How to Set Up Azure SSO with the LoginSAML Plugin in Matomo
Setting up Azure Single Sign-On (SSO) with the LoginSAML plugin in Matomo allows users to authenticate securely using Microsoft Entra ID (formerly Azure AD).
This guide walks you through configuring Azure as the Identity Provider (IdP) and Matomo as the Service Provider (SP) for seamless SSO access.
1. Log in to the Microsoft Entra admin center.
2. From the left menu, select Applications > Enterprise Applications.
3. Click New application to create a new application.
4. Click Create your own application.
5. Enter a name for your application and select Integrate any other application you don't find in the gallery (Non-gallery).
6. After the application is created, navigate to Manage > Single sign-on.
7. Click SAML as the single sign-on method.
8. To configure SAML, click the Edit button in the Basic SAML Configuration section.
9. The edit option requires two compulsory values: Entity ID and Assertion Consumer Service URL.
   - 9.a Log in to your Matomo instance as a Superuser.
   - 9.b Navigate to Admin > System > SAML.
   - 9.c Click Access to SP metadata.
   - 9.d Copy the Entity ID and Assertion Consumer Service URL values.
   - 9.e Enter these values in the corresponding fields of the Azure Basic SAML Configuration section and click Save.

   Note: If your Matomo installation is accessible under multiple domains or hostnames (e.g., analytics.example.com and stats.example.org), you need to ensure that each domain is registered. To do this, add an Identifier and Reply URL for each domain by selecting Add Identifier and Add Reply URL in your SAML configuration. SAML authentication will only work for domains that have been added.

   How do I know if I have multiple domains? If users can access your Matomo instance using different URLs, or if your organisation has set up multiple subdomains or hostnames for analytics, you likely need to add them. If you're unsure, check with your analytics team, Matomo Cloud support, or review your Matomo server configuration. If a required domain is missing, users may encounter this error when logging in: "Application with identifier is not found in this directory".

   Note: Microsoft Entra ID (formerly Azure AD) does not support the SessionNotOnOrAfter attribute in SAML assertions. Therefore, session lifetimes cannot be controlled via the SAML response and will adhere to Entra ID's default session policies.
10. Close the Basic SAML Configuration section once the values are saved.
11. Click the Download link under Federation Metadata XML in the SAML Certificates section.
12. Navigate back to the Matomo SAML interface at Admin > System > SAML.
13. Click Import Values from IdP Metadata.
14. Paste the contents of the file downloaded in step 11 into the Metadata XML field.
15. Click Import.
16. Navigate back to the Matomo SAML interface at Admin > System > SAML.
17. Update the Field to identify setting to email and click Save if it is not already selected.
18. Update the Attribute Mapping Settings as below and click Save.
19. Update the NameID format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
20. Enable SAML authentication and click Save.
21. Add the appropriate users/groups to your Azure application.
You have successfully configured Azure (Entra) as SSO for Matomo. To test this, log out and attempt to log in using the SAML Login button on the Sign in screen.
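As an added example (not the LoginSAML plugin's or Matomo's own code), the following Python illustrates the SP-side checks that the notes in step 9 and the NameID setting in step 19 imply: the assertion's Audience must be one of the Entity IDs registered in Azure for the Matomo hostnames, the NameID must use the emailAddress format, and, because Entra ID sends no SessionNotOnOrAfter, the session lifetime has to be capped locally. The sample assertion, the entity IDs, the tenant value and the 8-hour cap are constructed placeholders, and XML signature verification is assumed to have already happened upstream.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Entity IDs registered as Identifiers in Azure, one per Matomo hostname (constructed values).
ALLOWED_AUDIENCES = {"https://analytics.example.com/", "https://stats.example.org/"}
# Constructed sample assertion; like a real Entra assertion it carries no SessionNotOnOrAfter.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Version="2.0" ID="_constructed" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://analytics.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T10:00:00Z" SessionIndex="_s1"/>
</saml:Assertion>"""

def parse_ts(value):
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, allowed_audiences=ALLOWED_AUDIENCES,
                    max_session=timedelta(hours=8)):
    """Return (problems, session_expiry); empty problems means the assertion is acceptable.
    Assumes the XML signature was already verified before this function is called."""
    root = ET.fromstring(xml_text)
    problems = []
    # 1. Validity window from <Conditions>; reject if either bound is missing.
    cond = root.find("saml:Conditions", NS)
    not_before, not_after = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (not_before and not_after):
        problems.append("missing Conditions or validity bounds")
    elif not (parse_ts(not_before) <= now < parse_ts(not_after)):
        problems.append("assertion outside NotBefore/NotOnOrAfter window")
    # 2. Audience must be an Entity ID registered in Azure for one of this instance's hostnames.
    if cond is not None:
        audiences = {a.text or "" for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
        if not audiences & allowed_audiences:
            problems.append(f"audience {sorted(audiences)} not registered for this SP")
    # 3. NameID must use the emailAddress format the guide configures in Matomo.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID is not in emailAddress format")
    # 4. Entra omits SessionNotOnOrAfter, so cap the session locally; honour it if an IdP sends it.
    authn = root.find("saml:AuthnStatement", NS)
    expiry = now + max_session
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        expiry = min(expiry, parse_ts(authn.get("SessionNotOnOrAfter")))
    return problems, expiry
```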