Set Up SSO with Azure AD

Supabase supports single sign-on (SSO) using Microsoft Azure AD.

Step 1: Add and register an Enterprise application

Open up the Azure Active Directory dashboard for your Azure account.

Click the Add button then Enterprise application.

Azure AD console: Default Directory Overview

Step 2: Choose Create your own application

You'll be using the custom enterprise application setup for Supabase.

Azure AD console: Browse Azure AD Gallery, select: Create your own application

Step 3: Fill in application details

In the modal titled Create your own application, enter a display name for Supabase. This is the name your Azure AD users see when signing in to Supabase from Azure. Supabase works in most cases.

Make sure to choose the third option: Integrate any other application you don't find in the gallery (Non-gallery).

Azure AD console: Create your own application modal

Step 4: Choose the Set up single sign-on option

Before you get to assigning users and groups, which would allow accounts in Azure AD to access Supabase, you need to configure the SAML details that allows Supabase to accept sign in requests from Azure AD.

Azure AD console: Supabase custom enterprise application, selected Set up single sign-on

Step 5: Select SAML single sign-on method

Supabase only supports the SAML 2.0 protocol for Single Sign-On, which is an industry standard.

Azure AD console: Supabase application, Single sign-on configuration screen, selected SAML

Step 6: Upload SAML-based sign-on metadata file

First you need to download Supabase's SAML metadata file. Click the button below to initiate a download of the file.

Alternatively, visit this page to initiate a download:

Click on the Upload metadata file option in the toolbar and select the file you just downloaded.

Azure AD console: Supabase application, SAML-based Sign-on screen, selected Upload metadata file button

All of the correct information should automatically populate the Basic SAML Configuration screen as shown.

Azure AD console: Supabase application, SAML-based Sign-on screen, Basic SAML Configuration shown

Make sure you input these additional settings.

Sign on URL
Relay State

Finally, click the Save button to save the configuration.

Step 7: Obtain metadata URL and send to Supabase

Supabase needs to finalize enabling single sign-on with your Azure AD application. To do this, copy and send the link under App Federation Metadata Url in *section 3 SAML Certificates* to your support contact and await further instructions. If you're not clear who to send this link to or need further assistance, reach out to [email protected].

Do not test the login until you have heard back from the support contact.

Azure AD console: Supabase application, SAML Certificates card shown, App Federation Metadata Url highlighted

Step 8: Wait for confirmation

Wait for confirmation or further instructions from your support contact at Supabase before proceeding to the next step. It usually takes us 1 business day to configure SSO for you.

Step 9: Test single sign-on

Testing sign-on before your Azure AD has been registered with Supabase will not work. Make sure you've received confirmation from your support contact at Supabase as laid out in the confirmation step.

Once you’ve received confirmation from your support contact at Supabase that SSO setup has been completed for your enterprise, you can ask some of your users to sign in via their Azure AD account.

You ask them to enter their email address on the Sign in with SSO page.

If sign in is not working correctly, reach out to your support contact at Supabase for further guidance.