Microsoft Entra (SAML 2.0)
This topic describes how to configure single sign-on (SSO) with Microsoft Entra using the SAML 2.0 protocol.
In this guide, Zilliz Cloud acts as the Service Provider (SP) and Microsoft Entra acts as the Identity Provider (IdP). The following digram illustrates the necessary steps in Zilliz Cloud and Microsoft Entra admin center.
Before you start
-
Your Zilliz Cloud organization has at least one Dedicated (Enterprise) cluster.
-
You have access to the Microsoft Entra admin center. For more information, refer to Microsoft Entra documentation.
-
You are the Organization Owner in the Zilliz Cloud organization where SSO is to be configured.
Configuration steps
Step 1: Access SP details in Zilliz Cloud console
As the SP, Zilliz Cloud provides the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) required when setting up your SAML application in Microsoft Entra.
-
Log in to the Zilliz Cloud console and go to the organization for which you want to configure SSO.
-
In the left-side navigation pane, click Settings.
-
On the Settings page, find the Single Sign-On (SSO) section and click Configure.
-
In the dialog box that appears, choose Microsoft Entra (SAML 2.0) as your IdP and protocol.
-
In the Service Provider Details card, copy your Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL). These values will be required in Step 2 when setting up an application in Microsoft Entra admin center.
-
Once that's done, proceed to Step 2.
Step 2: Set up an application in Microsoft Entra admin center
In this step, you configure Microsoft Entra (the IdP) with the SP details obtained from Zilliz Cloud.
-
Log in to the Microsoft Entra admin center.
-
In the left-side navigation pane, click Enterprise apps.
-
On the page that appears, click New application. Then, click Create your own application.
-
In the Create your own application panel, set the application name to zilliz and select the Integrate any other application you don't find in the gallery (Non-gallery) option.
-
Then, Click Create. Once that's done, your application is created and you will be redirected to the application details page.
-
On the application details page, choose Single sign-on > SAML.
-
In the Basic SAML Configuration section, click Edit.
-
In the Identifier (Entity ID) area, click Add identifier. Then, paste Identifier (Entity ID) you copied from Zilliz Cloud console in Step 1 to the text box.
-
In the Reply URL (Assertion Consumer Service URL) area, click Add reply URL. Then, paste the Reply URL (Assertion Consumer Service URL) you copied from Zilliz Cloud console in Step 1 to the text box.
-
Click Save.
-
Once that's done, go back to the Single sign-on panel of the created application and copy the App Federation Metadata Url. It will be required in Zilliz Cloud console in Step 3.
📘NotesAlternatively, get the following details:
Step 3: Configure IdP settings in Zilliz Cloud console
In this step, you provide Microsoft Entra’s IdP details back to Zilliz Cloud to complete the SAML trust relationship.
-
Go back to the Zilliz Cloud console.
-
In the Identity Provider Details card of the Configure Single Sign-On (SSO) dialog box, paste the App Federation Metadata URL you copied from Microsoft Entra admin center in Step 2.
📘NotesAlternatively, if you select the Manual mode for IdP detail configuration, configure:
Login URL: Paste the Login URL you copied from Microsoft Entra admin center in Step 2 here.
Certificate (Base64): Upload the certificate you downloaded from Microsoft Entra admin center in Step 2 here. Make sure the entire certificate content, including the lines beginning with
-----BEGIN CERTIFICATE-----and ending with-----END CERTIFICATE-----, is provided.
-
Once that's done, click Save.
Post-configuration tasks
Task 1: Assign Microsoft Entra application to users
Before users can access Zilliz Cloud through SSO, you need to assign the Microsoft Entra application to them:
-
On the application page of the Microsoft Entra admin center, choose Users and groups > + Add user/group.
-
Select users or groups to grant them access to the application.
For details, refer to Microsoft Entra documentation.
Task 2: Invite users to your project
When users log in to Zilliz Cloud via SSO for the first time, they are registered as an Organization Member but have no access to any project by default.
-
The Organization Owner must invite them into the appropriate projects.
-
For step-by-step instructions on how to invite users to a project, refer to Manage Project Users.
After being invited to a project, the Organization Owner can share the Zilliz Cloud login URL with enterprise users so they can sign in through SSO.
If you encounter any issues during the setup or testing process, contact Zilliz support.
FAQ
What role is assigned to users who log in via SSO for the first time?
New users who do not already have a Zilliz Cloud account will be automatically created upon their first SSO login. These users are assigned the Organization Member role by default. You can modify their roles later in the Zilliz Cloud console. For detailed steps, refer to Manage Project Users.
How do users access projects after SSO login?
After logging in via SSO, users will have Organization Member role by default. To access specific projects, an Organization Owner or Project Admin must invite them to projects. For detailed steps, see Manage Project Users.
What happens if a user already has a Zilliz Cloud account before logging in with SSO?
If the user already exists in your Zilliz Cloud organization (based on their email), they will retain their original role and permissions when logging in via SSO. The system matches users by email address and does not overwrite existing accounts.
Can I configure multiple SSO providers for the same organization?
Currently, each Zilliz Cloud organization supports only one active SAML SSO configuration at a time.