1. Docs
  2. Pulumi Cloud
  3. Identity & access management
  4. SAML(SSO)
  5. Microsoft Entra ID

SAML: Configuring Microsoft Entra ID

    This guide walks you through configuring Microsoft Entra ID as a SAML SSO identity provider (IDP) for the Pulumi Cloud.

    Prerequisites

    Configuring Microsoft Entra ID

    Add an application to your Entra ID tenant

    1. In the Azure portal, on the left navigation panel, select Microsoft Entra ID.

    2. Select Add then in the dropdown, select Enterprise application. It will take you to the Microsoft Entra Gallery.

      New application

    3. Select Create your own application and in the Create your own application panel, enter Pulumi Cloud as the application name. Make sure the Non-gallery option is selected, then select Create.

      Non-gallery application

    4. In the new Pulumi Cloud application, navigate to the Single sign-on section, and select SAML.

      Single sign-on settings

    5. Select the Edit icon on the Basic SAML Configuration panel.

      SAML configuration

    Enter Pulumi configuration into your Entra ID application

    The values you need to use are dependent upon your Pulumi organization name. Be sure to replace acmecorp with your actual organization name.

    SAML SettingValue
    Identifier (Entity ID)https://api.pulumi.com/login/<acmecorp>/sso/saml/metadata
    Reply URLhttps://api.pulumi.com/login/<acmecorp>/sso/saml/acs
    Relay Statehttps://api.pulumi.com/login/<acmecorp>/sso

    Edited SAML configuration

    Configure the name identifier format

    1. Select the Edit icon on the Attributes & Claims panel.

      User Attributes & Claims Panel

    2. Then, select Unique User Identifier (Name ID) under Required claim.

      User Attributes & Claims

    3. In the Manage User Claims panel, expand Choose name identifier format and select Email address.

      Manage Name Identifier Format

    4. Finally, select Save at the bottom of the Manage User Claims panel.

    Important: Do not change the value of Name ID Format value once your users have started using Pulumi—not even switching its value between Email or Persistent.
    Note: Be sure to assign users and groups to use your new Pulumi Cloud SAML application. That is how you can control membership access to your Pulumi organization. See the Entra ID documentation for more information.

    Now that the Entra ID side of the SAML SSO configuration is complete, you will need to configure the Pulumi Cloud to receive SAML SSO requests from your Entra ID application.

    Configuring Your Pulumi Organization

    To configure your Pulumi organization to accept SAML SSO requests from Entra ID, you will need to download the SAML application’s configuration data and then pass that to Pulumi.

    1. Back on the Entra ID application’s settings page, select the SAML Certificates panel. Then select Download next to Federated Metadata XML and save the resulting file.

      Download XML

    2. Sign into the Pulumi Cloud and navigate to your SAML organization. Navigate to the Settings tab and then select Access Management.

    3. Select the Change Requirements button and then SAML SSO.

    4. Open up the XML document you downloaded from the Entra ID portal, and paste its full contents into the text box.

      Provide the XML IDP descriptor

    5. Select Apply changes.

    Signing into Pulumi using Entra ID

    Once your Entra ID application is created, and its configuration data passed to Pulumi, you can now sign in to the Pulumi Cloud using your SAML SSO credentials.

    Navigate to https://app.pulumi.com/signin/sso/ and enter the name of your Pulumi organization. If everything is configured correctly, you should be prompted to sign in to your Entra ID instance, and then immediately be redirected back to the Pulumi Cloud.

    Pulumi Cloud

    Troubleshooting

    If you have any trouble configuring Entra ID, signing into Pulumi, or need additional assistance, please contact support.

      Platform Engineering Workshop Series - Register Now