HashiTalks 2025 Learn about unique use cases, homelab setups, and best practices at scale at our 24-hour virtual knowledge sharing event. Register
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Azure Active Directory SAML SSO Configuration

This page explains how to set up SSO in HashiCorp Cloud Platform (HCP) with the Azure Active Directory identity provider. Refer to SSO Overview for details about managing organizations with SSO enabled.

Configure SSO

Organization owners and admins can set up SSO. To begin configuring SSO:

  1. Log in to HCP and go to your organization.
  2. Click Settings and then click SSO. The Single Sign-On page appears.
  3. Click Configure SSO for your Organization. The Setup SAML SSO page appears, where you will enter the required information for Azure Active Directory.
  4. Assign a default organization role.

Verify Your Domain

You need a DNS record (secret value to set as TXT) to prove ownership of a domain. HCP uses the domain to match the email addresses for SSO. You must use different SSO domains for each HCP organization. If you try to reuse a domain name, the DNS connection request will fail.

To verify your domain:

  1. Copy the verification TXT record from the HCP SSO configuration to the DNS records of any email domains your organization uses.
  2. Return to the HCP Settings page and add your email address domains.
  3. Click Verify domains.

If the verification is successful, you can continue configuring SSO. If the request fails, your changes to the DNS records may not have propagated yet. It can take up to 72 hours.

Initiate SAML Integration

You must add information from the the Initiate SAML Integration section in HCP to the SAML configuration for an Enterprise application in Azure Active Directory.

To add the required integration information in Azure Active Directory:

  1. Log in to your Microsoft Azure portal and go to Azure Active Directory.
  2. Click Enterprise applications under Manage.
  3. Click New application. The Browse Azure AD Gallery page appears.
  4. Click Create your own application and enter a name.
  5. Select Integrate any other application you don't find in the gallery (Non-gallery) and then click Create. Your application overview page appears.
  6. Click Get started inside Set up single sign on.
  7. Select SAML.
  8. Click Edit in Basic SAML Configuration and enter the following information:
    • Identifier: The Entity ID from HCP.
    • Reply URL: The SSO Sign-On URL from HCP.
    • Sign on URL: The SSO Sign-on URL from HCP.
  9. Click Edit in Attributes & Claims and enter the following information:
  10. Click Save.

Finalize SSO Settings

To finish configuring SSO:

  1. Download the SAML Signing Certificate from your Azure Active Directory application in Base64 format.
  2. Open it in a text editor and then copy and paste the contents into the SAML IDP Certificate field in HCP.
  3. Copy the Login URL from your Azure Active Directory application and paste it into the SAML IDP Single Sign-on URL field in HCP.
  4. Assign a default organization role.

Now, users can sign in to your organization through Azure Active Directory.