To set up Single Sign On using Carousel and Entra ID you'll need to have administrator access in both systems and have two browser windows open. Ensure you have access to Entra ID premium and then follow these steps.
Instructions
Log in to Carousel in one browser window and navigate to Settings > Users > Single Sign On
Click the 'New Identity Provider' button.
Log in to Entra ID in the other browser window and add an Enterprise Application.
Choose a Non-Gallery application, give it a name and click 'create'.
Choose Users and Groups and add users to the application. You will still need to create users in Carousel using their email address and provide them with the desired access rights for Carousel.
Next, select Set up Single Sign On and choose SAML as the method.
Use this information from the Carousel window...
...to fill in this information in Entra ID.
ACS Route → Reply URL (Assertion Consumer Service URL)
Entity ID → Identifier (Entity ID)
https://your_carousel_server/Carousel/login → Sign On Url
Download the Base64 encoded Certificate file, open it in a text editor and copy the contents, then use it and the information found in this section...
...to populate the fields in Carousel seen here.
Name of your choosing
Login URL → Sign On Url
Entra ID Identifier → Identity Issuer Id
Text of X.509 Certificate → x509 Certificate
Login with SSO only can be turned on or off, based on your own preferences.
Optional logo file (use a png with transparency)
Selecting the SSO ONLY toggle will configure the system so that only site admins will be able to log in using an email/password.
Finally, log out of Carousel, then test the integration and make sure you can log in with Entra ID. Please note: users' email addresses are not necessarily their AD Principal Name. Using their AD Principal Name may be necessary depending on your setup.
Congratulations! You can now use Entra ID Single Sign On to log into your Carousel server.
Additional Information
We're extracting the username by looking up the principal's http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier claim—this would be your email—and we use that value to match against known Carousel users.
The nameidentifier should match the Carousel user's email. If not, you can set the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name claim to user.email.
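If a test login is rejected, decoding the SAMLResponse that Entra ID posts to the ACS Route shows which identifier was actually sent. The script below is an added troubleshooting example, not Carousel's own code; the sample response, the all-zero tenant ID, the addresses and the case-insensitive comparison are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
# Constructed placeholder issuer (all-zero tenant ID), not a real tenant.
SAMPLE_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
# Constructed, unsigned sample response: the NameID carries a principal name
# that differs from the user's email, which only appears in the "name" claim.
SAMPLE_XML = f"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@corp.example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{NAME_CLAIM}">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def read_identity(saml_response_b64):
    """Decode a POSTed SAMLResponse and pull out issuer, NameID and claims.
    Diagnostic only: the signature is NOT verified here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
              for a in root.iterfind(".//saml:Attribute", NS)}
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "name_id": root.findtext(".//saml:Subject/saml:NameID", namespaces=NS),
            "claims": claims}

def diagnose(saml_response_b64, carousel_emails, identity_issuer_id):
    """Compare what the IdP sent with what is configured in Carousel."""
    ident = read_identity(saml_response_b64)
    known = {e.strip().lower() for e in carousel_emails}  # assumed case-insensitive
    if ident["issuer"] != identity_issuer_id:
        return "issuer-mismatch"  # Identity Issuer Id field does not match
    if (ident["name_id"] or "").strip().lower() in known:
        return "match"
    if (ident["claims"].get(NAME_CLAIM) or "").strip().lower() in known:
        return "nameid-mismatch: name claim holds a known email"
    return "no-match"

if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE, ["jane.doe@example.com"], SAMPLE_ISSUER))
```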