Microsoft Entra Single Sign-On (SSO) provides secure, centralized authentication for applications using SAML 2.0. This allows UGA users to access multiple applications with one set of credentials and ArchPass-powered Multi-Factor Authentication (MFA).
SSO Integration Options
There are two ways to enable SSO in Microsoft Entra: Enterprise Applications and App Registrations.
Enterprise Applications represent existing apps (often SaaS or third-party) that you want to integrate with Microsoft Entra for authentication.
- When to use:
  - You are configuring SSO for a vendor-provided or gallery app (e.g., Salesforce, ServiceNow).
- Supported protocol:
  - SAML 2.0 – XML-based standard for exchanging authentication and authorization data.
- Key actions:
  - Select the app from the gallery or create a non-gallery app.
  - Configure SAML settings (Entity ID, ACS URL, and certificate).
  - Assign users and groups for access.
For more information, visit Microsoft's documentation on Enabling SAML single sign-on for an enterprise application.
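An added example (not UGA's or Microsoft's code) of collecting the Entity ID and ACS URL for the SAML settings step from a vendor's service-provider metadata, flagging ACS endpoints that are not HTTPS or do not use the HTTP-POST binding. It assumes the vendor supplies standard SAML 2.0 metadata; the sample metadata, the example.com hosts and the function name `read_sp_metadata` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata (hypothetical vendor on example.com).
SAMPLE = """<md:EntityDescriptor entityID="https://app.example.com/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://legacy.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def read_sp_metadata(xml_text):
    """Return Entity ID, usable ACS URLs and findings from SP metadata."""
    # Metadata comes from a third party: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")
    out = {"entity_id": root.get("entityID"), "acs_urls": [], "findings": []}
    if not out["entity_id"]:
        out["findings"].append("entityID attribute is missing")
    for acs in sp.findall("md:AssertionConsumerService", NS):
        url = acs.get("Location", "")
        if acs.get("Binding") != POST:
            out["findings"].append(f"{url}: binding is not HTTP-POST")
        elif urlparse(url).scheme != "https":
            # The signed assertion reaches this URL through the browser.
            out["findings"].append(f"{url}: ACS URL is not HTTPS")
        else:
            out["acs_urls"].append(url)
    out["has_cert"] = sp.find(".//ds:X509Certificate", NS) is not None
    return out
```
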
App Registrations represent new or custom applications that you want to integrate with Microsoft Entra for authentication.
- When to use:
  - You are building or onboarding a custom app that requires SAML-based authentication.
- Supported protocol:
  - SAML 2.0 – Ideal for web-based apps requiring federation.
- Key actions:
  - Register the app in Microsoft Entra.
  - Configure SAML settings (redirect URIs, token claims).
  - Assign users and groups for access.
Microsoft Documentation for Custom applications: Configure OIDC SSO for gallery and custom applications
Adding ArchPass MFA to Your Application
At UGA, ArchPass powered by Duo is enforced through Microsoft Entra Conditional Access policies, not by configuring Duo directly in the app.
Here are the steps for enabling ArchPass MFA on your app.
- Complete SAML Integration
  - Configure your app as an Enterprise Application or App Registration in Microsoft Entra.
- Check Existing Conditional Access Policies
  - UGA enforces MFA for all users and apps through a tenant-wide policy.
- Verify ArchPass Enforcement
  - When users sign in to the app, they will be prompted for MFA using ArchPass powered by Duo.