Getting started

Integration & migration

Image & video API

DAM user guide

API overview

Account

Azure Active Directory SSO Setup

Learn how to set up Single Sign-On (SSO) for ImageKit using Azure Active Directory as the Identity Provider (IdP).


There are two main steps required to set up SSO using Azure on ImageKit:

  1. Create an Azure AD application
  2. Enable SSO login on ImageKit

Azure subscription
Although you may use a free account on Azure to set up and test the SSO application, having a premium Azure subscription is recommended for seamless role provisioning for your users. Read more here.

If you want to configure multiple unique instances of ImageKit SSO apps within a single instance of Azure Active Directory, click here.

Create an Azure AD application

First, you need to create an application on Azure Active Directory and generate a Federation Metadata XML file.

You may refer to the official documentation by Microsoft here or follow our brief guide below:

  1. Log in to Microsoft Azure portal and open Azure Active Directory
  2. Navigate to the "Enterprise applications" screen using the side navigation menu
  3. Click the "New application" button, then click on "Create your own application"
  4. In the form that opens up, choose the "Non-gallery application" radio button as shown below.
  5. Input a name for the application, we will use "ImageKit" for this guide.

Click "Create" and wait until you are redirected to the application page.

Configure single sign-on options

On the application page, navigate to the 'Single sign-on' screen. Select "SAML" as the single sign-on method.

Basic SAML configuration

On the next screen, we will configure various authentication URLs as shown:

FieldValue
Identifierhttps://imagekit.io/saml/consume
Reply URLhttps://imagekit.io/saml/consume
Relay Statehttps://imagekit.io/dashboard
Logout Urlhttps://imagekit.io/logout

Attributes and claims

Now you need to specify four keys that ImageKit uses to authorize and provision your users:

Field Description Claim composition
Unique User IdentifierThe unique email address of the user that will be used to identify them on ImageKit.user.mail
imagekit_idThe ImageKit ID of your organization account.<your_imagekit_id>
full_nameThe full name of the user. It can be a combination of their given name and surname on Azure AD.Join (user.givenname, " ", user.surname)

imagekit_role

The role to assign to the user on ImageKit which would decide their access privileges.

Accepted values of this key in the SAML response sent to ImageKit are:

  • account_administrator
  • developer
  • media_library_full_access
  • media_library_view_only_access
  • media_library_restricted_access
  • finance

Read more about different ImageKit roles and their privileges here.

user.<your_custom_attribute> OR a custom transformation, as per your Azure user schema.

The final computed value of this claim must be one of the accepted role strings from the list specified alongside.

For the purpose of this guide, we will map "imagekit_role" to user.department Azure key. Ensure that this field is populated correctly in your Azure user object while testing the app.

Save the list of attributes and claims to finish this step.

Federation Metadata XML

Download the Federation Metadata XML file and keep it in a safe location. You will need to upload this XML file to your ImageKit account in a later step.

Assign users to the SSO application on Azure

Refer to the official Microsoft guide to assign users to the ImageKit application.

Enable SSO login on ImageKit

If you have administrator privileges on your ImageKit account, you can enable SSO for all the users in your account as follows:

  1. Navigate to the Settings page.
  2. Open the Federation Metadata XML file (which was downloaded previously) in a text editor of your choice.
  3. Copy and paste the entire contents of the file into the Metadata XML input box.
  4. Click on the 'Save' button.

Your users should now be able to use Microsoft Azure SSO to log into ImageKit. You can verify this by clicking the 'Test' button on the 'Single sign-on' set up screen on Azure.

First-time login

SSO users would need to initiate their very first login on ImageKit through the Azure app by navigating to their My Apps page.

After their first login, they may use the ImageKit SSO login page for signing in to ImageKit directly. Read more here.

Disable SSO login on ImageKit

You can disable SSO login for the users on your ImageKit account by deleting the Metadata XML.

To do so, navigate to the Settings page and click on the 'Delete' button.

Creating multiple unique instances of ImageKit SSO application within Azure

Azure Active Directory requires the Identifier or EntityID to be unique across the organization's applications.

However, you may want to create multiple unique instances of SSO application for use with ImageKit within a single Azure Active Directory instance – for example, if you have an agency account that manages SSO for multiple child accounts within your own company organization.

To do this, you can attach a hash suffix with the unique imagekit_id to the Identifier (EntityID) and Reply URL of each such child account.

The SAML configuration of each such app then becomes similar to the following, where child_imagekit_id is the unique imagekit_id of that child account:

FieldValue
Identifierhttps://imagekit.io/saml/consume#child_imagekit_id
Reply URLhttps://imagekit.io/saml/consume#child_imagekit_id
Relay Statehttps://imagekit.io/dashboard
Logout Urlhttps://imagekit.io/logout

To ensure that the login flow initiated from ImageKit works smoothly, save the new unique Identifier URL in the Entity ID field on the ImageKit dashboard SSO settings page of the child account.

If the Entity ID field value is removed, then the account will revert to following the default value of Identifier and Reply URL when SSO login is initiated from ImageKit, i.e. https://imagekit.io/saml/consume.