Skip to main content

Overview

This guide walks you through configuring SAML single sign-on with Microsoft Entra ID. You’ll create an Enterprise application in Entra ID, configure SAML settings, and establish a secure connection between your identity provider and Langdock. Once complete, your users will be able to sign in to Langdock using their Entra ID credentials.

Setup Checklist

Verify that you have completed these steps from the setup checklist:
  • You have access to an admin account in your Langdock workspace
  • “Join by domain” is enabled in your Langdock security settings
  • Your domain is added and verified in your Langdock security settings
  • You have an Entra ID account with the ability to create and manage Enterprise applications

Create a new Enterprise application in Entra ID

Next, you need to create a new Enterprise application in your Entra ID portal. To do this, follow these steps:
  1. In your Entra ID portal navigate to the Overview page and add a new Enterprise application under ”+ Add”“Enterprise application”
  2. Create a new custom application by clicking on ”+ Create your own application”
  3. Name your application (e.g., “Langdock”)
  4. Select the option “Integrate any other application you don’t find in the gallery (Non-gallery)“
Navigate to "Enterprise Application" Click on "Create your own application" then give the application the name Langdock and click on "Integrate any other application..."

SAML Configuration

Langdock uses SAML 2.0 as the standard for SSO authentication. After creating the application, you need to configure the SAML settings, which will allow Langdock to authenticate users via SAML. First, navigate to the “Single sign-on” settings of your newly created application, by selecting “Set up single sign on” and choosing “SAML” as the single sign-on method. Select "2. Set up single sign on" Select SAML as Signle Sign on method Next, you need to get the SAML metadata from Langdock, which you can find in your Security settings. Here, you need to copy two values from the SAML metadata:
  1. The “Audience URI (SP Entity ID)” value(langdock.com)
  2. The “Assertion Consumer Service (ACS) URL” value
Add the Audience URI and the ACS URL in Langdock Now, you can configure the SAML settings in your Entra ID portal, by first clicking “Edit” in the “Basic SAML Configuration” section, and then filling in the following values:
  1. “Identifier (Entity ID)”: The “Audience URI (SP Entity ID)” value from Langdock
  2. “Reply URL (Assertion Consumer Service URL)”: The “Assertion Consumer Service (ACS) URL” value from Langdock
You can leave the other fields empty or with their default values. Finally, save the configuration by clicking “Save”. Click on "Edit" in the Signle Sign-on Settings in Entra Add the Entity ID, Reply UL and click on "Save" You also need to modify the default SAML Certificate configuration, by clicking “Edit” in the “SAML Certificates”“Token signing certificate” section and:
  1. Setting the “Signing Option” to “Sign SAML response and assertion”
  2. Setting the “Signing Algorithm” to “SHA-256”
Finally, save the SAML Certificate configuration by clicking “Save”. Click on "Edit" Add the signing option "Sign SAML response and assertion" and Signing Algorithm "SHA-256" To finalize the SAML setup, you need to copy the Login URL and the SAML Signing certificate from Entra ID to Langdock.
  1. In the “SAML Signing Certificate” section of your Entra ID portal, click on “Download” next to “Certificate (Base64)” link to download the certificate. You have to open the certificate in a text editor and copy the content. This will be in the format of:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
  1. Copy the “Login URL” value from the “Set up Langdock” section in your Entra ID portal.
Download the Certificate and copy the Login URL In your Langdock workspace, navigate to the Security settings again and paste the copied values into the respective fields:
  1. Fill in the “Issuer” field with the Audience URI specified earlier (langdock.com).
  2. Paste the “Login URL” value from Entra ID into the “Sign on URL” field
  3. Paste the SAML Signing certificate content into the “Certificate” field
Finally, to test your SAML setup, you need to activate it by enabling the**“SAML Active” ** toggle. Base the Certificate, Sign on URL and Issuer into langdock

Test the SAML setup

To test the setup, please stay logged in in the current browser session and open seperate browser or an incognito window and navigate to https://app.langdock.com.
Enter an email address of a user in your Entra ID account and click “Continue”. You will be redirected to the Entra ID login page, where you can enter your credentials. After successful authentication, you will be redirected back to Langdock and logged in. Login with the company email Enter MS Password to login to Langdock

Multiple Workspaces with the Same Entra ID Tenant

If you want to connect multiple Langdock workspaces to the same Entra ID tenant, this is possible but requires manual configuration by the Langdock team.
For each additional workspace, you need to:
  1. Ask the Langdock Team at [email protected]om to create a new Workspace and provide you with the Assertion Consumer Service (ACS) URL.
  2. Create a separate Enterprise application in Entra ID for each workspace you want to connect (following the same steps as above)
  3. Use a unique Identifier (Entity ID) for each app registration. Instead of using langdock.com, use a unique identifier like yourcompany.langdock.com or workspace-name.langdock.com
  4. Enter the Assertion Consumer Service (ACS) URL provided by the Langdock Team.
  5. Contact Langdock support at [email protected] and provide the following information for each additional workspace:
    • The Issuer (your unique Entity ID)
    • The Login URL (Sign-on URL)
    • The Certificate (Base64)
    • All E-Mail domains of users that should be able to join the workspace. More details on that here.
You cannot configure multiple SAML workspaces yourself. The Langdock team needs to manually configure the additional workspaces in the backend. We only offer this for our enterprise clients. Also, note that we can not migrate users / chats / assistants to other workspaces.

Workspace Switching Behavior

When users have access to multiple SAML-enabled workspaces with the same domain:
  • After entering their email address during login, users will see a workspace picker to choose which workspace to access
  • The regular “switch workspace” button is not available for SAML users
  • To switch between workspaces, users need to log out and log in again, then select the desired workspace from the picker

Troubleshooting

If you encounter any issues during the setup, reach out to [email protected] for assistance.