What is Microsoft SSO?
Microsoft Single Sign-On allows users in your organization to log in to Dema using their existing Microsoft credentials. This is configured through a SAML connection with Microsoft Entra ID (formerly Azure Active Directory), enabling centralized access management and enhanced security.
Prerequisites
Before setting up Microsoft SSO, make sure:
- You have admin access in Dema.
- Someone from your IT department has access to your organization’s Microsoft Entra ID (Azure portal).
- You have identified the email domains that should require SSO login (e.g. yourcompany.com).
How the setup works
Configuring Microsoft SSO is a two-way exchange between your organization and Dema. Your IT team provides a set of values from Microsoft Entra ID, and in return receives a set of values from Dema to complete the configuration.
Your IT team needs to supply the following values from Microsoft Entra ID:
| Field | Description |
|---|---|
| Login URL | The URL where users are redirected to authenticate. Found in the Entra ID enterprise application under Single sign-on → SAML. |
| Microsoft Entra Identifier | A unique identifier for your Entra ID tenant, used to verify the identity provider. Also referred to as the Entity ID on the Microsoft side. |
| SSO domains | The list of email domains that should require the SSO connection (e.g. yourcompany.com, subsidiary.com). Users with these domains will be directed to Microsoft login. |
These values are available in the Microsoft Entra admin center under Enterprise applications → Your application → Single sign-on.
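Before sending the three values, your IT team can check that they are consistent with each other. The following is an added example, not tooling from Dema or Microsoft; the function names are hypothetical, and it assumes the global Azure cloud URL shapes `https://login.microsoftonline.com/<tenant-id>/saml2` (Login URL) and `https://sts.windows.net/<tenant-id>/` (Microsoft Entra Identifier).

```python
import re
from urllib.parse import urlsplit

# Assumption: global Azure cloud hostnames; sovereign clouds use different ones.
LOGIN_HOST = "login.microsoftonline.com"
ISSUER_HOST = "sts.windows.net"
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
DOMAIN = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def _tenant(url, host, path_pattern):
    """Return the tenant GUID if url is exactly https://<host><path>, else None."""
    parts = urlsplit(url.strip())
    # Comparing netloc (not hostname) also rejects userinfo and explicit ports.
    if parts.scheme != "https" or parts.netloc.lower() != host or parts.query or parts.fragment:
        return None
    m = re.fullmatch(path_pattern, parts.path)
    return m.group(1).lower() if m else None


def check_sso_values(login_url, entra_identifier, sso_domains):
    """Return a list of problems in the values to send; an empty list means consistent."""
    problems = []
    login_tenant = _tenant(login_url, LOGIN_HOST, rf"/({GUID})/saml2/?")
    issuer_tenant = _tenant(entra_identifier, ISSUER_HOST, rf"/({GUID})/?")
    if login_tenant is None:
        problems.append("Login URL is not an https Entra SAML endpoint")
    if issuer_tenant is None:
        problems.append("Microsoft Entra Identifier is not an https sts.windows.net issuer")
    if login_tenant and issuer_tenant and login_tenant != issuer_tenant:
        problems.append("Login URL and Entra Identifier belong to different tenants")
    seen = set()
    for raw in sso_domains:
        d = raw.strip().lower()
        if not DOMAIN.fullmatch(d):
            problems.append(f"SSO domain is not a bare DNS name: {raw!r}")
        elif d in seen:
            problems.append(f"SSO domain listed twice: {d}")
        seen.add(d)
    return problems


if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"  # constructed sample tenant ID
    print(check_sso_values(f"https://{LOGIN_HOST}/{tenant}/saml2",
                           f"https://{ISSUER_HOST}/{tenant}/",
                           ["yourcompany.com", "@subsidiary.com"]))
```

A tenant mismatch usually means the Login URL and the identifier were copied from two different enterprise applications or directories.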
Step 2: Receive configuration values from Dema
Once Dema receives your information, we will provide the following values that your IT team needs to enter in Microsoft Entra ID:
| Field | Where to enter in Entra ID |
|---|---|
| Reply URL (Assertion Consumer Service URL) | Under Basic SAML Configuration → Reply URL. This is the endpoint Dema uses to receive the SAML response. |
| Identifier (Entity ID) | Under Basic SAML Configuration → Identifier. This identifies Dema as the service provider. |
| Metadata URL | Can be used to auto-populate the SAML configuration on the Microsoft side. |
Both sides must complete their configuration for SSO to work. Users will not be able to log in via Microsoft until the setup is finalized on both ends.
Step 3: Verify the connection
After both sides have completed the configuration:
- A user with an SSO-enforced domain navigates to the Dema login page.
- They are automatically redirected to the Microsoft login screen.
- After authenticating with Microsoft, they are returned to Dema and logged in.
We recommend testing with a single user before rolling out SSO to your entire organization.
Frequently asked questions
Can users still log in with email and password after SSO is enabled?
Users whose email domain is included in the SSO domains list will be required to authenticate through Microsoft. Other users in your organization can continue using email and password.
Do users need to be invited to Dema first?
Yes. Users must be invited to your Dema organization before they can log in via SSO. Admins can invite users from Settings → Members → Invite Member.
How long does the setup take?
The setup itself takes only a few minutes on each side. The main requirement is coordination between your IT team and Dema to exchange the configuration values.
Can we use Microsoft SSO alongside Google SSO?
Yes. Different users within the same organization can use different SSO providers depending on their email domain configuration.