Prerequisites
- Admin access to your RansomLeak tenant
- The Application Administrator role in Entra ID
- Entra email matches each user's RansomLeak email
Your tenant is reachable at https://<your-subdomain>.ransomleak.com. Replace
<your-subdomain> with your own subdomain throughout this guide.
Supported features
- SP-initiated SSO
- IdP-initiated SSO
- Just-In-Time user matching
- Single Logout (SLO)
- Force authentication
- SHA-256 signed assertions
RansomLeak requires SHA-256 signed assertions, which is the Entra ID default. Entra signs the assertion rather than the response envelope; RansomLeak accepts both.
Before you enable SAML
Once SAML is enabled for your tenant, your users authenticate through Microsoft Entra ID. If you need to turn SAML off temporarily, contact RansomLeak support and we will disable it for your tenant.
Configuration steps
RansomLeak provisions SAML per tenant. You create the RansomLeak enterprise application in Entra ID, then send us your Entra IdP details so we can configure the Service Provider side for your tenant.
- In the Microsoft Entra admin center, go to Enterprise applications → New application → Create your own application. Name it RansomLeak, choose Integrate any other application you don't find in the gallery (Non-gallery), then select Create.
- Open Single sign-on → SAML. Under Basic SAML Configuration, set:

| Field | Value |
|---|---|
| Identifier (Entity ID) | https://<subdomain>.ransomleak.com |
| Reply URL (ACS) | https://<subdomain>.ransomleak.com/api/auth/saml/callback |
| Sign on URL | https://<subdomain>.ransomleak.com/app/login |

- Under Attributes & Claims, set the unique user identifier (Name ID) to user.mail in Email address format, and add the three claims in the table below.
- In SAML Certificates, download Certificate (Base64). From the Set up RansomLeak section, copy the Login URL and the Microsoft Entra Identifier.
- Send those three values to support@ransomleak.com and ask us to enable SAML SSO for your tenant. We configure the SP side and confirm when it is live. For reference, your tenant's SP endpoints are:

| Endpoint | Value |
|---|---|
| ACS URL | https://<subdomain>.ransomleak.com/api/auth/saml/callback |
| Entity ID | https://<subdomain>.ransomleak.com |
| Metadata | https://<subdomain>.ransomleak.com/api/auth/saml/metadata |

- Under Users and groups, assign your test users or groups to the application.
Attribute mapping
The Name ID must be the user's email address (Email address format). RansomLeak reads three claims from the assertion. Add each one with the exact claim name shown, with no namespace prefix.
| Claim name | Entra source |
|---|---|
| email | user.mail |
| firstName | user.givenname |
| lastName | user.surname |
Match the Name ID to the user's email. RansomLeak links accounts by email,
so the Name ID must resolve to user.mail. If your users' email differs from
their userPrincipalName, keep user.mail as the Name ID source so
sign-in matches the same account that provisioning creates.
Role mapping (optional). RansomLeak can map a SAML claim to a tenant role. To drive roles from Entra ID, add a role or group claim and tell us which claim to map.
SP-initiated sign-in
- Go to your RansomLeak sign-in page at https://<subdomain>.ransomleak.com/app/login and choose Sign in with SSO. You are redirected to Microsoft.
- After you authenticate with Entra ID, you land back on the RansomLeak dashboard.
Troubleshooting
| Symptom | Fix |
|---|---|
| "AADSTS50011" reply URL mismatch | The Reply URL in Entra must be https://<subdomain>.ransomleak.com/api/auth/saml/callback, character for character. |
| Redirect loop or "invalid audience" | Confirm the Identifier (Entity ID) in Entra matches https://<subdomain>.ransomleak.com. |
| "User not found" | The Name ID email must match the user's RansomLeak account email. Confirm the Name ID resolves to user.mail. |
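The Name ID, claim-name and audience rules from the attribute mapping section, together with the SHA-256 signature requirement and the three troubleshooting symptoms above, as one pre-flight check over a constructed assertion. This is an added example, not RansomLeak's own code; the acme subdomain, the account list and the assertion XML are assumptions, and it does not verify the XML signature itself.

```python
# Added example, not RansomLeak's own code: checks an assertion against this guide's rules
# (Name ID in email format and matching a known account, audience == tenant Entity ID,
# exact claim names, SHA-256 signature method). XML signature verification is out of scope.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ENTITY_ID = "https://acme.ransomleak.com"  # placeholder tenant subdomain (constructed)
REQUIRED_CLAIMS = ("email", "firstName", "lastName")

def check_assertion(xml_text, entity_id, known_emails):
    """Return (problems, profile); profile is set only when no problems were found."""
    root = ET.fromstring(xml_text)
    problems = []
    aud = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != entity_id:  # surfaces as "invalid audience" / redirect loop
        problems.append(f"invalid audience: {aud!r} != {entity_id!r}")
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FORMAT:
        problems.append("Name ID is not in Email address format")
    elif nid.text not in known_emails:  # surfaces as "User not found"
        problems.append(f"user not found: {nid.text}")
    # Claim names must match exactly; a namespace-prefixed name is treated as missing.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_CLAIMS:
        if name not in attrs:
            problems.append(f"missing claim {name!r}")
    sig = root.find(".//ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None or sig.get("Algorithm") != RSA_SHA256:
        problems.append("assertion signature method is not RSA-SHA256")
    return problems, None if problems else {k: attrs[k] for k in REQUIRED_CLAIMS}

# Constructed assertion skeleton; the placeholders let you build misconfigured variants.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID Format="{fmt}">{email}</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="{prefix}email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

def sample(alg=RSA_SHA256, fmt=EMAIL_FORMAT, email="ada@example.com", aud=ENTITY_ID, prefix=""):
    return SAMPLE.format(alg=alg, fmt=fmt, email=email, aud=aud, prefix=prefix)
```

Running `check_assertion(sample(), ENTITY_ID, {"ada@example.com"})` returns an empty problem list and the mapped profile; passing a different `aud`, `email`, `fmt`, `alg` or a claim `prefix` to `sample()` reproduces each symptom from the table.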
Need a hand?
Email support@ransomleak.com and we will help you connect Microsoft Entra ID to your tenant.