SSO Instructions
Microsoft Entra
Log in to the Microsoft Entra Admin Center, navigate to Enterprise applications, and choose to create a new application.

Select Create your own application at the top (or use an already created application if applicable).

Name your application and select Integrate any other application you don't find in the gallery (Non-gallery) and then click Create.
Once your application is created, navigate to the Single Sign-On setup page and select SAML.

Click Edit on Basic SAML Configuration and add the following values from the SSO Connection you created in Stytch:
- Identifier (Entity ID): the Audience URI will be supplied by Watchtower
- Reply URL (Assertion Consumer Service URL): the ACS URL will be supplied by Watchtower

Leave the other values blank and click Save.
Next, edit the Attributes & Claims section. Click on the Unique User Identifier (Name ID) under Required Claim, and change the Source attribute to user.primaryauthoritativeemail.

Under Additional claims, edit and delete the default options so that you are left with two claims: user.givenname as firstName and user.surname as lastName. Save.

Share the Metadata URL with Watchtower to finalize configuration.

The last step is to add users to your application in Entra, which you can do by navigating to Users and Groups and selecting "Add user/group".
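
To confirm the result of the steps above, the following added example (not Watchtower, Stytch or Microsoft code) checks a decoded test assertion for an email Name ID, the expected Audience, and exactly the firstName and lastName claims. The audience value and the sample assertion are constructed placeholders; substitute the Audience URI supplied by Watchtower and an assertion captured from your own test sign-in.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholder for the Audience URI that Watchtower supplies.
EXPECTED_AUDIENCE = "https://sso.example.invalid/audience-placeholder"
EXPECTED_CLAIMS = {"firstName", "lastName"}

# Constructed sample assertion (signature and timestamps omitted).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>ada@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sso.example.invalid/audience-placeholder</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text, expected_audience=EXPECTED_AUDIENCE):
    """Return a list of configuration problems; an empty list means the claims match.

    Checks claim shape only. It does not verify the XML signature, and it is meant
    for an assertion from your own test sign-in, not for untrusted XML.
    """
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if "@" not in name_id:
        problems.append(f"NameID is not an email address: {name_id!r}")
    audiences = {a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text}
    if expected_audience not in audiences:
        problems.append(f"Audience mismatch: {sorted(audiences)}")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for missing in sorted(EXPECTED_CLAIMS - names):
        problems.append(f"missing claim: {missing}")
    for extra in sorted(names - EXPECTED_CLAIMS):
        problems.append(f"unexpected claim still emitted: {extra}")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "claims match the configuration")
```

A claim that was renamed but still carries a namespace prefix shows up here as both a missing claim and an unexpected one, which points back to the Additional claims step.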

Updated on: 14/01/2026