
Microsoft Azure SAML SSO Setup

SAML authentication with Microsoft Entra ID

Written by James Graham
Updated over a week ago

Overview

Jiminny supports SAML 2.0 Single Sign-On (SSO) through Microsoft Entra ID (formerly Azure Active Directory). Once enabled, your users can sign in to Jiminny using their existing Microsoft credentials without needing a separate Jiminny password.

SSO uses the same Jiminny service principal that is created when you grant consent for the Office 365 integration. You do not need to create a new Enterprise Application in Entra ID.

Prerequisites

Before SSO can be enabled, the following must be in place:

  • Office 365 consent has been granted. An administrator must have completed the consent flow in the Grant Consent for Office 365 Integration article. This creates the Jiminny service principal in your Microsoft Entra ID tenant and provides Jiminny with your Tenant ID.

  • Active Jiminny subscription. Your Jiminny account must be provisioned and ready to use.

Important: If you have not yet granted consent, SSO cannot be configured. The consent step is required because it creates the service principal and provides Jiminny with the Tenant ID needed to generate your SAML configuration. Follow the Grant Consent guide first.

How It Works

Jiminny is registered as a multi-tenant application in Microsoft Entra ID. When you grant consent for the Office 365 integration, a service principal is created in your tenant. Jiminny uses this existing service principal to configure SAML-based SSO, so there is no need to register or create a separate Enterprise Application.

Why No Configuration Is Required on Your Side

Microsoft Entra ID publishes a federation metadata document for every tenant at a well-known, unauthenticated URL: https://login.microsoftonline.com/{your-tenant-id}/federationmetadata/2007-06/federationmetadata.xml. This is a built-in feature of the Microsoft identity platform that lets a service provider discover its SAML configuration automatically.

The federation metadata document contains everything needed to establish a SAML trust relationship: the IdP Entity ID, the SAML sign-in and sign-out endpoints, and the X.509 certificate(s) used to sign SAML responses. Because the document's URL is determined entirely by the Tenant ID, Jiminny can retrieve it and configure all SAML settings without any manual input from your side.

This means that once consent is granted, Jiminny automatically has:

  • IdP Entity ID - your tenant's identity provider identifier (https://sts.windows.net/{your-tenant-id}/)

  • Login URL - the Microsoft Entra ID SAML sign-in endpoint for your tenant

  • Logout URL - the Microsoft Entra ID SAML sign-out endpoint for your tenant

  • X.509 Signing Certificate - extracted from your tenant's federation metadata (more than one certificate may be listed while a signing key rollover is in progress)

You do not need to provide metadata URLs, XML files, or certificates. The entire SAML configuration is derived automatically from the federation metadata that your Tenant ID identifies.
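As an added illustration (example code written for this article, not Jiminny's implementation), the following Python shows how a service provider can derive the settings listed above from nothing but a Tenant ID: it builds the well-known federation metadata URL, parses a metadata document, pins the entityID to the expected tenant, picks the sign-in and sign-out endpoints by binding, and collects every published signing certificate, since more than one is listed during a key rollover. The tenant GUID, the sample document and the certificate bytes are constructed placeholders (real metadata carries X.509 DER and a Signature element); the function and class names are this example's own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Namespaces used in an Entra ID federation metadata document.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def federation_metadata_url(tenant_id: str, app_id: Optional[str] = None) -> str:
    """Well-known, unauthenticated metadata URL for a tenant. With ?appid=<client id>
    Entra ID returns metadata scoped to an app-specific signing certificate if the
    enterprise app has one; without it, the tenant's global signing keys are listed."""
    url = (f"https://login.microsoftonline.com/{tenant_id}"
           "/federationmetadata/2007-06/federationmetadata.xml")
    return f"{url}?appid={app_id}" if app_id else url


def is_expected_issuer(entity_id: str, tenant_id: str) -> bool:
    """The IdP entity ID is tenant-specific: the metadata now, and every
    Response/Assertion Issuer at login, must carry exactly this value."""
    return entity_id == f"https://sts.windows.net/{tenant_id}/"


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint as shown in the Entra portal (uppercase hex)."""
    return hashlib.sha1(der).hexdigest().upper()


@dataclass
class IdpConfig:
    entity_id: str
    sso_url: str
    slo_url: Optional[str]
    nameid_formats: List[str]
    signing_certs: List[bytes]  # DER; several entries while a key rollover is in progress

    @property
    def signing_thumbprints(self) -> List[str]:
        return [thumbprint(c) for c in self.signing_certs]


def parse_federation_metadata(xml_text: str, expected_tenant_id: str) -> IdpConfig:
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    if not is_expected_issuer(entity_id, expected_tenant_id):
        raise ValueError(f"metadata entityID {entity_id!r} is not the expected tenant")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoint(tag: str, binding: str) -> Optional[str]:
        for el in idp.findall(f"md:{tag}", NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None

    sso = endpoint("SingleSignOnService", HTTP_REDIRECT) or endpoint("SingleSignOnService", HTTP_POST)
    if not sso:
        raise ValueError("metadata has no SingleSignOnService endpoint")
    slo = endpoint("SingleLogoutService", HTTP_REDIRECT) or endpoint("SingleLogoutService", HTTP_POST)
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    certs: List[bytes] = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()))
            if der and der not in certs:
                certs.append(der)
    if not certs:
        raise ValueError("metadata lists no signing certificate")
    return IdpConfig(entity_id, sso, slo, formats, certs)


# Constructed sample: made-up tenant GUID, placeholder bytes instead of DER certificates.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_CERT_A_DER = b"constructed-cert-current"
SAMPLE_CERT_B_DER = b"constructed-cert-incoming"
CERT_A_B64 = base64.b64encode(SAMPLE_CERT_A_DER).decode()
CERT_B_B64 = base64.b64encode(SAMPLE_CERT_B_DER).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/{TENANT_ID}/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{CERT_A_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{CERT_B_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  <SingleSignOnService Binding="{HTTP_POST}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    cfg = parse_federation_metadata(SAMPLE_METADATA, TENANT_ID)
    print(federation_metadata_url(TENANT_ID, "3bcad3f8-39bc-495b-b118-04d692e0bb31"))
    print(cfg.entity_id, cfg.sso_url, cfg.slo_url, cfg.nameid_formats, cfg.signing_thumbprints)
```

The entityID check is the one a multi-tenant service provider must not skip: the metadata URL pattern works for any tenant, so the parser pins the document to the Tenant ID obtained during consent rather than trusting whatever entityID the document declares. Keeping every listed certificate, not just the first, is what makes the rollover in the Troubleshooting section below a non-event.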

Setup Steps

Step 1: Grant consent for the Office 365 integration

If you haven't already, complete the consent flow to create the Jiminny service principal in your tenant. This also provides Jiminny with your Tenant ID.

Step 2: Request SSO activation from Jiminny

Contact your Customer Success Manager (CSM) and request that SAML SSO be enabled for your Jiminny instance. Jiminny will configure the SAML 2.0 connection using the Tenant ID obtained during consent.

There is nothing you need to configure in the Microsoft Entra admin center. Jiminny handles the full SAML setup.

Step 3: SSO is live

Once Jiminny confirms that SSO has been enabled, your users will see a "Sign in with Microsoft" option on the Jiminny login page. They can authenticate using their Microsoft Entra ID credentials.

Technical Details

SAML Configuration

Setting                           Value
SAML Version                      2.0
NameID Format                     emailAddress (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress), populated from the user's UPN
Signed Authentication Requests    Not required
Service Principal                 Existing Jiminny enterprise app (Client ID: 3bcad3f8-39bc-495b-b118-04d692e0bb31)
IdP Metadata                      Auto-discovered via the well-known federation metadata endpoint

NameID and SCIM

Jiminny uses emailAddress as the NameID Format, which is populated from the user's UPN (User Principal Name) in Microsoft Entra ID. Note that a user's UPN and primary email address are not always the same value in Entra ID; if they differ in your tenant, the NameID Jiminny receives is the UPN. If your organization has configured SCIM provisioning to push a different identifier, let your CSM know during SSO setup so Jiminny can adjust the mapping accordingly.


Troubleshooting

If SSO is not working after Jiminny has confirmed activation, check the following common causes in the Microsoft Entra admin center.

"The signed-in user is not assigned to a role for the application" (AADSTS50105)

Cause: The Jiminny service principal has "Assignment required?" set to Yes, but the user has not been assigned.

Fix: Either assign the user (or a group they belong to) under Enterprise applications > Jiminny > Users and groups, or set "Assignment required?" to No under Properties if you want all tenant users to have access. See the Grant Consent article (Option 1, Step 3) for detailed instructions.

"Access has been blocked by Conditional Access policies" (AADSTS53003)

Cause: A Conditional Access policy in your tenant is blocking sign-in to the Jiminny application. This could be due to requirements for compliant devices, specific network locations, MFA, or other conditions.

Fix: In the Entra admin center, go to Identity > Monitoring & health > Sign-in logs, open the failed sign-in, and check the Conditional Access tab to see which policy blocked access. You may need to exclude the Jiminny application from that policy or ensure users meet its requirements.

Application is disabled for sign-in

Cause: The Jiminny enterprise application has "Enabled for users to sign-in?" set to No. This is a global on/off switch for the application.

Fix: In the Entra admin center, go to Identity > Applications > Enterprise applications > Jiminny > Properties and set "Enabled for users to sign-in?" to Yes.

Consent has not been granted

Cause: The Jiminny service principal does not exist in your tenant because the consent flow was never completed. Entra ID only issues SAML tokens for applications that have a service principal in the tenant, so the sign-in cannot succeed.

Fix: Complete the consent flow first: Grant Consent for Office 365 Integration with Jiminny.

SSO suddenly stopped working with no changes on the Tenant side

Cause: Microsoft Entra ID periodically rolls over the key it uses to sign SAML tokens. This is a standard security practice; Microsoft does not publish the schedule, and an emergency rollover can happen at any time. The incoming certificate appears in your tenant's federation metadata before it is used for signing, so a service provider that re-reads the metadata keeps working, while one that has pinned a single certificate starts rejecting responses. When a rollover occurs, the certificate used to verify SAML responses may need to be updated on Jiminny's side.

Fix: Contact Jiminny support or your CSM. Jiminny will update the signing certificate from your tenant's federation metadata and restore SSO. No action is required from you in the Entra admin center.
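To show what a rollover looks like from the service-provider side, here is an added Python example (not Jiminny's code; the tenant GUID, SP entity ID, sample Response and certificate bytes are constructed, and the names are this example's own). Before any signature check, the certificate embedded in the Assertion's KeyInfo is matched against the thumbprints currently published in the tenant's federation metadata; on a miss the key store refreshes once and retries, which is how a key rollover becomes a non-event. The same routine pins the Response and Assertion Issuer to the expected tenant's entity ID and checks the audience and validity window. The XML-DSig signature itself is deliberately not verified here: in production that is done with a library such as xmlsec using the key selected from the trusted set, never with a key taken from the message alone.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Callable, Set, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of DER certificate bytes, as the Entra portal shows it."""
    return hashlib.sha1(der).hexdigest().upper()


def expected_issuer(tenant_id: str) -> str:
    """Tenant-specific IdP entity ID that every Response and Assertion must carry."""
    return f"https://sts.windows.net/{tenant_id}/"


class SigningKeyStore:
    """Thumbprints of the signing certificates currently published in the tenant's
    federation metadata, with a one-shot refresh when an unknown key shows up.
    `refresh` re-fetches the metadata and returns all listed thumbprints
    (Entra ID lists the incoming key before it starts signing with it)."""

    def __init__(self, initial: Set[str], refresh: Callable[[], Set[str]]):
        self.trusted = set(initial)
        self._refresh = refresh
        self.refreshes = 0

    def require_trusted(self, presented: str) -> None:
        if presented in self.trusted:
            return
        self.refreshes += 1  # unknown key: most likely a rollover, re-read metadata once
        self.trusted = set(self._refresh())
        if presented not in self.trusted:
            raise ValueError(f"signing certificate {presented} is not published by the tenant")


def embedded_cert_thumbprint(signed: ET.Element) -> str:
    """Thumbprint of the X509Certificate in the signature's KeyInfo. This comes from
    the message and is untrusted until it matches a certificate from metadata."""
    cert = signed.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("no X509Certificate in signature KeyInfo")
    return thumbprint(base64.b64decode("".join(cert.text.split())))


def saml_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(response_xml: str, tenant_id: str, sp_entity_id: str,
                   keys: SigningKeyStore, now: datetime) -> str:
    """Pre-signature checks on an Entra ID SAML Response; returns the NameID.
    XML-DSig verification is out of scope here and must use the key accepted by `keys`."""
    root = ET.fromstring(response_xml)
    issuer = expected_issuer(tenant_id)
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != issuer:
        raise ValueError("Response Issuer is not the expected tenant")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != issuer:
        raise ValueError("Assertion Issuer is not the expected tenant")
    keys.require_trusted(embedded_cert_thumbprint(assertion))
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    if not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion is outside its validity window")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        raise ValueError("Assertion is not addressed to this service provider")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("Assertion has no NameID")
    return name_id


# Constructed sample data: made-up tenant GUID, hypothetical SP entity ID, placeholder
# bytes instead of DER certificates, and a fixed clock matching the sample timestamps.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
OLD_CERT_DER = b"constructed-cert-before-rollover"
NEW_CERT_DER = b"constructed-cert-after-rollover"
NEW_CERT_B64 = base64.b64encode(NEW_CERT_DER).decode()
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="https://app.example.com/saml/acs">
 <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
  <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
   <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""


def demo() -> Tuple[str, int]:
    """Simulates a rollover: the SP cached only the old key, the IdP signed with the new one."""
    keys = SigningKeyStore({thumbprint(OLD_CERT_DER)},
                           refresh=lambda: {thumbprint(OLD_CERT_DER), thumbprint(NEW_CERT_DER)})
    return check_response(SAMPLE_RESPONSE, TENANT_ID, SP_ENTITY_ID, keys, NOW), keys.refreshes


if __name__ == "__main__":
    print(demo())
```

The refresh is bounded to one attempt per unknown key so that a flood of responses signed with a bogus certificate cannot be turned into a flood of metadata fetches, and the order of checks matters: the Issuer is pinned before the key lookup, so metadata is only ever consulted for the tenant the SP already expects.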

General steps

If none of the above apply, try these steps:

  1. Clear your browser cache and cookies, then try again

  2. Try signing in from a private/incognito window

  3. Check the Sign-in logs in the Entra admin center for the specific error code

  4. Contact Jiminny support with the error details

For additional troubleshooting, see Troubleshooting Office 365 Login and Consent Issues.


Frequently Asked Questions

Do I need to create a new Enterprise Application in Entra ID? No. Jiminny SSO uses the same service principal that is created when you grant consent for the Office 365 integration. There is no need to register a separate application.

Do I need to provide my Tenant ID manually? No. Jiminny automatically receives your Tenant ID when you complete the consent flow. You do not need to look it up or share it separately.

Do I need to configure anything in the Entra admin center for SSO? No. Jiminny derives the IdP Entity ID, Login URL, Logout URL, and X.509 signing certificate from your Tenant ID automatically via the well-known federation metadata endpoint. There is no configuration required on your side.

How does Jiminny get my SAML configuration without me providing it? Microsoft Entra ID publishes a well-known federation metadata document for every tenant at a standard URL. This document contains the IdP Entity ID, SAML endpoints, and signing certificates. Because the URL follows a predictable pattern based on the Tenant ID, Jiminny can retrieve all SAML settings automatically.

Can I restrict which users can sign in via SSO? Yes. If you enable user assignment on the Jiminny service principal in the Entra admin center, only assigned users and groups will be able to sign in. See the Grant Consent article (Option 1, Step 3) for instructions.
