Frequently asked questions

Can’t find an answer? Check out the forum
Single Sign-On
  1. FAQ
  2. Single Sign-On

Single Sign-On

This guide will help you configure SAML Single Sign-On (SSO) between your Mixup organization and Microsoft Entra ID, allowing your organization members to authenticate using your Microsoft identity provider.

Overview

The SAML configuration process involves two main phases:

  1. Setting up Microsoft Entra ID - Creating an Enterprise Application in Microsoft Entra ID and configuring it with Mixup's URLs
  2. Setting up Mixup - Entering Microsoft Entra ID's SSO details into Mixup

You'll need to switch between Mixup and Microsoft Entra ID during this process to copy information from one platform to the other.

Step 1: Access Mixup SAML Configuration

  1. Log in to your Mixup account as an organization administrator.
  2. Navigate to your organization settings:
    • Click on your organization name in the sidebar
    • Select Organization Settings
    • Click on SAML SSO in the settings menu

  3. You'll see the SAML configuration page with three important URLs under Service Provider Information:

    • Login URL: This is the URL where SAML authentication is initiated
    • Callback URL (ACS URL): This is where Microsoft Entra ID will send the SAML response after authentication
    • Logout URL (SLS URL): This is the URL where SAML logout requests are sent

    Each URL has a copy button next to it for easy copying.

  4. Keep this page open - you'll need to copy these URLs into Microsoft Entra ID in the next steps.

Screenshot placeholder: Mixup SAML configuration page showing Service Provider Information section with Login URL, Callback URL and Logout URL

  • Login URL: https://mixup.media/saml/your-org-hash/login
  • Callback URL: https://mixup.media/saml/your-org-hash/acs
  • Logout URL: https://mixup.media/saml/your-org-hash/sls

Step 2: Create an Enterprise Application in Microsoft Entra ID

  1. Log in to the Microsoft Entra admin center at https://entra.microsoft.com
  2. Navigate to Microsoft Entra ID
  3. In the left sidebar, click on Enterprise applications

Screenshot placeholder: Microsoft Entra ID dashboard showing the Enterprise applications menu item

  1. Click + New application at the top of the page

  2. On the "Browse Microsoft Entra Gallery" page, click + Create your own application

  3. In the "Create your own application" panel that appears:
    • Name: Enter Mixup (or your preferred name)
    • What are you looking to do with your application?: Select Integrate any other application you don't find in the gallery (Non-gallery)
    • Click Create
  1. Wait a few moments while Microsoft Entra ID creates the application. You'll be redirected to the application's overview page.

Step 3: Configure SAML Settings in Microsoft Entra ID

Now you'll configure Microsoft Entra ID to communicate with Mixup using the URLs you saw in Step 1.

Set up Single Sign-On

  1. On your Mixup application page in Microsoft Entra ID, click on Single sign-on in the left sidebar (under "Manage")
  2. Select SAML as the single sign-on method

Configure Basic SAML Configuration

  1. You'll see the SAML-based Sign-on page. Click Edit on the Basic SAML Configuration section (section 1)

  2. Fill in the following fields:
    • Identifier (Entity ID):
      • Click Add identifier
      • Paste https://mixup.media
    • Reply URL (Assertion Consumer Service URL):
      • Click Add reply URL
      • Paste the Callback URL from Mixup (the one ending in /acs)
      • Example: https://mixup.media/saml/your-org-hash/acs
    • Sign on URL (Optional):
      • Paste the Login URL from Mixup
      • Example: https://mixup.media/saml/your-org-hash/login
    • Logout URL (Optional):
      • Paste: https://mixup.media/saml/your-org-hash/sls (replace your-org-hash with your organization's hash)
      • This enables IdP-initiated logout (when users log out from Microsoft, they'll also be logged out from Mixup)

      • If left blank, only SP-initiated logout will work (logging out from Mixup)

  3. Click Save at the top of the panel, then close the panel by clicking the X

Configure User Attributes & Claims

  1. Scroll down to section 2: Attributes & Claims. Click Edit
  2. You should see a default claim for Unique User Identifier (Name ID). Click on it to edit:
    • Name identifier format: Select Email address
    • Source attribute: Select user.mail
    • Click Save

  3. Ensure the following claims are present (add them if they're missing):

    Claim nameValue
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressuser.mail
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameuser.givenname
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameuser.surname

    To add a claim:

    • Click + Add new claim
    • Enter the claim name (e.g., http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
    • Select Source: Attribute
    • Select Source attribute: (e.g., user.mail)
    • Click Save
  4. Click Save if you made changes, then close the panel

Step 4: Retrieve Configuration Information from Microsoft Entra ID

After configuring the SAML settings, you need to gather information from Microsoft Entra ID to configure in Mixup.

