Microsoft Entra SSO for Ziflow via MyApps (IdP-Initiated)

Ron Shaw

Use this setup only when users will sign in to Ziflow from https://myapps.microsoft.com.


Supported MyApps configuration

Ziflow supports IdP-initiated SSO from MyApps when configured as follows.

1. Create a non-marketplace app

  • In Microsoft Entra, create a new non-gallery application

  • Do not use the Ziflow marketplace app


2. Configure SAML in Entra

Go to Single sign-on → SAML and set:

  • Identifier (Entity ID)

    urn:auth0:ziflow-production:<UNIQUE_ID>
    
  • Reply URL (ACS URL)

    https://ziflow-production.auth0.com/login/callback
    
  • Sign-on URL

    • Leave this field empty

Setting a Sign-on URL will cause MyApps SSO to fail.


3. Complete SSO setup in Ziflow

In Ziflow → Account settings → Single Sign-On:

  • Type: SAML 2.0

  • Sign-In URL: Microsoft Login URL from Entra

  • X.509 Certificate: Entra Base64 certificate

  • Sign-Out URL: Microsoft Logout URL

  • Activate SSO


4. Assign users and test


Common issue

If MyApps login fails with errors such as:

  • “Required request parameter code is not present”

  • “InResponseTo does not match”

  • “Connection is not enabled”

Check that Sign-on URL is not set in Entra.
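
To confirm which flow actually ran when one of these errors appears, the following added example (not part of the original article or Ziflow's own tooling) inspects a SAMLResponse form value captured from the browser's POST to the Reply URL: an IdP-initiated response carries no InResponseTo and is addressed to the Reply URL and Entity ID from step 2. The function names, the EXAMPLE_ID placeholder and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://ziflow-production.auth0.com/login/callback"  # Reply URL from step 2
ENTITY_PREFIX = "urn:auth0:ziflow-production:"                   # Identifier prefix from step 2


def check_saml_response(b64_response, entity_id):
    """List config findings for a captured SAMLResponse (reads fields only, no signature check)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a SAML 2.0 Response"]
    # IdP-initiated (unsolicited) responses carry no InResponseTo.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    for name, el in (("Response", root), ("SubjectConfirmationData", scd)):
        if el is not None and el.get("InResponseTo"):
            findings.append(f"{name} has InResponseTo: flow was SP-initiated")
    if root.get("Destination") != ACS_URL:
        findings.append(f"Destination is {root.get('Destination')!r}, expected the Reply URL")
    if scd is None or scd.get("Recipient") != ACS_URL:
        findings.append("SubjectConfirmationData Recipient is not the Reply URL")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append(f"Audience {audiences} does not contain {entity_id}")
    if not entity_id.startswith(ENTITY_PREFIX):
        findings.append("Entity ID does not use the urn:auth0:ziflow-production: prefix")
    return findings


def build_sample(entity_id, in_response_to=None, destination=ACS_URL):
    """Constructed, unsigned sample response for demonstration only."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" Destination="{destination}"{irt}>'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:SubjectConfirmation>'
        f'<saml:SubjectConfirmationData Recipient="{destination}"{irt}/>'
        f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{entity_id}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    eid = ENTITY_PREFIX + "EXAMPLE_ID"  # placeholder for <UNIQUE_ID>
    print(check_saml_response(build_sample(eid), eid))
    print(check_saml_response(build_sample(eid, in_response_to="_req42"), eid))
```

A captured SAMLResponse is a bearer credential while it is within its validity window, so inspect it locally and do not paste it into tickets or online decoders.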


Summary

For Ziflow SSO via MyApps:

  • Use a non-marketplace Entra app

  • Configure Entity ID + Reply URL only

  • Do not set a Sign-on URL

  • Launch exclusively from MyApps
