Enterprise SSO

Migrayt supports enterprise Single Sign-On via Microsoft Azure AD (OIDC) and SAML 2.0. When SSO is enabled, your organisation's users log in to Migrayt using their existing corporate credentials — no separate password required.

Microsoft Azure AD (Recommended)

Azure AD SSO works for any organisation using Microsoft 365. It requires no IT setup — users click "Sign in with Microsoft" and authenticate with their corporate email and MFA.

How it works

  1. User clicks Continue with Microsoft on the Migrayt login page
  2. Browser redirects to login.microsoftonline.com for authentication
  3. After successful authentication, the user's Azure AD claims (email, name, tenant) are used to find or create their Migrayt account
  4. The user is logged in to Migrayt
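Step 3 above is where a relying party decides whether to trust the incoming identity. The following is an added example, not Migrayt's own code, of the claim checks a relying party performs on an Azure AD v2.0 ID token before using its email, name and tenant to look up an account. It assumes the JWT signature has already been verified against the tenant's JWKS by a JOSE library; the client_id is the one shown on this page, while the tenant allow-list and the sample claims are constructed values.

```python
import time

# Application (client) id from this page's admin-consent URL.
MIGRAYT_CLIENT_ID = "77ad40d2-4016-4347-933d-d4a3975f9e55"
# Hypothetical allow-list of tenant ids this relying party accepts (assumption).
ALLOWED_TENANTS = {"11111111-2222-3333-4444-555555555555"}

# Constructed sample of the decoded claims of an Azure AD v2.0 ID token.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "aud": MIGRAYT_CLIENT_ID,
    "tid": "11111111-2222-3333-4444-555555555555",
    "oid": "9f2a0c3e-0000-4000-8000-000000000001",
    "sub": "pairwise-subject-for-this-app",
    "email": "Alice@Example.com",
    "name": "Alice Example",
    "nbf": 1_699_999_900,
    "iat": 1_699_999_900,
    "exp": 1_700_003_600,
}


class ClaimsError(ValueError):
    """Raised when an ID token's claims fail a relying-party check."""


def validate_id_token_claims(claims, *, client_id=MIGRAYT_CLIENT_ID,
                             allowed_tenants=ALLOWED_TENANTS, now=None):
    """Check the claims of a signature-verified Azure AD v2.0 ID token.

    Returns the identity fields used at step 3 (email, name, tenant, subject)
    or raises ClaimsError. Signature verification is assumed to have happened
    before this function is called; it is not repeated here.
    """
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if not tid:
        raise ClaimsError("missing tid claim")
    # A multi-tenant app signs users in through the 'common' endpoint, but
    # every issued token names one tenant; restrict to the tenants you expect.
    if tid not in allowed_tenants:
        raise ClaimsError(f"tenant {tid} is not allowed")
    # The issuer is tenant-specific and must agree with the tid claim.
    expected_iss = f"https://login.microsoftonline.com/{tid}/v2.0"
    if claims.get("iss") != expected_iss:
        raise ClaimsError(f"unexpected issuer {claims.get('iss')!r}")
    # The token must have been issued to this application, not another one.
    if claims.get("aud") != client_id:
        raise ClaimsError("token was not issued to this application")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ClaimsError("token expired")
    if now < claims.get("nbf", 0):
        raise ClaimsError("token not yet valid")
    # The 'email' scope on this page is what supplies this claim.
    email = claims.get("email", "")
    if "@" not in email:
        raise ClaimsError("no usable email claim")
    return {
        "email": email.strip().lower(),
        "name": claims.get("name", ""),
        "tenant": tid,
        # 'oid' is the stable directory object id; 'sub' is pairwise per app.
        "subject": claims.get("oid") or claims.get("sub"),
    }


def claims_are_valid(claims, **kwargs):
    """Boolean convenience wrapper around validate_id_token_claims."""
    try:
        validate_id_token_claims(claims, **kwargs)
        return True
    except ClaimsError:
        return False


if __name__ == "__main__":
    print(validate_id_token_claims(SAMPLE_CLAIMS, now=1_700_000_000))
```

The tenant check is the one most often forgotten in multi-tenant apps: a token from any Azure AD tenant carries a valid Microsoft signature, so the signature alone does not establish that the user belongs to an organisation you have onboarded.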

Admin consent

For organisations where IT restricts third-party app consent, an admin needs to pre-approve Migrayt once. Share this URL with your IT administrator:

https://login.microsoftonline.com/common/adminconsent?client_id=77ad40d2-4016-4347-933d-d4a3975f9e55

After admin consent is granted, all users in the tenant can sign in without an approval prompt.

What Microsoft permissions Migrayt requests

Permission   Reason
openid       Authenticate the user
email        Identify the user's email address
profile      Get the user's display name

Migrayt does not request access to emails, calendar, files, or any Microsoft 365 data. These permissions are only for login identification.

SAML 2.0

SAML is available for enterprise customers who require centralised IdP management (Okta, Ping Identity, Azure AD with SAML, ADFS, or any SAML 2.0 compliant IdP).

With SAML, your IT team configures Migrayt as a Service Provider in your IdP. Users are provisioned and deprovisioned centrally — when an employee leaves, revoking their IdP access automatically revokes Migrayt access.

Setup process

  1. Contact support@migrayt.ai to request SAML enablement for your organisation
  2. Provide your IdP's metadata XML URL or XML document
  3. Migrayt support configures Cognito to trust your IdP
  4. Your IT admin adds Migrayt as a Service Provider using the SP metadata:
    SP Entity ID:  https://migrayt-auth.auth.eu-west-1.amazoncognito.com/saml2/idpresponse
    ACS URL:       https://migrayt-auth.auth.eu-west-1.amazoncognito.com/saml2/idpresponse
  5. Test with a single user account before rolling out to the organisation

Required SAML attributes

SAML Attribute                                                          Description
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress      User's email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name              User's display name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier    Unique user ID
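Before the single-user test in step 5, it helps to confirm that the assertion your IdP actually emits carries all three attributes with non-empty values. The script below is an added example, not part of Migrayt's or Cognito's code: it parses a SAML response (here a constructed, unsigned sample; a real one captured from a browser SAML tracer would be signed) and reports which of the required attribute names are present or missing.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# The three attribute names from the table above, mapped to the field each fills.
REQUIRED_ATTRIBUTES = {
    CLAIMS + "emailaddress": "email",
    CLAIMS + "name": "name",
    CLAIMS + "nameidentifier": "user_id",
}

# Constructed sample response; a production assertion also carries a Signature,
# Conditions (audience, validity window) and a SubjectConfirmation.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier">
        <saml:AttributeValue>S-1-5-21-1234567890-1001</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_attributes(xml_text):
    """Return {attribute name: [values]} from every AttributeStatement.

    xml.etree does not fetch external entities, but for XML that arrives
    from outside your control prefer defusedxml, which also rejects
    entity-expansion attacks; the signature must be verified before any
    value here is trusted.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_required_attributes(xml_text):
    """Return (mapped fields, list of missing attribute names).

    An attribute counts as missing when absent or when its first value is blank.
    """
    attrs = extract_attributes(xml_text)
    missing = [name for name in REQUIRED_ATTRIBUTES
               if not attrs.get(name) or not attrs[name][0].strip()]
    mapped = {field: attrs[name][0].strip()
              for name, field in REQUIRED_ATTRIBUTES.items() if name not in missing}
    return mapped, missing


if __name__ == "__main__":
    fields, gaps = check_required_attributes(SAMPLE_RESPONSE)
    print("mapped:", fields)
    print("missing:", gaps or "none")
```

Azure AD emits these `schemas.xmlsoap.org` claim names by default for a new enterprise application, but custom claim rules or a renamed claim (for example `displayname` instead of `name`) will show up here as a missing entry before anyone is locked out at login.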

Azure AD SAML configuration

In Azure portal → Enterprise Applications → Add application → Create your own:

  1. Set Identifier (Entity ID) to the SP Entity ID above
  2. Set Reply URL (ACS URL) to the ACS URL above
  3. Under Attributes & Claims, ensure the three required attributes are mapped
  4. Download the Federation Metadata XML and send it to support@migrayt.ai

Account Provisioning

Scenario                                           Behaviour
First SSO login (new user)                         Migrayt account created automatically; role set to member
First SSO login (email matches existing account)   Existing account linked to the SSO identity
User deprovisioned in IdP                          Next login attempt fails; existing Migrayt data preserved
User's email changes in IdP                        Old and new emails treated as separate accounts; contact support to merge
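The table describes email-keyed just-in-time provisioning. The following added example (illustrative, not Migrayt's implementation) models that behaviour in a small in-memory directory so the consequences are visible: a new email creates a member account, a matching email links the SSO identity to the existing account and keeps its role, and a changed email lands in a fresh account rather than the old one. Account, provider and subject names are constructed. Because linking is by email, the email claim must only ever be accepted from the organisation's own trusted IdP or tenant.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    role: str = "member"
    # Linked SSO identities as "provider:subject" keys.
    sso_identities: set = field(default_factory=set)


class AccountDirectory:
    """Hypothetical in-memory account store keyed by lower-cased email."""

    def __init__(self):
        self.by_email = {}

    def add_local_account(self, email, role="member"):
        """Create an email/password account (no SSO identity linked yet)."""
        acct = Account(email=email.strip().lower(), role=role)
        self.by_email[acct.email] = acct
        return acct

    def resolve_sso_login(self, provider, subject, email):
        """Find-or-create for an SSO login; returns (outcome, account).

        outcome is one of "created", "linked" or "existing".
        """
        email = email.strip().lower()
        key = f"{provider}:{subject}"
        acct = self.by_email.get(email)
        if acct is None:
            # First SSO login for an unknown email: new account, role member.
            acct = Account(email=email, role="member", sso_identities={key})
            self.by_email[email] = acct
            return "created", acct
        if key in acct.sso_identities:
            # Repeat login through an identity already linked to this account.
            return "existing", acct
        # Email matches an existing account: link it, keep its current role.
        acct.sso_identities.add(key)
        return "linked", acct


if __name__ == "__main__":
    d = AccountDirectory()
    d.add_local_account("bob@example.com", role="admin")
    print(d.resolve_sso_login("azuread", "oid-alice", "Alice@Example.com"))
    print(d.resolve_sso_login("azuread", "oid-bob", "bob@example.com"))
    # Same IdP subject, new email after a rename: a separate account results.
    print(d.resolve_sso_login("azuread", "oid-alice", "alice.renamed@example.com"))
```

The rename case is the one to watch operationally: the old account and its data remain, the new one starts as a plain member, and the two are reconciled only by the support-assisted merge the table mentions.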

Mixed Authentication

Organisations can use both SSO and email/password authentication simultaneously. Some users may log in via Microsoft while others use email/password. Access controls are applied based on role, not authentication method.