Copy Required Information

On the SAML-based Sign-on page, copy the following information:

From section 4: "Set up Mixup"

  • Login URL (Required) - Example: https://login.microsoftonline.com/your-tenant-id/saml2
  • Azure AD Identifier (Optional) - Example: https://sts.windows.net/your-tenant-id/
  • Logout URL (Optional) - Example: https://login.microsoftonline.com/your-tenant-id/saml2

From section 3: "SAML Certificates"

  • App Federation Metadata Url (Optional) - Example: https://login.microsoftonline.com/your-tenant-id/federationmetadata/2007-06/federationmetadata.xml?appid=your-app-id
  • Certificate (Base64) (Required):
    1. Click Download next to Certificate (Base64)
    2. Open the downloaded .cer file with a text editor
    3. Copy the entire content, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines

Step 5: Configure Mixup with Microsoft Entra ID Details

Now return to Mixup to complete the configuration.

  1. Go back to the Mixup SAML configuration page (from Step 1)
  2. If not already enabled, toggle Enable SAML SSO to ON
  3. Select Microsoft Entra ID as your identity provider from the tabs
  4. Fill in the Identity Provider Configuration fields with the information you copied from Microsoft Entra ID:
    • Single Sign-On URL: Paste the Login URL from Microsoft Entra ID (Required)
    • Single Logout URL: Paste the Logout URL from Microsoft Entra ID (Optional - enables automatic logout from Microsoft when logging out of Mixup)
    • Metadata URL: Paste the App Federation Metadata URL from Microsoft Entra ID (Optional)
    • Entity ID: Paste the Azure AD Identifier from Microsoft Entra ID (Optional)
    • Certificate: Paste the Certificate (Base64) content from Microsoft Entra ID (Required - must include BEGIN/END lines)
  5. Review all entered information to ensure accuracy
  6. Click Save to save your SAML configuration
  7. You should see a success message: "SAML configuration successfully created" or "SAML configuration successfully updated"

Assign Users in Microsoft Entra ID

Before testing, ensure users are assigned to the application:

  1. In the Microsoft Entra admin center, navigate to your Mixup application
  2. Click on Users and groups in the left sidebar (under "Manage")
  3. Click + Add user/group at the top
  4. Click on None Selected under Users
  5. Search for and select the users or groups who should have access to Mixup
  6. Click Select at the bottom
  7. Click Assign to complete the assignment

Security Best Practices

  • Regularly rotate certificates: Microsoft Entra ID certificates expire. Monitor expiration dates and update both Microsoft Entra ID and Mixup before expiry
  • Enable certificate rollover notifications: Configure Microsoft Entra ID to notify you before certificate expiration
  • Monitor access: Regularly review who has access to the Mixup application in Microsoft Entra ID
  • Use Conditional Access: Consider creating Conditional Access policies for additional security (MFA, trusted locations, device compliance)
  • Audit logs: Periodically review Microsoft Entra ID Sign-in logs for any suspicious authentication attempts
  • Least privilege: Only assign Mixup application access to users who need it
  • Enable security defaults: If not using Conditional Access, enable security defaults in Microsoft Entra ID for basic security protections

Additional Resources

This guide explains how to configure OpenID Connect authentication with Microsoft Entra ID for your organization in Mixup.

Overview

Mixup supports OpenID Connect authentication for desktop and mobile applications. This allows your users to authenticate with their Microsoft Entra ID accounts. Both SAML (for web) and OpenID Connect (for native apps) share the same user accounts based on email addresses.

