Use SAML authentication with Microsoft Entra

You can use the Security Assertion Markup Language (SAML) protocol to integrate Microsoft Entra's Azure AD SSO as a new identity provider for Unity Version Control Enterprise Edition (also called Plastic On-Premises). This authentication method allows you and your team to use your existing Microsoft credentials to authenticate with Plastic through the console, the graphical user interface, and the web application. You can use the Microsoft Graph API to configure which Plastic users and groups have access through Entra.

After configuration, Unity Version Control uses an internal token system that periodically checks the token against user credentials based on an absolute session expiration date.

Note: SAML authentication with Microsoft Entra is available from Unity Version Control Enterprise version 11.0.16.8622. This version enables SAML authentication by default and ignores the SAMLAuthenticationEnabled feature flag.

For more information, you can refer to SAML authentication (Microsoft) and SAML protocol (Microsoft).

SAML tokens

Note: The SAML protocol is intended for a web environment, so Unity Version Control handles sessions in a slightly different way from the standard SAML workflow.

When you authenticate and generate a token, you can use that token to perform authenticated operations against your on-premises Unity Version Control server. This token is internal and allows you to operate for a set number of days, which is the absolute session duration. You can also set a maximum time period for these tokens in your Plastic server settings.

To renew a token, you need to use the standard SAML process and authenticate against Microsoft Entra through your web browser. The GUI automatically prompts you to renew your token when it expires, and the CLI displays a link in the console that you can open to renew.

If a user isn't active in Azure, or changes their password while in an active Plastic session, the token is automatically revoked.

SAML Authentication workflow

  1. Configure Azure
    1. Create an app registration
    2. Set up endpoints
    3. Create a new secret
    4. Set permissions
  2. Configure your Plastic server through one of the following options:
    1. Web administration setup
    2. CLI setup
  3. Configure your Plastic client through one of the following options:
    1. CLI client setup
    2. Plastic GUI and Gluon setup

Prerequisites

To set up the Unity Version Control SAML integration with Microsoft Entra, you need the following items:

  • An Azure subscription.
  • Access to an Azure app registration to set up the endpoints and authorization parameters.
  • Contact with your Azure administrator, who needs to grant permissions to the Graph API elements you need to query users and groups.

Configure Azure

There are several things you need to configure in your Azure portal in order to set up this integration. You need to create an app registration, set up the endpoints and permissions, and get the authentication details.

Create an app registration

  1. Select App registrations > New registration.
  2. Enter a name for your new app registration.
  3. In the Supported account types section, select Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant).
  4. Select Register.

This gives you the Application (client) ID and the Directory (tenant) ID. To view all of the endpoints that Azure generates for this application, select the Endpoints tab.

Set up endpoints

  1. In your new app registration, select Authentication > Add a platform, and select a Web platform.
  2. In the Redirect URIs field, add the SAML callback endpoint. For example, https://localhost:7179/account/saml-callback.
  3. You can optionally add an extra URL to enable Single Logout functionality, which revokes the authentication token in Plastic when you log out from the Azure Active Directory.
  4. Select Configure.

Create a new secret

  1. In your new app registration, select Certificates and secrets > New client secret.
  2. Enter a name or description for the secret and select the expiration time period.
  3. Select Add to generate the secret’s Value and Secret ID.

Set permissions

Note: The Azure account administrator needs to authorize these permissions, so you may need to contact them.

  1. In your new app registration, select API permissions > Add a permission.
  2. Select Microsoft Graph > Application permissions.
  3. Use the search to add the Group.Read.All and User.Read.All permissions.
  4. Select the Add permissions button.

Configure your Plastic server

You need to configure SAML mode in your Plastic server. You can do this through the Web interface, or through the CLI.

Web administration setup

SAML authentication is enabled by default and the Plastic authentication interface displays the option to choose SAML as your preferred working mode. You can configure your SAML mode in the SAML details section, and select Save. This modifies your server.conf file with your new configuration parameters.

A screenshot of the Plastic Web page that you use to configure SAML authentication.

CLI setup

  1. From the path C:\wkspaces\codice\01plastic\bin\server, enter .\plasticd configure to open the server configuration wizard.
  2. Select a language.
  3. Select your server port numbers.
    • Server TCP listening port [8087]: 8084
    • Server SSL secured port [8088]: 8088
  4. Select the SAMLWorkingMode (SAML) authentication mode.
  5. Enter the following authentication data:
    • SAML Authentication - Sign-in URL (SAML-P sign-on endpoint)
    • SAML Authentication - IdP metadata (federation metadata document)
    • SAML Authentication - Application (client) Id
    • SAML Authentication - Absolute session validity in days [14]
    • Graph API - Application registration tenant Id
    • Graph API - Application registration client Id
    • Graph API - Application registration client secret
  6. Press Enter to skip the License token.

This modifies the configured SAML parameters in your server.conf file.

Configure your Plastic client

You need to configure SAML mode in your Plastic client. You can do this either through the CLI, or through a graphical user interface.

CLI client setup

To configure the client, start the server in SAML mode and then run the client configuration wizard:

  1. Start the server: .\plasticd --console.
  2. Enter cm configure to open the Client configuration wizard.
  3. Select a language.
  4. Enter your server address. This is in the format <ServerName>:.
  5. Paste the provided URL into your browser to open it.
  6. You can optionally configure a proxy server. Press Enter to skip this option.

When you log in with a correctly configured client, the client generates an internal token in the tokens.conf file. This file also contains a session token with the data you configured on the server.

Example tokens

Internal token:

{
    "sub": "d65ccf6c-570c-44b6-bf71-4378b4dc271f",
    "atk": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZXNzaW9uSWQiOiJfZTM2MjgzMjgtMTAzOS00MTVmLWFiYzItYzdjZTNhYzYzMDBiIiwic2Vzc2lvbkV4cGlyYXRpb25EYXRlVXRjVGlja3MiOjYzODQxNzAyNTA2NzEzNjk1MSwidG9rZW5EdXJhdGlvbkluTWludXRlcyI6NjUsImV4cCI6MTcwNjEwNTcwNn0.nETSFU1U1n_YfC5EZUhU-chccWBE-75ehdwctpLVFb4",
    "exp": 1704899706
}

Session data token:

{
    "sessionId": "_e3628328-1039-415f-abc2-c7ce3ac6300b",
    "sessionExpirationDateUtcTicks": 638417025067136900,
    "tokenDurationInMinutes": 65,
    "exp": 1706105706
}
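The following Python is an added example, not code from this page or from Unity, that shows how the two tokens above fit together: the internal token's atk value is a JWT whose header decodes to alg HS256 and whose payload is the session data token, with the absolute session expiration stored as .NET UtcTicks (100-nanosecond intervals since 0001-01-01 UTC). The example mints an equivalent token with a placeholder key (the real signing key stays on the Plastic server, so a client can only inspect claims, never verify or forge them), verifies it, converts the ticks value to Unix time, and classifies a tokens.conf entry as current, due for a browser renewal, or past the absolute session limit. The claim values are copied from the page's examples; the JWT payload carries the ticks value 638417025067136951, where the printed session data token shows it rounded to ...900. All function names and the key are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Placeholder signing key, constructed for this example. The real key stays on the
# Plastic server: a client can inspect claims but cannot verify or mint tokens.
PLACEHOLDER_KEY = b"example-server-signing-key-not-real"

# Claim values taken from the page's example session data token (atk payload).
SESSION_CLAIMS = {
    "sessionId": "_e3628328-1039-415f-abc2-c7ce3ac6300b",
    "sessionExpirationDateUtcTicks": 638417025067136951,
    "tokenDurationInMinutes": 65,
    "exp": 1706105706,
}
INTERNAL_EXP = 1704899706  # "exp" of the page's example internal token

# The page's example atk value, used here only for unverified inspection of its claims.
PAGE_ATK = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzZXNzaW9uSWQiOiJfZTM2MjgzMjgtMTAzOS00MTVmLWFiYzItYzdjZTNhYzYzMDBiIiwic2Vzc2lv"
    "bkV4cGlyYXRpb25EYXRlVXRjVGlja3MiOjYzODQxNzAyNTA2NzEzNjk1MSwidG9rZW5EdXJhdGlvbklu"
    "TWludXRlcyI6NjUsImV4cCI6MTcwNjEwNTcwNn0."
    "nETSFU1U1n_YfC5EZUhU-chccWBE-75ehdwctpLVFb4"
)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 (what the server side would do)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) without checking the signature: inspection only."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> bool:
    header_b64, payload_b64, signature_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False  # refuse 'none' or any other algorithm the server did not issue
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature_b64))


DOTNET_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)


def ticks_to_unix(ticks: int) -> int:
    """.NET ticks are 100 ns intervals since 0001-01-01 UTC; timedelta resolves to 1 us."""
    return int((DOTNET_EPOCH + timedelta(microseconds=ticks // 10)).timestamp())


def session_status(entry: dict, now_unix: int) -> dict:
    """Classify a tokens.conf entry: the outer 'exp' bounds the internal token, the inner
    atk payload carries the absolute session expiration. Either expiry means a browser
    round trip to Entra, as the page describes for renewal."""
    _header, session = decode_unverified(entry["atk"])
    session_exp = ticks_to_unix(session["sessionExpirationDateUtcTicks"])
    return {
        "token_expired": now_unix >= entry["exp"],
        "session_expired": now_unix >= session_exp,
        "session_exp_unix": session_exp,
        "ticks_match_exp_claim": session_exp == session["exp"],
    }


def build_example_entry() -> dict:
    """A constructed tokens.conf-style entry using the page's values and the placeholder key."""
    return {
        "sub": "d65ccf6c-570c-44b6-bf71-4378b4dc271f",
        "atk": mint_hs256(SESSION_CLAIMS, PLACEHOLDER_KEY),
        "exp": INTERNAL_EXP,
    }


if __name__ == "__main__":
    entry = build_example_entry()
    print("signature valid:", verify_hs256(entry["atk"], PLACEHOLDER_KEY))
    print("page atk claims:", decode_unverified(PAGE_ATK)[1])
    print("status now:", session_status(entry, now_unix=1704899705))
```

The ticks conversion reproduces the payload's own exp claim (1706105706) exactly, which is a handy consistency check when reading a tokens.conf entry by hand. Note that verify_hs256 rejects any token whose header does not say HS256, so a token re-labelled with alg none is refused before the signature is even compared.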

Plastic GUI and Gluon setup

If you open the Plastic GUI without a client configured, the GUI displays a window to connect to a new server:

  1. Select Scan network.
  2. Select the server you want and then select Connect.
  3. In the opened browser, sign in to your account.