Minimum Software Version8.18.10
Solution(s)Cases International Cases US Institutions Counsel

This article explains how to configure Microsoft Entra ID (formerly Azure AD) as an Identity Provider (IdP) to enable SAML‑based Single Sign On (SSO) with the Opus 2 platform.


Opus 2 supports SAML 2.0 authentication using Microsoft Entra ID. To enable Single Sign On, an Enterprise Application must be created in Microsoft Entra and configured with the correct SAML values, claims, and identifiers supplied by Opus 2.

These instructions act as a reference guide only. Administrators should also consult Microsoft’s official documentation for additional details and security considerations.

Create the Application with SAML

  1. In the Microsoft Entra (Azure) Admin Center, create a new Enterprise Application.
  2. Select SAML as the authentication method.
  3. The Set up Single Sign-On with SAML page will be displayed. 

Note: SAML configuration requires the application to support SAML 2.0.

Configure Basic SAML Configuration

  1. Navigate to Basic SAML Configuration.
  2. Select the Edit (pencil) icon.
  3. Populate the following fields using the values provided by Opus 2:
    • Identifier (Entity ID)
    • Reply URL (Assertion Consumer Service – ACS)
  4. Save the changes. 

Example:
Enter the Opus 2‑provided Entity ID and Reply URL exactly as supplied to ensure successful authentication.

Configure User Attributes and Claims

Opus 2 requires specific claims to be released during authentication.

  1. In the User Attributes & Claims section, select Edit.
  2. Configure the attributes as follows:

Name Identifier

  • Value: user.userprincipalname
  • Format: emailAddress

Additional Claims

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressuser.mail
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameuser.surname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameuser.givenname
  1. Save the configuration.
    ParameterValue
    Name Identifier Valueuser.userprincipalname [nameid-format:emailAddress]
    ParameterValue
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressuser.mail
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameuser.surname
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname user.givenname

Example:
Ensure both first name and last name claims are included so Opus 2 can correctly create and identify user accounts.

Provide Federation Metadata and Login URL

On the Set up Single Sign-On with SAML page:

  1. Copy the App Federation Metadata URL.
  2. Copy the Login URL.
  3. Provide both values to Opus 2 Platform Support or your Opus 2 contact.

Once these URLs are supplied, the Opus 2 SSO configuration is complete.

Assign Users and Groups (Optional)

By default, Microsoft Entra only allows authentication for users or groups explicitly assigned to the application.

To assign users or groups:

  1. In the application sidebar, select Users and Groups.
  2. Click Add user/group.
  3. Select Users and Groups.
  4. Choose the user(s) or group(s) to be assigned.
  5. Click Assign.Application users and groups 

The selected users or groups will now be authorized to sign in using SSO.

Example:
Assign a security group containing litigation team members to restrict SSO access to approved users only.


After completing the Microsoft Entra configuration, test SSO with a pilot user to confirm successful authentication. If you require validation, troubleshooting, or your configuration differs from this guide, contact Opus 2 Platform Support for assistance.