Configuring Mautic Single Sign-On with SAML with Azure AD as the Identity Provider

Your software
My Mautic version is: v4.4.5
My PHP version is: 7.4.33
My Database type and version is: 10.2.32-MariaDB-log

Your problem
My problem is:
Currently setting up Mautic’s Single Sign-On with SAML with Azure AD as the Identity provider.
I have provided the required SAML SSO settings on the Mautic portal as well as the required setting on the side of Azure Enterprise Application Single Sign on setting.

So upon accessing Mautic’s URL, I get redirected to the Microsoft login, then I was able to log in using my Azure AD credentials. After that I get redirected back to the Mautic login portal with this error prompt:

These errors are showing in the log:
Invalid inbound message destination “https://your-mautic.com/s/saml/login_check”

Steps I have tried to fix the problem:
I tried different values for the Assertion consumer service setting on the Azure side.
As per Mautic documentation (Authentication | Mautic), the value of the Assertion consumer service should be https://your-mautic.com/s/saml/login_check.
However, the path provided can't be found upon direct access.

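The log line in the post is the service provider refusing the SAML Response because its Destination attribute does not match the URL the SP believes it is receiving the message at. SAML 2.0 requires that check for the HTTP-POST binding, so the error means the Reply URL Entra stamps into the Response and the ACS URL Mautic computes for itself differ, typically in scheme or host when a reverse proxy terminates TLS. The following Python script is an added diagnostic, not part of Mautic or of the original post: it decodes a captured `SAMLResponse` form value (from the browser's network tab or a SAML tracer extension), pulls out the Destination and reports component by component how it differs from the ACS URL you expect. The sample Response, its issuer tenant ID and the internal origin used in the second check are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the skeleton of an HTTP-POST-binding Response as an IdP such
# as Entra ID would send it, with a placeholder issuer tenant and no signature.
# The Destination is the ACS URL given in the Mautic documentation.
SAMPLE_RESPONSE_XML = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_id-constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://your-mautic.com/s/saml/login_check">'
    '<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)
# The SAMLResponse form field carries this document base64-encoded; the POST binding
# is not DEFLATE-compressed, unlike the Redirect binding.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(saml_response_b64: str) -> str:
    """Undo the POST-binding encoding: base64 -> XML text."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def extract_destination(xml_text: str) -> Optional[str]:
    """Return the Destination attribute of a samlp:Response, or None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    return root.get("Destination")


def check_destination(destination: str, expected_acs: str) -> List[str]:
    """Compare the two URLs component by component and name what differs."""
    got, want = urlsplit(destination), urlsplit(expected_acs)
    problems = []
    if got.scheme != want.scheme:
        problems.append(f"scheme {got.scheme!r} != {want.scheme!r} "
                        "(TLS terminated at a proxy and X-Forwarded-Proto not trusted?)")
    if got.netloc.lower() != want.netloc.lower():
        problems.append(f"host {got.netloc!r} != {want.netloc!r} "
                        "(Mautic site URL or Host header differs from the Reply URL?)")
    if got.path.rstrip("/") != want.path.rstrip("/"):
        problems.append(f"path {got.path!r} != {want.path!r} "
                        "(Reply URL points at the wrong ACS endpoint?)")
    return problems


def diagnose(saml_response_b64: str, expected_acs: str) -> List[str]:
    """Full check on a captured SAMLResponse value; an empty list means Destination matches."""
    destination = extract_destination(decode_saml_response(saml_response_b64))
    if destination is None:
        return ["Response carries no Destination attribute"]
    return check_destination(destination, expected_acs)


if __name__ == "__main__":
    # The documented ACS URL matches the sample, so there are no findings ...
    print(diagnose(SAMPLE_RESPONSE_B64, "https://your-mautic.com/s/saml/login_check"))
    # ... while a Mautic that believes it lives at a plain-HTTP internal origin
    # behind the proxy rejects the very same message on scheme and host.
    for problem in diagnose(SAMPLE_RESPONSE_B64, "http://mautic.internal:8080/s/saml/login_check"):
        print("-", problem)
```

Two caveats: the script parses XML you captured yourself; for anything untrusted use `defusedxml` rather than the standard parser. And this is only the Destination comparison; it does not verify the Response signature, so it is a troubleshooting aid, never a substitute for the SP's own validation.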

Were you able to get this working yet? I’m also struggling in a similar way currently, and the documentation is quite sparse on how to do this.

Is anyone able to figure this out? Azure AD is now named Entra, but it’s still the same issue.

I have chased this same issue for two days now, and have found a workaround if you are using Cloudflare or a reverse proxy in front of Mautic. The flow only breaks if Mautic initiates the SAML flow. If you start the login flow from the IdP, then it logs in fine. I set up a redirect in my reverse proxy (Traefik in my case) to intercept any requests to https://myweburl.com/saml/discovery and 302-redirect them to the login URL provided by my IdP (Entra), similar to this:

https://launcher.myapps.microsoft.com/api/signin/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx?tenantId=yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy

This drops the SAML flow initiated by Mautic when navigating to the root URL, and starts a new one initiated by the IdP.
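The redirect described in the post above, written out as an added example of a Traefik dynamic (file-provider) configuration. This is not the poster's own configuration: the hostname, the Entra application and tenant IDs in the My Apps sign-in URL, the `websecure` entry point and the backend address are placeholders modelled on the post, and you would substitute the values from your own Enterprise Application.

```yaml
# Traefik dynamic configuration (file provider). Placeholder names throughout.
http:
  middlewares:
    # Catch only Mautic's SP-initiated discovery request and send the browser to the
    # IdP's own sign-in URL instead, so the flow that reaches Mautic is IdP-initiated.
    mautic-saml-to-idp:
      redirectRegex:
        regex: "^https://myweburl\\.com/saml/discovery(\\?.*)?$"
        replacement: "https://launcher.myapps.microsoft.com/api/signin/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx?tenantId=yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
        permanent: false   # 302 Found, as in the post; not a cached 301

  routers:
    mautic:
      rule: "Host(`myweburl.com`)"
      entryPoints:
        - websecure
      middlewares:
        - mautic-saml-to-idp   # non-matching paths pass through untouched
      service: mautic
      tls: {}

  services:
    mautic:
      loadBalancer:
        servers:
          - url: "http://mautic:80"   # placeholder backend address
```

Because the regex is anchored to the single `/saml/discovery` path, every other request, including the ACS endpoint `/s/saml/login_check` that the IdP posts the Response back to, still reaches Mautic. Treat this as the workaround it is: it sidesteps the SP-initiated flow rather than fixing whatever makes Mautic compute a different ACS URL behind the proxy.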