Platform

Set Up SSO with Azure AD


Supabase supports single sign-on (SSO) using Microsoft Azure AD.

Step 1: Add and register an Enterprise application

Open up the Azure Active Directory dashboard for your Azure account.

Click the Add button then Enterprise application.

Azure AD console: Default Directory Overview

Step 2: Choose to create your own application

You'll be using the custom enterprise application setup for Supabase.

Azure AD console: Browse Azure AD Gallery, select: Create your own application

Step 3: Fill in application details

In the modal titled Create your own application, enter a display name for Supabase. This is the name your Azure AD users will see when signing in to Supabase from Azure. Supabase works in most cases.

Make sure to choose the third option: Integrate any other application you don't find in the gallery (Non-gallery).

Azure AD console: Create your own application modal

Step 4: Set up single sign-on

Before you get to assigning users and groups, which would allow accounts in Azure AD to access Supabase, you need to configure the SAML details that allows Supabase to accept sign in requests from Azure AD.

Azure AD console: Supabase custom enterprise application, selected Set up single sign-on

Step 5: Select SAML single sign-on method

Supabase only supports the SAML 2.0 protocol for Single Sign-On, which is an industry standard.

Azure AD console: Supabase application, Single sign-on configuration screen, selected SAML

Step 6: Upload SAML-based sign-on metadata file

First you need to download Supabase's SAML metadata file. Click the button below to initiate a download of the file.

Alternatively, visit this page to initiate a download: https://alt.supabase.io/auth/v1/sso/saml/metadata?download=true

Click on the Upload metadata file option in the toolbar and select the file you just downloaded.

Azure AD console: Supabase application, SAML-based Sign-on screen, selected Upload metadata file button

All of the correct information should automatically populate the Basic SAML Configuration screen as shown.

Azure AD console: Supabase application, SAML-based Sign-on screen, Basic SAML Configuration shown

Make sure you input these additional settings.

SettingValue
Sign on URLhttps://supabase.com/dashboard/sign-in-sso
Relay Statehttps://supabase.com/dashboard

Finally, click the Save button to save the configuration.

Step 7: Obtain metadata URL

Save the link under App Federation Metadata URL in *section 3 SAML Certificates*. You will need to enter this URL later in Step 10.

Azure AD console: Supabase application, SAML Certificates card shown, App Federation Metadata Url highlighted

Step 8: Enable SSO in the Dashboard

  1. Visit the SSO tab under the Organization Settings page. SSO disabled

  2. Toggle Enable Single Sign-On to begin configuration. Once enabled, the configuration form appears. SSO enabled

Step 9: Configure domains

Enter one or more domains associated with your users email addresses (e.g., supabase.com). These domains determine which users are eligible to sign in via SSO.

Domain configuration

If your organization uses more than one email domain - for example, supabase.com for staff and supabase.io for contractors - you can add multiple domains here. All listed domains will be authorized for SSO sign-in.

Domain configuration with multiple domains

Step 10: Configure metadata

Enter the metadata URL you obtained from Step 7 into the Metadata URL field:

Metadata configuration with Azure AD

Step 11: Configure attribute mapping

Fill out the Attribute Mapping section using the Azure preset.

Attribute mapping configuration

Step 12: Join organization on signup (optional)

By default this setting is disabled, users logging in via SSO will not be added to your organization automatically.

Auto-join disabled

Toggle this on if you want SSO-authenticated users to be automatically added to your organization when they log in via SSO.

Auto-join enable

When auto-join is enabled, you can choose the default role for new users:

Auto-join role selection

Choose a role that fits the level of access you want to grant to new members.

Step 13: Save changes and test single sign-on

When you click Save changes, your new SSO configuration is applied immediately. From that moment, any user with an email address matching one of your configured domains who visits your organization's sign-in URL will be routed through the SSO flow.

We recommend asking a few users to test signing in via their Azure AD account. They can do this by entering their email address on the Sign in with SSO page.

If SSO sign-in doesn't work as expected, contact your Supabase support representative for assistance.