Microsoft Entra SAML SSO | ElevenLabs Documentation

Microsoft Entra SAML SSO lets workspace members sign in to ElevenLabs through a Microsoft Entra ID (formerly Azure AD) enterprise application.

SSO is available for Enterprise workspaces. Only Workspace admins can configure SSO settings.

ElevenLabs supports Service Provider (SP) initiated SAML SSO. To start sign-in, use https://elevenlabs.io/app/sign-in?use_sso=true. You can add email=user@example.com as a query parameter to prefill the email field.

Microsoft Entra is only supported through SAML. OIDC with Microsoft Entra is not recommended and can cause sign-in issues.

Prerequisites

An Enterprise ElevenLabs workspace.
Workspace admin access in ElevenLabs.
Admin access in the Microsoft Entra admin center.
A verified email domain in ElevenLabs for the users who will sign in through Microsoft Entra.

Set up Microsoft Entra SAML SSO

Open SSO settings in ElevenLabs

Go to Workspace settings > Security & SSO.

Verify your email domain

Under User Auto Provisioning, verify the email domain your Microsoft Entra users will sign in with. Enter the domain (subdomains are allowed), then follow the prompts to confirm ownership. Optionally enable auto-provisioning so users with a matching email domain automatically join your workspace.

ElevenLabs bulk domain verification dialog

Select SAML as the SSO provider

In SSO Provider, select SAML. Copy the Service Provider Entity Id and Redirect URL values. You will use these values in Microsoft Entra.

Create a Microsoft Entra enterprise application

In the Microsoft Entra admin center, open your directory Overview, then click Add > Enterprise application.

Microsoft Entra Overview Add menu with Enterprise application selected

On Browse Microsoft Entra App Gallery, click Create your own application.

Microsoft Entra App Gallery with Create your own application

Name the application

Enter a name (for example, ElevenLabs), select Integrate any other application you don’t find in the gallery (Non-gallery), then click Create.

Microsoft Entra Create your own application panel with a non-gallery app

Start single sign-on setup

On the application Overview, under Getting Started, select Set up single sign on > Get started.

Microsoft Entra enterprise application Getting Started with Set up single sign on

Select SAML as the single sign-on method.

Microsoft Entra Select a single sign-on method with SAML

Configure basic SAML settings

In Basic SAML Configuration, configure the app with the values from ElevenLabs:

Set Identifier (Entity ID) to the ElevenLabs Service Provider Entity Id.
Set Reply URL (Assertion Consumer Service URL) to the ElevenLabs Redirect URL.
Leave Sign on URL blank. ElevenLabs uses SP-initiated SSO.

Click Save.

Microsoft Entra Basic SAML Configuration with Identifier and Reply URL

For data residency environments, use https://<region>.residency.elevenlabs.io/__/auth/handler as the Reply URL, replacing <region> with your region code.

Configure the Name ID claim

In Attributes & Claims, edit the Unique User Identifier (Name ID) claim:

Set Name identifier format to Email address.
Set Source to Attribute.
Set Source attribute to the field that contains the email address for all users. This is usually user.mail, but may be user.userprincipalname.

Click Save.

Choose the attribute that holds an email address for every user. If user.mail is not populated for all of your users, use user.userprincipalname instead.

Microsoft Entra Manage claim with Email address format and user.mail source attribute

Download the signing certificate

In SAML Certificates, next to Certificate (Base64), click Download. Open the downloaded file in a text editor.

Microsoft Entra SAML Certificates with Certificate Base64 download

Assign users or groups

Open the app’s Users and groups, then assign the users or groups that should be able to sign in to ElevenLabs.

Microsoft Entra Add Assignment users list

Add the Entra certificate to ElevenLabs

In ElevenLabs, click Add Certificate. Paste the full PEM certificate from the Base64 file, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, then click Add.

Copy Entra identity provider values into ElevenLabs

In the Microsoft Entra Set up section, copy the identity provider values into ElevenLabs:

Use the Microsoft Entra Identifier for Identity Provider Entity Id.
Use the Login URL for Identity Provider Sign-In URL.

Microsoft Entra set up values showing Login URL and Microsoft Entra Identifier

Add your allowed email domain

In ElevenLabs, click Add Domain and select the verified domain that matches the email domain of your Microsoft Entra users.

ElevenLabs Add allowed email domains dialog

Save the SSO provider

Review the configuration, select I acknowledge this change will log out users currently using SSO, then click Update SSO.

Field mappings

Use this table to map Microsoft Entra SAML settings to ElevenLabs SSO fields.

Microsoft Entra field or location	ElevenLabs field	Value to use
Sign-in method	SSO Provider	`SAML`
Identifier (Entity ID)	Service Provider Entity Id	Use the ElevenLabs value, for example `https://elevenlabs.io`
Reply URL (Assertion Consumer Service URL)	Redirect URL	Use the ElevenLabs value, for example `https://elevenlabs.io/__/auth/handler`
Microsoft Entra Identifier	Identity Provider Entity Id	Entra issuer, for example `https://sts.windows.net/{tenant-id}/`
Login URL	Identity Provider Sign-In URL	Entra SAML sign-in URL, for example `https://login.microsoftonline.com/{tenant-id}/saml2`
Certificate (Base64)	Certificate	Entra token signing certificate in valid PEM format
Name ID format	No manual config required	Set to Email address
Name ID source attribute	No manual config required	Field containing the user’s email, usually `user.mail` (or `user.userprincipalname`)
User or app email domain in Microsoft Entra	Domain	Must match a verified ElevenLabs domain, for example `company.com`

Troubleshooting

Microsoft Entra shows a successful sign-in, but ElevenLabs says unable to sign in

Check the browser Network response for accounts:signInWithIdp. Microsoft Entra sign-in logs only confirm that Entra authenticated the user. ElevenLabs can still reject the SAML response if the assertion values do not match the SSO configuration.

INVALID_IDP_RESPONSE: Error when parsing certificate

The browser Network response may show INVALID_IDP_RESPONSE: Error when parsing certificate. Remove the certificate from ElevenLabs, then re-add the Entra Certificate (Base64) in valid PEM format. Do not use an LLM to format the certificate. Open the Base64 certificate in a text editor and copy it exactly, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Unable to login with saml.workspace... or user mismatch errors

Make sure Microsoft Entra sends the user’s email address as the NameID. In Attributes & Claims, set the Unique User Identifier (Name ID) claim Name identifier format to Email address and Source attribute to the field that contains the email address for all users (usually user.mail, or user.userprincipalname if user.mail is not populated). Inside the <saml:Subject> field of the SAML response, <saml:NameID> must be the user’s email address.

Which Microsoft Entra values should I use?

Use the Microsoft Entra Identifier for Identity Provider Entity Id, the Login URL for Identity Provider Sign-In URL, and the Certificate (Base64) for Certificate.