domain = "yourdomain.com"
    $LogOnUrl = "https://<idp-fqdn>/realms/<realm>/protocol/saml"
    $LogOffUrl = "https://<idp-fqdn>/realms/<realm>/protocol/saml/logout"
    $MyUri = "<EntityID from IdP>"
    # Load the exported idp-signing.cer and pass its DER bytes to Entra as Base64
    $idptokensigningcert = [System.Security.Cryptography.X509Certificates.X509Certificate2]("C:\temp\idp-signing.cer")
    $MySigningCert = [System.Convert]::ToBase64String($idptokensigningcert.RawData)
    $Protocol = "saml"
    New-MgDomainFederationConfiguration `
    -DomainId $Domain `
    -PassiveSignInUri $LogOnUrl `
    -PreferredAuthenticationProtocol $Protocol `
    -SignOutUri $LogOffUrl `
    -IssuerUri $MyUri `
    -SigningCertificate $MySigningCert

Verification and troubleshooting

  • Test sign-in to Microsoft 365 or Entra-secured resources using a federated user.

  • If login fails:

    • Check SAML response for correct NameID and IDPEmail values

    • Ensure the IdP signing certificate matches what is configured in Entra

    • Verify time synchronization between IdP and Entra

    • Review logs in both Pointsharp IdP and Entra

  • Use the Microsoft Connectivity Analyzer to test SAML federation.
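The checks in the list above, as an added troubleshooting script that is not part of this guide or of Pointsharp IdP: it parses a decoded SAMLResponse for the NameID, its format, the IDPEmail attribute and the assertion validity window (where a clock offset between IdP and Entra shows up), and compares the exported idp-signing.cer with the certificate registered on the federated domain. The sample response, the IdP URL https://idp.example.com/realms/corp, the GUID-derived NameID and the user name are constructed; the Get-MgDomainFederationConfiguration call is shown commented out because it needs a live Graph session.

```powershell
# Added troubleshooting helpers (not part of this guide or of Pointsharp IdP).
function Test-EntraSamlResponse {
    param(
        [Parameter(Mandatory)][string]$ResponseXml,      # decoded SAMLResponse XML text
        [Parameter(Mandatory)][string]$ExpectedNameId,   # Base64 objectGUID = OnPremisesImmutableId
        [Parameter(Mandatory)][string]$ExpectedIdpEmail, # UPN Entra will look up
        [datetime]$Now = [datetime]::UtcNow
    )
    $doc = [xml]$ResponseXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $findings = @()

    # 1. NameID: must be persistent and equal to the Base64 objectGUID Entra holds
    $nameId = $doc.SelectSingleNode('//saml:Assertion/saml:Subject/saml:NameID', $ns)
    if ($null -eq $nameId) {
        $findings += 'No NameID in the assertion'
    } else {
        $fmt = $nameId.GetAttribute('Format')
        if ($fmt -ne 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent') {
            $findings += "NameID format is '$fmt', expected persistent"
        }
        if ($nameId.InnerText -ne $ExpectedNameId) {
            $findings += "NameID '$($nameId.InnerText)' differs from the user's ImmutableId '$ExpectedNameId'"
        }
    }

    # 2. IDPEmail attribute: must be present and match the UPN
    $mail = $doc.SelectSingleNode("//saml:AttributeStatement/saml:Attribute[@Name='IDPEmail']/saml:AttributeValue", $ns)
    if ($null -eq $mail) {
        $findings += 'IDPEmail attribute is missing'
    } elseif ($mail.InnerText -ne $ExpectedIdpEmail) {
        $findings += "IDPEmail is '$($mail.InnerText)', expected '$ExpectedIdpEmail'"
    }

    # 3. Validity window: evaluated against $Now, so an IdP clock offset is visible
    $cond = $doc.SelectSingleNode('//saml:Assertion/saml:Conditions', $ns)
    if ($null -ne $cond) {
        $utc = [System.Xml.XmlDateTimeSerializationMode]::Utc
        $notBefore    = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotBefore'), $utc)
        $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotOnOrAfter'), $utc)
        if ($Now -lt $notBefore -or $Now -ge $notOnOrAfter) {
            $findings += "Assertion valid $notBefore to $notOnOrAfter but evaluated at $Now; check time synchronization"
        }
    }
    if ($findings.Count -eq 0) { 'OK: NameID, IDPEmail and validity window look correct' } else { $findings }
}

function Test-FederationSigningCert {
    param(
        [Parameter(Mandatory)][string]$LocalCerPath,        # idp-signing.cer exported earlier
        [Parameter(Mandatory)][string]$RegisteredCertBase64 # SigningCertificate on the domain
    )
    $t = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $local      = $t::new($LocalCerPath)
    $registered = $t::new([Convert]::FromBase64String($RegisteredCertBase64))
    [pscustomobject]@{
        LocalThumbprint      = $local.Thumbprint
        RegisteredThumbprint = $registered.Thumbprint
        Match                = ($local.Thumbprint -eq $registered.Thumbprint)
        LocalExpires         = $local.NotAfter
    }
}

# Constructed sample response (unsigned, trimmed to the elements checked above).
$sampleResponse = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
                Destination="https://login.microsoftonline.com/login.srf">
  <saml:Issuer>https://idp.example.com/realms/corp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/realms/corp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">4AQlP4lP0xGaDAMF6CwzAQ==</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPEmail">
        <saml:AttributeValue>user@yourdomain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@

# A real SAMLResponse arrives Base64-encoded in the POST body; decode it first:
#   $xml = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($samlResponseParam))
Test-EntraSamlResponse -ResponseXml $sampleResponse `
    -ExpectedNameId '4AQlP4lP0xGaDAMF6CwzAQ==' -ExpectedIdpEmail 'user@yourdomain.com' `
    -Now ([datetime]::new(2024, 5, 1, 10, 1, 0, [DateTimeKind]::Utc))

# Live certificate comparison (needs Connect-MgGraph -Scopes 'Domain.Read.All'; assumed values):
# $cfg = Get-MgDomainFederationConfiguration -DomainId 'yourdomain.com'
# Test-FederationSigningCert -LocalCerPath 'C:\temp\idp-signing.cer' -RegisteredCertBase64 $cfg.SigningCertificate
```

Run Test-EntraSamlResponse against a response captured from a failing sign-in with the ExpectedNameId taken from the user's OnPremisesImmutableId; a single finding usually points at the misconfigured section of this guide (mapper, attribute, or clock). A Match of False from Test-FederationSigningCert means the certificate on the domain is stale and the New-MgDomainFederationConfiguration step must be repeated with the current idp-signing.cer.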