Prerequisites

1. Microsoft Entra ID Application Setup

  1. Go to the Microsoft Entra admin center
  2. Navigate to App registrationsNew registration
  3. Configure your application:
    • Name: Mixup Mobile/Desktop App
    • Supported account types: Choose based on your needs
    • Redirect URI:
      • Type: Web
      • URI: https://mixup.media/api/oauth/your-org-id/callback
      • Note: This URL can be copied from the OpenID Connect tab on the Single Sign-On settings page in Mixup
  4. After registration, note down:
    • Application (client) ID
    • Directory (tenant) ID
  5. Go to Certificates & secretsNew client secret
    • Add description and expiration
    • Copy the secret value immediately (it won't be shown again)
  6. Go to API permissions
    • Add Microsoft Graph permissions:
      • User.Read (Delegated)
      • email (Delegated)
      • profile (Delegated)
    • Grant admin consent if required

2. Configure OpenID Connect in Mixup

Now you'll configure Mixup with the Microsoft Entra ID application details you gathered in Step 1.

Access OpenID Connect Configuration

  1. Log in to your Mixup account as an organization administrator.
  2. Navigate to your organization settings:
    • Click on your organization name in the sidebar
    • Select Organization Settings
    • Click on Single Sign-On in the settings menu

  3. On the Single Sign-On page, you'll see multiple tabs. Click on the OpenID Connect tab.

Configure OpenID Connect Settings

  1. You'll see the OpenID Connect configuration section with the following fields:
    • Client ID (Required):
      • Paste the Application (client) ID from Microsoft Entra ID (from Step 1, point 4)
      • Example: 12345678-1234-1234-1234-123456789012
    • Client Secret (Required):
      • Paste the client secret value you copied from Microsoft Entra ID (from Step 1, point 5)
      • Important: This is the secret value, not the secret ID
      • Example: abc123~XyZ789...
    • Tenant ID (Required):
      • Paste your Directory (tenant) ID from Microsoft Entra ID (from Step 1, point 4)
      • For multi-tenant apps, use common instead of your tenant ID
      • Example: 87654321-4321-4321-4321-210987654321 or common
    • Redirect URI (Read-only):
      • This field displays your organization's callback URL
      • Copy this URL - you'll need it in Microsoft Entra ID configuration
      • Example: https://mixup.media/api/oauth/your-org-id/callback
      • This URL was used in Step 1, point 3 when configuring the Redirect URI in Microsoft Entra ID
  2. Review all entered information to ensure accuracy.
  3. Click Save to save your OpenID Connect configuration.
  4. You should see a success message confirming that your OpenID Connect configuration has been saved.

Important Notes:

  • An organization can have SAML only, OpenID Connect only, or both configured
  • You can use the same Microsoft Entra ID application for both SAML and OpenID Connect authentication
  • The OpenID Connect credentials are encrypted in the database for security
  • Make sure the Redirect URI in Microsoft Entra ID exactly matches the one shown in Mixup

Once configured, users will be able to authenticate through their desktop and mobile Mixup applications using their Microsoft Entra credentials. The authentication process is handled automatically by the Mixup applications.

Account Linking

The OpenID Connect implementation automatically handles account linking:

  1. New user: If no user exists with the email, a new account is created
  2. Existing SAML user: If a user was created via SAML web login, the OpenID Connect flow will link the Microsoft Entra ID to the existing account
  3. Existing OpenID Connect user: If the user already authenticated via OpenID Connect, they are logged in

All authentication methods (SAML web, OpenID Connect desktop/mobile) share the same user accounts based on email addresses.

Security Considerations

  1. Client Secret Protection: Store your OpenID Connect client secret securely. Never commit it to version control or share it publicly.
  2. Token Expiration: Access tokens expire after 1 year. Users will need to re-authenticate when their tokens expire.
  3. HTTPS: All OpenID Connect communication uses HTTPS for security.

Troubleshooting

Common Issues

  1. Authentication Fails
    • Verify the Client ID, Client Secret, and Tenant ID are correct in the Identity Provider configuration
    • Ensure the redirect URI in Microsoft Entra ID matches exactly: https://mixup.media/api/oauth/your-org-id/callback (replace your-org-id with your organization's ID)
    • Check that the Microsoft Entra ID app has the required API permissions: User.Read, email, and profile
    • Verify that admin consent has been granted for these permissions if required by your organization
  2. Users Can't Sign In
    • Ensure the Microsoft Entra ID app is enabled and not expired
    • Verify that users exist in your Microsoft Entra ID tenant
    • Check that the correct account types are configured (single tenant vs. multi-tenant)

Additional Resources