How To: Setup SSO Configs

Pre-requisites to configure SSO on AD


To configure SSO, customers need:



Enable single sign-on


To enable SSO for an application:


  1. Go to the Azure Active Directory Admin Centre and sign in using one of the roles listed in the prerequisites.
  2. In the left menu, select Enterprise applications. The All applications pane opens and displays a list of the applications in your Azure AD tenant.
  3. Click the New application button and complete the following details.





  1. In the Manage section of the left menu, select Single sign-on to open the Single sign-on pane for editing.
  2. Select SAML to open the SSO configuration page. After the application is configured, users can sign in to it by using their credentials from the Azure AD tenant.




  1. Click the Edit option in the Basic SAML Configuration section and record the values of the Identifier, Reply URL, and Logout URL.



  • Best practice is to enter the Identifier in the format “api://{{application_id}}” or “spn:{{application_name}}”.
  • For Reply URL (Assertion Consumer Service URL), enter:


Production

XAP - https://id.xap.rocks/External/Callback


Test

XAP - https://id.qa.kidsxap.com.au/External/Callback


If you intend to configure Single Log Out, you must also add the following URL as a Reply URL.


Production

XAP - https://id.xap.rocks/External/LoggedOut


Test

XAP - https://id.qa.kidsxap.com.au/External/LoggedOut



  1. Click the Edit button in the Attributes & Claims section and obtain the user.mail claim name. This value is required when setting up SSO in Xap.




  1. Obtain the App Federation Metadata URL from the SAML Signing Certificate Section. This value is required when setting up SSO in Xap.



  1. Obtain the Logout URL from the Set up SSO Test section. This value is optional when setting up SSO in Xap. If it is not provided, the Single Logout function will not be available.



  1. Configure Users and Groups for the SSO app.



Configure single sign-on in the Xap/SPM portal


When setting up SSO for a specific organisation, it is crucial that the SSO settings we enter for the organisation from the System Admin login are accurate. The following details are required when setting up SSO:


  • Single Sign-On URL
  • WtRealm
  • Metadata URL
  • ID Claim Type
  • Log Out Url (Optional)


Single Sign-On URL


  • Must be unique across Xap.
  • Must be in lower case.
  • Must be easy to remember.


For an example:



WtRealm


  • Provided by the customer.
  • If SSO is from Azure Directory, the following formats are currently known:
      • spn:{{application_name}}, for example spn:XapSSO
      • api://{{application_id}}, for example api://a6c78da4-bf5c-4569-90fa-e0918d1e27cc


  • Once the SSO application is created with the steps mentioned above, access the app overview page,



Metadata URL

  • App Federation Metadata URL provided by the customer.


ID Claim Type

  • Claim name of user.mail attribute provided by the customer.


Logout URL

  • Optional. If not provided, the single logout function will not be available.
  • Provided by the customer.
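
The following pre-flight check is an added example, not part of Xap or Azure AD: it validates the values a customer hands over against the rules on this page before they are entered in the portal. The dictionary key names are hypothetical, the sample values are constructed, and the https requirement on the Metadata URL is an added assumption rather than a documented Xap rule.

```python
import re
from urllib.parse import urlsplit

# Reply URLs as listed on this page, per environment.
REPLY_URLS = {
    "production": ("https://id.xap.rocks/External/Callback",
                   "https://id.xap.rocks/External/LoggedOut"),
    "test": ("https://id.qa.kidsxap.com.au/External/Callback",
             "https://id.qa.kidsxap.com.au/External/LoggedOut"),
}
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# The two WtRealm formats this page lists as currently known.
WTREALM = re.compile(rf"(?:api://{GUID}|spn:\S+)")


def check_sso_settings(s, env):
    """Return a list of problems in settings dict `s`; an empty list means OK."""
    callback, logged_out = REPLY_URLS[env]
    replies = set(s.get("reply_urls", []))
    problems = []
    sso_url = s.get("single_sign_on_url", "")
    if not sso_url or sso_url != sso_url.lower():
        problems.append("single_sign_on_url: must be set and lower case")
    if not WTREALM.fullmatch(s.get("wt_realm", "")):
        problems.append("wt_realm: not api://<application_id> or spn:<application_name>")
    # Added check (assumption): metadata is fetched over the network, so require https.
    meta = urlsplit(s.get("metadata_url", ""))
    if meta.scheme != "https" or not meta.hostname:
        problems.append("metadata_url: expected an absolute https URL")
    if not s.get("id_claim_type", "").strip():
        problems.append("id_claim_type: claim name for user.mail is required")
    # Exact comparison: a trailing slash or a test host in production is a mismatch.
    if callback not in replies:
        problems.append(f"reply_urls: missing {callback}")
    # Logout URL is optional, but Single Log Out also needs the LoggedOut Reply URL.
    if s.get("logout_url") and logged_out not in replies:
        problems.append(f"reply_urls: missing {logged_out} (needed for Single Log Out)")
    return problems


# Constructed sample handover, not real customer values.
SAMPLE = {
    "single_sign_on_url": "examplecentre",
    "wt_realm": "spn:XapSSO",
    "metadata_url": "https://idp.example.com/federationmetadata.xml",
    "id_claim_type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "logout_url": "https://idp.example.com/logout",
    "reply_urls": ["https://id.xap.rocks/External/Callback/"],  # trailing slash
}

if __name__ == "__main__":
    for problem in check_sso_settings(SAMPLE, "production"):
        print(problem)
```

Uniqueness of the Single Sign-On URL across Xap is not checked here, because that can only be confirmed inside the portal.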

Updated on: 25/03/2026
