Overview
Optimal supports the SAML 2.0 protocol, which is fully compatible with Microsoft Entra ID (formerly Azure Active Directory). The setup uses Entra ID's standard non-gallery enterprise application flow — no Optimal-specific gallery app is required.
This guide supplements our main article: Set up single sign-on (SSO) with Optimal. Please follow that article for the overall process (access to the SSO self-service portal, testing, and submission).
The steps below cover the Entra ID side specifically.
Before you begin
You'll need access to Optimal's SSO self-service portal (contact support@optimalworkshop.com if you don't have it yet). Optimal's SAML settings — Single-sign-on URL (ACS URL) and Service Provider Entity ID — are found under Set up > Service Provider in the portal.
In Entra ID, you'll need a role that can manage enterprise applications (e.g. Cloud Application Administrator).
Step 1: Create the Optimal application in Entra ID
In the Microsoft Entra admin center, go to Entra ID > Enterprise applications > New application.
Select Create your own application.
Name it (e.g. "Optimal"), choose Integrate any other application you don't find in the gallery (Non-gallery), and select Create.
Step 2: Configure SAML
In the new application, go to Single sign-on and select SAML.
Under Basic SAML Configuration, select Edit and enter:
Entra ID field | Value (from Optimal's self-service portal) |
Identifier (Entity ID) | Optimal's Service Provider Entity ID |
Reply URL (Assertion Consumer Service URL) | Optimal's Single-sign-on URL |
Select Save. (Sign on URL, Relay State, and Logout URL can be left blank — Optimal doesn't require a relay state and doesn't support SAML single logout.)
Step 3: Configure the Name ID and attribute claims
Optimal identifies users by email address, and requires first name and last name attributes for seamless user creation.
Under Attributes & Claims, select Edit.
For the Unique User Identifier (Name ID) claim, set:
Name identifier format: Email address
Source attribute: user.mail (or user.userprincipalname if UPNs match users' email addresses)
Add two claims for the name attributes:
First name → source attribute user.givenname
Last name → source attribute user.surname
Note: Entra ID's default claims include a long URI namespace (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname). When adding the name claims, set the claim Name to the attribute key shown in Optimal's self-service portal and leave the Namespace field blank. If you need to use custom attribute keys, contact support@optimalworkshop.com.
Step 4: Assign users
In the application, go to Users and groups > Add user/group and assign everyone who will log in to Optimal — including yourself, so you can run the verification test. Unassigned users will be blocked by Entra ID when they try to sign in.
Step 5: Provide your Entra ID metadata to Optimal
On the application's Single sign-on (SAML) page, find the SAML Certificates section.
Download the Federation Metadata XML.
Open the file, copy its full contents, and paste it into the Identity Provider tab of Optimal's SSO self-service portal.
List all email domains your users will authenticate with.
Step 6: Test and submit
In Optimal's self-service portal, select Verify setup. This simulates a login through Entra ID and shows the SAML response we receive, with checks for each requirement. Once all statuses are green, hit Submit. We'll run final checks on our side and activate SSO, typically within 5 business days.
Troubleshooting tips
"AADSTS50105: The signed in user is not assigned to a role" — the user isn't assigned to the application in Entra ID (see Step 4).
"AADSTS700016 / Application not found" — the Identifier (Entity ID) in Entra ID doesn't exactly match Optimal's Service Provider Entity ID.
Reply URL mismatch errors — re-check the Reply URL against the Single-sign-on URL in Optimal's portal; it must match exactly.
User prompted for first/last name on first login — the name claims aren't mapped or are using namespaced claim names (see Step 3).
Questions? Contact support@optimalworkshop.com.
