What is Microsoft SSO?

Microsoft Single Sign-On allows users in your organization to log in to Dema using their existing Microsoft credentials. This is configured through a SAML connection with Microsoft Entra ID (formerly Azure Active Directory), enabling centralized access management and enhanced security.

Prerequisites

Before setting up Microsoft SSO, make sure:
  • You have admin access in Dema.
  • Someone from your IT department has access to your organization’s Microsoft Azure portal.
  • You have identified the email domains that should require SSO login (e.g. yourcompany.com).

How the setup works

Configuring Microsoft SSO is a coordinated process between your IT team and Dema. Dema provides a set of SAML values that your IT team enters into Microsoft Entra ID. Once configured, your IT team shares back a metadata URL to complete the connection.

Step 1: Receive SAML values from Dema

Contact your Dema representative to initiate the SSO setup. Provide the email domains that should require SSO (e.g. yourcompany.com). Dema will respond with two values that your IT team needs for the Microsoft configuration:

| Field | Description |
| --- | --- |
| Reply URL (Assertion Consumer Service URL) | The endpoint where Microsoft sends the SAML response after a user authenticates. |
| Identifier (Entity ID) | A unique identifier that tells Microsoft which service provider the SAML connection is for. |

Keep these values ready since they are needed in Step 4 below.

Step 2: Create an enterprise application in Microsoft

Your IT team performs the following steps in the Microsoft Azure portal:
  1. Sign in to the Microsoft Azure portal.
  2. Navigate to Enterprise applications (found under the Azure Services section, or under All services → Identity).
  3. Select New application.
  4. Select Create your own application.
  5. Enter a name for the application (e.g. your company name or “Dema SSO”).
  6. Choose Integrate any other application you don’t find in the gallery (Non-gallery).
  7. Select Create.

Step 3: Assign users or groups

Before users can authenticate via SSO, they must be assigned to the enterprise application:
  1. In the enterprise application’s Getting Started section, select Assign users and groups.
  2. Select Add user/group.
  3. Search for and select the users or groups who should have access.
  4. Select Assign.
You can assign individual users or entire groups. For detailed instructions on group assignment, refer to Microsoft’s documentation.

Step 4: Configure SAML settings

  1. In the application’s sidebar, open Manage and select Single sign-on.
  2. Choose SAML as the sign-on method.
  3. In the Basic SAML Configuration section, select Edit.
  4. Enter the values provided by Dema:
    • Identifier (Entity ID) — paste the Identifier value from Step 1.
    • Reply URL (Assertion Consumer Service URL) — paste the Reply URL value from Step 1.
  5. Select Save and close the panel.

Step 5: Verify attribute mappings

On the same Set up Single Sign-On with SAML page, find the Attributes & Claims section and verify the following mappings are present:

| Attribute | Claim name | Expected value |
| --- | --- | --- |
| Email address (required) | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail |
| First name (optional) | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.givenname |
| Last name (optional) | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.surname |

These are the default attribute mappings and typically do not require changes. However, incorrect attribute mappings are a common source of SAML configuration errors, so it is worth verifying.

Step 6: Share the metadata URL with Dema

  1. On the Set up Single Sign-On with SAML page, find the SAML Certificates section.
  2. Copy the App Federation Metadata Url.
  3. Send this URL to your Dema representative.
This is the final piece of information needed to complete the SSO connection on Dema’s side.
Both sides must complete their configuration for SSO to work. Users will not be able to log in via Microsoft until Dema has processed the metadata URL and enabled the connection.

Step 7: Verify the connection

After Dema confirms the connection is active:
  1. A user with an SSO-enforced email domain navigates to the Dema login page.
  2. They are automatically redirected to the Microsoft login screen.
  3. After authenticating with Microsoft, they are returned to Dema and logged in.
We recommend testing with a single user before rolling out SSO to your entire organization.
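
During the single-user test, the Step 5 mappings can also be confirmed from the assertion itself rather than only from the portal. The script below is an added example, not Dema's or Microsoft's code: it assumes you have saved the decoded SAML assertion XML from your own test login, and `check_claims`, the sample assertions and the user names in them are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Claim names from the Step 5 table; True marks the required one.
EXPECTED = {CLAIMS + "emailaddress": True, CLAIMS + "givenname": False,
            CLAIMS + "surname": False}


def check_claims(assertion_xml, sso_domains):
    """Return (errors, warnings) for one decoded SAML assertion.

    Checks claim presence only. It does not validate the signature, so it is
    a setup aid for a test capture, not an authentication check.
    """
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        found[attr.get("Name")] = values
    errors, warnings = [], []
    for name, required in EXPECTED.items():
        if not found.get(name):
            (errors if required else warnings).append("missing or empty: " + name)
    # Assumption: the test user's address should fall in a domain from Step 1.
    for email in found.get(CLAIMS + "emailaddress", []):
        domain = email.rpartition("@")[2].lower()
        if domain not in sso_domains:
            warnings.append("email domain not in SSO list: " + domain)
    return errors, warnings


def _assertion(attrs):
    """Build a constructed, unsigned sample assertion for the demo below."""
    body = "".join(
        f'<Attribute Name="{CLAIMS}{n}"><AttributeValue>{v}</AttributeValue></Attribute>'
        for n, v in attrs.items())
    return (f'<Assertion xmlns="{NS["saml"]}"><AttributeStatement>'
            f'{body}</AttributeStatement></Assertion>')


# Constructed samples: a complete assertion and one with no email claim.
GOOD = _assertion({"emailaddress": "ada@yourcompany.com", "givenname": "Ada",
                   "surname": "Byron"})
NO_MAIL = _assertion({"givenname": "Ada", "surname": "Byron"})

if __name__ == "__main__":
    for label, xml in (("good", GOOD), ("no mail", NO_MAIL)):
        print(label, check_claims(xml, {"yourcompany.com"}))
```

An entry in `errors` means the required email address claim is absent or empty, which is the mapping to fix in Attributes & Claims before rolling out to more users.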

Frequently asked questions

Can users still log in with email and password after SSO is enabled?

Users whose email domain is included in the SSO domains list will be required to authenticate through Microsoft. Other users in your organization can continue using email and password.

Do users need to be invited to Dema first?

Yes. Users must be invited to your Dema organization before they can log in via SSO. Admins can invite users from Settings → Members → Invite Member.

How long does the setup take?

The technical configuration takes only a few minutes on each side. The main requirement is coordination between your IT team and Dema to exchange the configuration values.

Can we use Microsoft SSO alongside Google SSO?

Yes. Different users within the same organization can use different SSO providers depending on their email domain configuration.