docs: add azure entra saml (#7566)

docs/docs/apis/actions/code-examples.mdx

@@ -178,7 +178,7 @@ If you want to ensure that the data of a user are always update you can automati
 - External Authentication
   - [Post Authentication](./external-authentication#post-authentication)
 
-### Fields provided by Okta
+### Fields provided by Okta as OIDC IdP
 
 If you use [Okta as an identity provider](/guides/integrate/identity-providers/okta-oidc) you can improve the onboarding experience of new users by prefilling some basic information during authentication.
 
@@ -230,6 +230,32 @@ https://github.com/zitadel/actions/blob/main/examples/set_idp_picture_metadata.j
 
 </details>
 
+### Attributes provided by Okta as SAML IDP
+
+If you use [Okta as an identity provider](/guides/integrate/identity-providers/okta-saml#add-attribute-statements) you can improve the onboarding experience of new users by prefilling some basic information during authentication.
+
+<details open="">
+<summary>Code example</summary>
+
+```js reference
+https://github.com/zitadel/actions/blob/main/examples/okta_saml_prefil_register_form.js
+```
+
+</details>
+
+### Attributes provided by Microsoft Entra as SAML IDP
+
+If you use [Microsoft Entra as SAML identity provider](/guides/integrate/identity-providers/azure-ad-saml) you can improve the onboarding experience of new users by prefilling some basic information during authentication.
+
+<details open="">
+<summary>Code example</summary>
+
+```js reference
+https://github.com/zitadel/actions/blob/main/examples/entra_id_saml_prefil_register_form.js
+```
+
+</details>
+
 ### Attributes provided by a generic SAML identity provider
 
 If you use a [SAML identity provider like mocksaml](/guides/integrate/identity-providers/mocksaml) you can improve the onboarding experience of new users by prefilling some basic information during authentication.

docs/docs/guides/integrate/identity-providers/_idps_overview.mdx

@@ -5,4 +5,4 @@ Also, you see all provider templates that are available.
 
 ![Identity Provider Overview](/img/guides/zitadel_identity_provider_overview.png)
 
-<p>Select the {props.templates} Provider template.</p>
+<p>Select the <b>{props.templates}</b> Provider template.</p>

docs/docs/guides/integrate/identity-providers/azure-ad-saml.mdx

@@ -0,0 +1,116 @@
+---
+title: Configure Entra ID as a SAML Service Provider in ZITADEL
+sidebar_label: Entra ID SAML
+---
+
+import GeneralConfigDescription from './_general_config_description.mdx';
+import Intro from './_intro.mdx';
+import CustomLoginPolicy from './_custom_login_policy.mdx';
+import IDPsOverview from './_idps_overview.mdx';
+import Activate from './_activate.mdx';
+import PrefillAction from './_prefill_action.mdx';
+
+<Intro provider="Entra ID (former Azure Active Directory)"/>
+
+## Entra ID SAML Configuration
+
+You need to have access to an Entra ID Tenant. If you do not yet have one follow [this guide from Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) to create one for free.
+
+### Register a new enterprise application in Entra
+
+We start setting up the enterprise application.
+
+1. Browse to the [Enterprise App registration menu](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AppGalleryBladeV2).
+2. Search for "SAML Toolkit" and click on the "Microsoft Entra SAML Toolkit" card.
+3. Change the name if wanted and click "Create"
+
+![Azure SAML App Creation](/img/guides/azure_saml_app_create.png)
+
+### Disable required assignment
+
+To allow all users to sign in using ZITADEL we need to manually disable required assignment:
+
+1. Go to Manage > Properties
+2. Set "Assignment required?" to No
+3. Hit Save
+
+![Disable assignment required check](/img/guides/azure_disable_assignment_required.png)
+
+### Setup SAML
+
+Configure the sign-on method of the app.
+
+1. Go to Manage > Single sign-on
+2. Select SAML
+3. You will be redirected to the Single Sign-On details page
+4. Copy the URL of SAML Certificates > App Federation Metadata Url to your clipboard
+
+![Azure Entra overview](/img/guides/azure_saml_overview.png)
+
+## ZITADEL Configuration
+
+### Add custom login policy
+
+<CustomLoginPolicy/>
+
+### Go to the IdP Providers Overview
+
+<IDPsOverview templates="SAML SP"/>
+
+### Create a new SAML SP
+
+Now we configure the identity provider on ZITADEL.
+
+1. Set a name like "Microsoft Entra"
+2. Paste the previously copied URL into the "Metadata URL"-field. The metadata will automatically be fetched from the provided URL after creation.
+3. Select the "SAML_POST_BINDING" as binding
+4. Ensure that the "Signed Request"-box is ticked
+5. Change the options if needed. Microsoft Entra works out of the box using the pre configured options.
+6. Click Create
+
+<GeneralConfigDescription provider_account="Microsoft account" />
+
+![Azure SAML App Creation](/img/guides/zitadel_azure_saml_provider.png)
+
+### Activate IdP
+
+<Activate/>
+
+![Activate Azure SAML Provider](/img/guides/zitadel_activate_azure_saml.png)
+
+## Configure Basic SAML Configuration
+
+Now we set the links in Microsoft Entra
+
+1. Go to Microsoft Entra > Manage > Single sign-on
+2. Edit the "Basic SAML Configuration"
+3. Enter the following URL in "Identifier (Entity ID)": `<YOUR-ZITADEL-DOMAIN>/idps/<IDP-ID>/saml/metadata`
+4. Enter the following URL in "Reply URL (Assertion Consumer Service URL)": `<YOUR-ZITADEL-DOMAIN>/ui/login/login/externalidp/saml/acs`
+5. Enter the following URL in "Sign on URL": `<YOUR-ZITADEL-DOMAIN>/ui/login/login/externalidp/saml/acs`
+6. Hit Save
+
+![Azure Entra configuration overview](/img/guides/azure_saml_overview2.png)
+
+## Test the setup
+
+<p>
+To test the setup, use incognito mode and browse to your login page.
+You see a new button which redirects you to Microsoft Entra screen.
+</p>
+
+By default, ZITADEL shows what you define in the default settings.
+If you overwrite the default settings for an organization, you need to send the organization scope in your auth request.
+
+![Azure Entra Button](/img/guides/zitadel_login_azure_saml.png)
+
+Click **Microsoft Entra**
+
+![Entra ID Login](/img/guides/microsoft_login.png)
+
+### Add Action to map user attributes
+
+<PrefillAction fields="username, firstname, lastname, displayname, email and email verified" provider="Entra"/>
+
+```js reference
+https://github.com/zitadel/actions/blob/main/examples/entra_id_saml_prefil_register_form.js
+```

