Microsoft Entra ID
  • 06 Aug 2024


Step-by-step guide to configuring Microsoft Entra ID (formerly known as Azure AD) as a SAML Identity Provider within Visma.

Follow the steps below to configure Entra as a SAML Identity Provider within Visma. Keep Authentication Settings open in your browser while you access Entra in a new window or tab. You will need to return to the Single Sign-On page to complete the configuration steps.

Prerequisites

  • Microsoft account with Entra Premium activated

  • Global Admin or Co-admin account in Entra

  • All of your users under your account in Visma will need a pre-existing account in Azure Active Directory with exactly the same email address.

Configure Visma Single Sign-On app in Entra

  1. On the "Single Sign-On" page, go to the section "1. Upload the Visma file into Azure AD". Click Download to download the Visma SAML metadata file. This is the Visma Single Sign-On metadata that you will need to provide to Entra in order to configure Visma as a service provider.

  2. Log into your Microsoft Entra administrative portal.

  3. Click on the hamburger menu icon in the upper left-hand side of the page. Click All services.

  4. Use the Filter field to search for and select Azure Active Directory.

  5. From Azure Active Directory, click Enterprise applications.

  6. Click + New application at the top of the screen.

  7. On the Browse Entra Gallery page, type Visma in the Name field.

  8. Select the Visma app and click Create at the very bottom of the page.

  9. On the application Overview page, below Getting Started, click Assign users and groups.

  10. Click + Add users and select the users and groups that should have access to log in with Entra to Visma. Once the users and groups are selected, click Assign at the bottom of the page.

  11. In the left navigation, click Single sign-on. Select SAML on the "Select a single sign-on method" page.

  12. Under the Basic SAML Configuration heading, select Upload metadata file. Upload the XML file that you downloaded from the Authentication Settings Entra setup page in step 1.

  13. After you have successfully uploaded the XML file, all the fields within the Basic SAML Configuration section will be populated. Click Save and close the "Basic SAML Configuration" editor.

  14. Go to the User Attributes & Claims heading and select the Edit icon. Ensure that the values are exactly as below.
    When a user authenticates to the application, Entra issues the application a SAML token with information (claims) about the user that uniquely identifies them. By default, this information includes the user's username, email address, first name and last name.

  15. Once all five claims have been added, click the icon at the top right-hand side to close the view.

Configure Visma Single Sign-On to use Entra

  1. In the SAML Signing Certificate section, ensure that the certificate status is Active (a certificate is valid for 3 years after it was added). If it is not, add a new certificate by clicking the edit (pencil) button. Enter a notification email for the certificate expiry reminders and click Save.

  2. Click the App Federation Metadata Url copy button.
    Your Metadata XML link address should look like: https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxxxxxxxxxxxxxxxxxxx

  3. Paste this Metadata XML link address into the Single Sign-On page within Authentication Settings. It contains the Entra endpoints and the public certificate that Visma needs in order to complete the setup.

  4. Click Save.

  5. After you've successfully saved your Entra integration, you will see your setup details on the Single Sign-On page, below MyDomain.

  6. Depending on your provider, the certificate can expire. In that case, we show an error message on the Entra setup.

  7. Go to Entra and create or upload a new and valid certificate.

  8. Come back to Authentication Settings and click the Edit icon or the Entra link. Then click the Refresh certificate button and click Save.

Testing Single Sign-On after Visma has made its configuration

To make sure SSO is working, perform these steps:

  1. Log out and close the Azure management portal and the Entra access panel.

  2. In a new browser session, navigate directly to the access panel at https://myapps.microsoft.com.

  3. Enter your Entra credentials to log in. After authentication, you will be able to interact with the applications integrated with Active Directory.

  4. Click on the Visma application you have created to be redirected and logged into Visma.

  5. Another way to test SSO access is to go to your Visma MyDomain, e.g. https://example.my.connect.visma.com directly, and then click the Entra button.
  6. Once you have verified that both ways are working, you may want to tell Visma to disable the Visma credentials so your users can only sign in with their Entra credentials.

Enable multifactor authentication in Entra ID

Some Visma applications might require your Entra ID users to authenticate with multifactor authentication (two-step authentication). Check Entra ID documentation for how to:

