NinjaCat

This document is technical in nature, and written for people who manage SSO for an organization that is also a Shape customer.

Getting started with Shape SSO is simple. Just follow these steps and send us the right details—we’ll handle the rest.

___________________________________________________________

1. Create the App in Microsoft Entra ID

Go to Enterprise applications → New application → Create your own application.

Choose Integrate any other application you don’t find in the gallery.

- Go to Enterprise applications → New application → Create your own application.
- Choose Integrate any other application you don’t find in the gallery.
- Select SAML for single sign-on.

Reply URL (ACS): <a href="https://shape.io/sso-auth" rel="nofollow noopener noreferrer" target="_blank">https://shape.io/sso-auth</a>

Sign-on URL (optional): <a href="https://shape.io/login" rel="nofollow noopener noreferrer" target="_blank">https://shape.io/login</a>

- Entity ID: shape.io
- Reply URL (ACS): <a href="https://shape.io/sso-auth" rel="nofollow noopener noreferrer" target="_blank">https://shape.io/sso-auth</a>
- Sign-on URL (optional): <a href="https://shape.io/login" rel="nofollow noopener noreferrer" target="_blank">https://shape.io/login</a>

NameID value: map to your users’ email (e.g. user.mail or user.userprincipalname if it matches their Shape email).

- NameID format: EmailAddress
- NameID value: map to your users’ email (e.g. user.mail or user.userprincipalname if it matches their Shape email).

Signing Option: Sign SAML response (response-level signing).

- Signing Option: Sign SAML response (response-level signing).
- Algorithm: SHA-256 (default).

5. Download Certificate &amp; Copy Login URL

Download the Certificate (Base64).

- Download the Certificate (Base64).
- Copy the Login URL (SSO URL).

- Your Login URL
- The Base64 PEM certificate
- A sample user email for testing

Once we have the items from Step 6, we'll coordinate with you to add a test user to our SSO testing agency within Shape. This will allow you to verify for a single user that everything is configured properly and working as expected on both sides. Once testing is complete, SSO will be activated for your organization.

👉  That’s it! With those details, we’ll finalize the setup and ensure your team can sign in to Shape seamlessly with Microsoft.

Most setups work smoothly, but if something isn’t right, here are the most common fixes:

Make sure NameID format is set to EmailAddress.

Map it to user.mail (or user.userprincipalname if that matches the Shape email).

- Make sure NameID format is set to EmailAddress.
- Map it to user.mail (or user.userprincipalname if that matches the Shape email).

🚫 Error: “Invalid Signature”

Ensure Microsoft Entra is set to sign the SAML response (not just the assertion).

Double-check that the current Base64 PEM certificate is the one you shared with Shape.

- Ensure Microsoft Entra is set to sign the SAML response (not just the assertion).
- Double-check that the current Base64 PEM certificate is the one you shared with Shape.

🚫 Error: “Access denied after sign-in”

Confirm the user is assigned to the Shape app in Microsoft Entra.

Verify the user also exists and is active in Shape.

- Confirm the user is assigned to the Shape app in Microsoft Entra.
- Verify the user also exists and is active in Shape.

When Microsoft Entra issues a new certificate, send it to Shape Support before making the switch to avoid downtime.

- When Microsoft Entra issues a new certificate, send it to Shape Support before making the switch to avoid downtime.

👉 If you’re still stuck, contact Shape Support with:

A sample user email used for testing

- Your Login URL
- Your PEM certificate
- A sample user email used for testing

With Shape, you can use Microsoft Entra ID (formerly Azure AD) for secure Single Sign-On (SSO). This guide walks you through the setup so your team can log in with their Microsoft accounts.

Microsoft Entra ID (Azure AD) SSO Setup for Shape

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Microsoft Entra ID (Azure AD) SSO Setup for Shape

1. Create the App in Microsoft Entra ID

2. Configure SAML Basics

3. Set Attributes & Claims

4. SAML Signing Certificate

5. Download Certificate & Copy Login URL

6. Send Details to Shape

7. Test Before Going Live

SSO Troubleshooting Cheat Sheet

🚫 Error: “NameID not set”

🚫 Error: “Invalid Signature”

🚫 Error: “Access denied after sign-in”

🔄 Certificate Rotation