docs/docs/guides/integrate/identity-providers/migrate.mdx

@@ -22,7 +22,7 @@ The available configuration is described in [Google Configuration](./google).
 
 ### Entra ID Configuration
 
-The available configuration is described in [Entra ID Configuration](./azure-ad).
+The available configuration is described in [Entra ID Configuration](./azure-ad-oidc).
 
 ## Migrate with Terraform
 

docs/docs/guides/integrate/login/login-users.mdx

@@ -134,7 +134,7 @@ With the hosted login page from ZITADEL developers will get the best support for
 ZITADEL acts as an [identity broker](/docs/concepts/features/identity-brokering) between your applications and different external identity providers, reducing the implementation effort for developers.
 External Identity providers can be configured for the whole instance or for each organization that represents a group of users such as a B2B customer or organizational unit.
 
-ZITADEL offers various [identity provider templates](/docs/guides/integrate/identity-providers) to integrate providers such as [Okta](/docs/guides/integrate/identity-providers/okta-oidc), [Entra ID](/docs/guides/integrate/identity-providers/azure-ad) or on-premise [LDAP](/docs/guides/integrate/identity-providers/ldap).
+ZITADEL offers various [identity provider templates](/docs/guides/integrate/identity-providers) to integrate providers such as [Okta](/docs/guides/integrate/identity-providers/okta-oidc), [Entra ID](/docs/guides/integrate/identity-providers/azure-ad-oidc) or on-premise [LDAP](/docs/guides/integrate/identity-providers/ldap).
 
 ### Multi-tenancy authentication
 
@@ -146,7 +146,7 @@ Key features include:
 2. **Custom Authentication Configurations**: Allows tailored [authentication settings](/docs/guides/manage/console/default-settings#login-behavior-and-access), [branding](/docs/guides/manage/customize/branding), and policies for each tenant.
 3. **Centralized Management**: Provides [centralized administration](/docs/guides/manage/console/managers) for efficient management across all tenants.
 4. **Scalability and Flexibility**: Scales seamlessly to accommodate growing organizations of all sizes.
-5. **Domain Discovery**: Starting on a central login page, route users to their tenant based on their email address or other user attributes. Authentication settings will be applied automatically based on the organization's policies, this includes routing users seamlessly to third party identity providers like [Entra ID](/docs/guides/integrate/identity-providers/azure-ad).
+5. **Domain Discovery**: Starting on a central login page, route users to their tenant based on their email address or other user attributes. Authentication settings will be applied automatically based on the organization's policies, this includes routing users seamlessly to third party identity providers like [Entra ID](/docs/guides/integrate/identity-providers/azure-ad-oidc).
 
 ### Customization options
 

docs/docs/guides/solution-scenarios/domain-discovery.mdx

@@ -15,7 +15,7 @@ In the example there is a service provider with a ZITADEL instance running on a
 By default all users login on the organization **CIAM** with their preferred social login provider.
 
 Users of the two business customers **Alpha** and **Beta** should login according to their organization login and access policy settings.
-In case of Alpha users will login via an external identity provider (eg, [Entra ID](/docs/guides/integrate/identity-providers/azure-ad)).
+In case of Alpha users will login via an external identity provider (eg, [Entra ID](/docs/guides/integrate/identity-providers/azure-ad-oidc)).
 Beta users must only login with username/password and MFA instead.
 
 For this scenario you need to route the user `alice@alpha.com` to the **Alpha Organization** and `bob@beta.com` to the **Beta Organization** respectively.

docs/sidebars.js

@@ -342,7 +342,8 @@ module.exports = {
           collapsed: true,
           items: [
             "guides/integrate/identity-providers/google",
-            "guides/integrate/identity-providers/azure-ad",
+            "guides/integrate/identity-providers/azure-ad-oidc",
+            "guides/integrate/identity-providers/azure-ad-saml",
             "guides/integrate/identity-providers/github",
             "guides/integrate/identity-providers/gitlab",
             "guides/integrate/identity-providers/apple",