Cutover reference · SSO completed June 2026

Scroll Sites SAML Cutover Guide

Target URL documentation.amalga.health

Minute 0-10

Decide the meeting mode before making changes.

The full setup is not realistic from zero in one hour. Use this guide to choose the right path, keep token access intact until SAML is proven, and avoid wasting the meeting on blocked production work.

Cutover

Only if the domain is active, Entra is staged, users are ready, and MFA is Report-only.

Prep

Most likely. Add or verify DNS, stage Entra, capture screenshots, then wait for Active domain.

Blocked

If admin access or rollback ownership is missing, name owners and stop production changes.

Go/No-Go gates

Production cutover is allowed only when every gate is green.

Check the gates above before choosing the meeting mode.

Most likely agenda

If the domain is not active, use the hour for prep.

  1. Confirm access and roles. Name DNS, Scroll Sites, Entra, testing, and recorder owners.
  2. Freeze current DNS. Screenshot Squarespace DNS and security records before adding anything.
  3. Generate Scroll Sites CNAMEs. Start custom-domain setup and copy the domain-validation and certificate-validation records.
  4. Add or verify Squarespace CNAMEs. Use the exact generated values. Do not change nameservers, mail, SPF, DKIM, DMARC, or Atlassian records.
  5. Stage Entra. Create or verify the group, Enterprise Application, test users, and Report-only MFA policy.
  6. Decide next step. If the domain is not Active, schedule the real cutover after validation completes.

Step-by-step prep

Use these steps if the full cutover is not ready.

This is the detailed path to follow in tomorrow's meeting if you are still preparing DNS, Scroll Sites, Entra, or test users.

Important order: before changing anything, confirm access and screenshot the current DNS. The first setup action is Scroll Sites, because Scroll Sites generates the exact CNAME records you then add in Squarespace.

1

Confirm admin access and assign meeting roles

Goal: make sure the right people are in the room before anyone changes production settings.

  • Driver: one person shares screen and performs changes.
  • Scroll Sites admin: can open Confluence → Apps → Scroll Sites → Domains & Security.
  • DNS admin: can open Squarespace → Amalga.health → DNS → DNS Settings → Custom records.
  • Entra admin: can manage Enterprise Applications, groups, SAML, Conditional Access, and sign-in logs.
  • Tester: has assigned internal, assigned guest, and unassigned test users ready.
  • Recorder: captures screenshots, timestamps, generated values, and decisions.

Stop if admin access is missing. Use the meeting to name owners and blockers only.

2

Freeze the current Squarespace DNS state

Open:

Squarespace
  → Amalga.health
  → DNS
  → DNS Settings
  → Custom records

Take screenshots of:

  • Domains list.
  • DNS page.
  • DNS Settings.
  • Custom records.
  • Security or CAA records, if visible.

Do not touch: Microsoft 365 mail, Atlassian, DKIM, SPF, DMARC, Google verification, or autodiscover records.

Success: you have rollback screenshots and no existing record conflict has been ignored.

3

First setup action: start custom-domain setup in Scroll Sites

Open:

Confluence
  → Apps
  → Scroll Sites
  → Domains & Security
  → Set up a custom domain

Enter: documentation.amalga.health

Copy the two generated CNAME records:

  • Domain validation CNAME: proves control of the subdomain to Scroll Sites.
  • Certificate validation CNAME: lets AWS Certificate Manager issue the HTTPS certificate for the subdomain.

Do not: use the root domain, invent a CNAME target, include https://, include a trailing slash, create an A record, use URL forwarding, or change nameservers.

Success: exact generated CNAME names and values are saved in the meeting notes.

4

Then add the generated CNAME records in Squarespace

Open: DNS Settings → Custom records → Add record.

Domain validation
  Type: CNAME
  Name: documentation
  Data: 2448ae4c-3c09-4781-b354-0eee3097724c.sites-2.viewport.k15t.app

Certificate validation
  Type: CNAME
  Name: _e71979def27c6d6ea0e7bab7b1042658.documentation
  Data: _1c08b101ddb774050a2f88fdd344a627.jkddzztszm.acm-validations.aws

Name conversion:

  • documentation.amalga.health becomes documentation.
  • _e71979def27c6d6ea0e7bab7b1042658.documentation.amalga.health becomes _e71979def27c6d6ea0e7bab7b1042658.documentation.
  • Remove a trailing dot if Scroll Sites shows one.

Use these exact Squarespace values. Do not type the full domain in the Name field, and do not edit any existing Microsoft 365, Atlassian, DMARC, Google, or autodiscover records.

Success: both CNAME records are saved, and existing business-critical DNS records are unchanged.

5

Check CAA and DNS propagation

Run these lookups:

dig +short CAA amalga.health
dig +short CAA documentation.amalga.health
dig +short CNAME documentation.amalga.health
dig +short CNAME _e71979def27c6d6ea0e7bab7b1042658.documentation.amalga.health

  • An empty CAA answer at both the subdomain and the apex means no CAA restriction. CAs check the name itself and then walk up to the apex, so an empty answer for documentation.amalga.health alone is not enough; the apex record still governs.
  • A restrictive CAA set must contain an issue tag that allows AWS Certificate Manager (AWS publishes amazon.com, amazontrust.com, awstrust.com, and amazonaws.com as its CAA issuer domains). Otherwise certificate validation never completes and the domain never becomes Active.
  • dig prints CNAME targets with a trailing dot; compare against the generated value without it.
  • Use the actual generated certificate record name, not the placeholder above.

Stop rule: no Active custom domain in Scroll Sites means no production SAML cutover tomorrow.
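The name conversion in step 4 and the CAA and CNAME checks in step 5, as an added example that is not part of the guide and not Scroll Sites or Squarespace tooling. It assumes the record names and targets printed above; the dig answers and CAA sets inside the block are constructed, and the ACM issuer domains are the ones AWS documents for CAA.

```python
"""Offline helpers for the CNAME and CAA checks in steps 4 and 5.

Added example; not from the guide, Scroll Sites, or Squarespace. The record
names and targets are the ones printed in the guide; the dig answers and the
CAA sets below are constructed. Paste real `dig +short` output into the
functions to check a live zone.
"""
from __future__ import annotations

import re

ZONE = "amalga.health"

# CAA issuer domains AWS documents for ACM.
ACM_CAA_ISSUERS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Records generated by the Scroll Sites wizard, as shown in the guide.
EXPECTED_CNAMES = {
    "documentation.amalga.health":
        "2448ae4c-3c09-4781-b354-0eee3097724c.sites-2.viewport.k15t.app",
    "_e71979def27c6d6ea0e7bab7b1042658.documentation.amalga.health":
        "_1c08b101ddb774050a2f88fdd344a627.jkddzztszm.acm-validations.aws",
}


def squarespace_name(fqdn: str, zone: str = ZONE) -> str:
    """Turn the FQDN Scroll Sites shows into the relative Name Squarespace expects."""
    name = fqdn.rstrip(".").lower()
    suffix = "." + zone.lower()
    if not name.endswith(suffix):
        raise ValueError(f"{fqdn} is not under {zone}; it does not belong in this zone")
    return name[: -len(suffix)]


def cname_matches(dig_answer: str, expected: str) -> bool:
    """Compare `dig +short CNAME` output with the generated target.

    dig prints the target with a trailing dot and DNS names are case-insensitive;
    an empty answer means the record has not propagated (or was entered wrongly).
    """
    answer = dig_answer.strip().rstrip(".").lower()
    return bool(answer) and answer == expected.strip().rstrip(".").lower()


_CAA_RE = re.compile(r'^\s*(\d+)\s+(\w+)\s+"([^"]*)"\s*$')


def effective_caa(caa_by_name: dict[str, str], name: str) -> list[tuple[int, str, str]]:
    """Return the CAA RRset governing `name` (RFC 8659: the name, then each parent,
    first non-empty set wins). Keys are owner names, values are `dig +short CAA` output."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):  # stop before the TLD
        rrset = caa_by_name.get(".".join(labels[i:]), "").strip()
        if rrset:
            records = []
            for line in rrset.splitlines():
                m = _CAA_RE.match(line)
                if not m:
                    raise ValueError(f"unparseable CAA record: {line!r}")
                records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
            return records
    return []


def caa_allows_acm(caa_by_name: dict[str, str], name: str) -> bool:
    """True if ACM may issue a non-wildcard certificate for `name`.

    Only `issue` tags restrict non-wildcard issuance; a set with just `iodef`
    or `issuewild` leaves it open, and `issue ";"` forbids every CA.
    """
    issue_values = [v for _, tag, v in effective_caa(caa_by_name, name) if tag == "issue"]
    if not issue_values:
        return True
    allowed = {v.split(";", 1)[0].strip().lower() for v in issue_values}
    return bool(allowed & ACM_CAA_ISSUERS)


def propagation_report(cname_answers: dict[str, str], caa_by_name: dict[str, str]) -> dict[str, bool]:
    """Step-5 gate: every value must be True before the domain can go Active."""
    report = {fqdn: cname_matches(cname_answers.get(fqdn, ""), target)
              for fqdn, target in EXPECTED_CNAMES.items()}
    report["caa_allows_acm"] = caa_allows_acm(caa_by_name, "documentation.amalga.health")
    return report


# Constructed `dig +short` answers as they look once propagated (note the trailing dots).
SAMPLE_CNAME_ANSWERS = {k: v + ".\n" for k, v in EXPECTED_CNAMES.items()}
# Constructed CAA answers: nothing on the subdomain, a restrictive set at the apex.
SAMPLE_CAA_OK = {"documentation.amalga.health": "",
                 "amalga.health": '0 issue "digicert.com"\n0 issue "amazon.com"\n'}
SAMPLE_CAA_BLOCKING = {"documentation.amalga.health": "",
                       "amalga.health": '0 issue "digicert.com"\n'}

if __name__ == "__main__":
    for fqdn in EXPECTED_CNAMES:
        print(fqdn, "->", squarespace_name(fqdn))
    print(propagation_report(SAMPLE_CNAME_ANSWERS, SAMPLE_CAA_OK))
    print(propagation_report(SAMPLE_CNAME_ANSWERS, SAMPLE_CAA_BLOCKING))
```

Run the four dig commands from step 5, paste each answer into the matching dictionary entry, and treat any False in the report as a failed gate. The CAA walk-up is the point most often missed: an empty answer for the subdomain does not help if the apex record lists only other CAs.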

6

Create or verify the Entra access group

Create security group: SG-ScrollSites-Documentation-Users

Description:

Controls access to the Scroll Sites product documentation site at documentation.amalga.health. Contains approved internal users and B2B guest users only.

Add direct members:

  • One assigned internal test user.
  • One assigned B2B guest test user.

Do not rely on nested groups: Entra does not apply application assignment to members of nested groups, so such users would be denied.

Success: assigned users are direct members, and the unassigned test user is not a member.

7

Create or verify the Entra Enterprise Application

Open:

Microsoft Entra ID
  → Enterprise applications
  → New application
  → Create your own application

Create non-gallery app: Scroll Sites - Documentation

  • Set Assignment required = Yes.
  • Assign only SG-ScrollSites-Documentation-Users.
  • Do not assign individual users directly unless it is a documented emergency exception.

Success: only the access group is assigned and there are no unintended direct user assignments.

8

Prepare B2B guest access

Open:

Microsoft Entra ID
  → Users
  → New user
  → Invite external user

  • Invite one known customer test user.
  • Add that guest user to SG-ScrollSites-Documentation-Users.
  • Ask the guest to redeem the invitation before cutover if possible.

Beginner note: B2B guest UPNs take the form name_domain.com#EXT#@tenant.onmicrosoft.com rather than the guest's own address, so validate the SAML email claim with the guest account during testing.

9

Prepare Conditional Access MFA

Create policy: CA - Scroll Sites Documentation - Require MFA

Users: SG-ScrollSites-Documentation-Users
Target resource: Scroll Sites - Documentation
Grant: Require multifactor authentication
Exclusions: Emergency or break-glass admin accounts
Initial state: Report-only

Do not turn this policy On until SAML assigned-user and guest-user tests pass.

SAML integration step-by-step

Entra SAML is created. Finish Scroll Sites metadata, assignment, and testing next.

This section now reflects the current state from Entra: the non-gallery Enterprise Application exists, SAML is selected, and the Basic SAML Configuration has been saved.

Do not turn on MFA or remove token access yet. First paste the Entra metadata into Scroll Sites, publish the SAML access mode, and pass the assigned-user, guest-user, and unassigned-user tests.

1

Current Entra setup completed

Confirmed from the screenshots:

  • Enterprise Application was created as Scroll Sites - Documentation.
  • Single sign-on method is SAML.
  • Basic SAML Configuration has been saved.
  • SAML certificate is Active.
  • Federation Metadata XML is available for download.

Current state: Entra is staged. The remaining work is mostly in Scroll Sites plus access testing.

2

Verify the saved Basic SAML values

In Entra, confirm these values remain exactly as saved:

Identifier / Entity ID: https://documentation.amalga.health/saml-dPeL7Ew-Eps
Reply URL / ACS URL: https://documentation.amalga.health/__auth/saml/response?client_name=saml-dPeL7Ew-Eps
Sign on URL: https://documentation.amalga.health/
Relay State: Blank.
Logout URL: Blank unless Scroll Sites provides one later.

Success: Entra now knows where to send the SAML response for this Scroll Sites domain.

3

Confirm attributes and claims

The screenshots show these default claims are present:

givenname: user.givenname
surname: user.surname
emailaddress: user.mail
name: user.userprincipalname
Unique User Identifier (NameID): user.userprincipalname

Guest-user note: the NameID is the UPN, which for B2B guests takes the form name_domain.com#EXT#@tenant.onmicrosoft.com rather than the guest's real address. Validate what Scroll Sites receives in the emailaddress claim with the assigned guest test user before calling this complete.

4

Download the Entra metadata XML

Open:

Microsoft Entra ID
  → Enterprise applications
  → Scroll Sites - Documentation
  → Single sign-on
  → SAML
  → SAML Certificates
  → Federation Metadata XML
  → Download

Then: open the downloaded XML file locally and copy the XML contents from the file.

Use the downloaded Federation Metadata XML file. Do not copy from a browser-rendered XML view if it omits parts of the file.
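A check that the downloaded Federation Metadata XML is complete before it is pasted into Scroll Sites, as an added example that is not the guide's, Scroll Sites', or Microsoft's code. It assumes only the standard SAML metadata namespaces; the sample file inside the block is constructed, with a placeholder tenant ID and a stand-in certificate value.

```python
"""Sanity-check an Entra Federation Metadata XML file before pasting it into Scroll Sites.

Added example; not from the guide, Scroll Sites, or Microsoft. The sample
metadata is constructed to mirror the shape Entra produces: the tenant ID is
a placeholder and the certificate is a stand-in, not a real Entra certificate.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text: str) -> dict:
    """Return the fields Scroll Sites will consume, or raise ValueError.

    A partial copy from a browser-rendered view usually loses the closing tags
    or part of the base64 certificate; both fail here rather than at first login.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        raise ValueError(f"not well-formed XML (truncated copy?): {e}") from e
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if not (sso.keys() & {REDIRECT, POST}):
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")

    signing_certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no `use` attribute means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except binascii.Error as e:
                raise ValueError(f"X509Certificate is not valid base64 (truncated?): {e}") from e
            if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
                raise ValueError("X509Certificate does not decode to a DER certificate")
            signing_certs += 1
    if not signing_certs:
        raise ValueError("no signing certificate: the SP could not verify assertions")

    return {"entity_id": entity_id, "sso": sso, "signing_certs": signing_certs}


# Constructed sample in the shape of Entra's Federation Metadata XML.
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
STAND_IN_CERT = "MIIBAAAA"  # decodes to a DER SEQUENCE header; not a real certificate
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{STAND_IN_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    import sys
    # utf-8-sig strips the byte-order mark that the downloaded file may carry.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print(check_idp_metadata(text))
```

Run it with the downloaded file as the only argument and record the entityID and SSO location it prints in the meeting notes next to the Basic SAML values. A ValueError means the copy is incomplete or is the wrong kind of metadata; download the file again rather than pasting what you have.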

5

Configure SAML in Scroll Sites with IdP metadata XML

  1. Log into Confluence as an admin who has access to Scroll Sites.
  2. Go to Apps → Scroll Sites.
  3. In the left sidebar, click Domains & Security.
  4. Click on your domain: documentation.amalga.health.
  5. Under Site access, you will see the current setting is Protected: Token access.
  6. Click the button Set up single sign-on.
  7. On the SAML setup screen, look for the field labeled Paste IdP metadata XML.
  8. Open the Federation Metadata XML file you downloaded from Microsoft Entra ID.
  9. Copy the entire content of the XML file and paste it into the field in Scroll Sites.
  10. Click the Set up button.
  11. After it processes successfully, change the access method from Protected: Token access to Protected: Single sign-on.
  12. Click Confirm.
  13. Finally, click Publish changes.

Success: Scroll Sites is now configured for SAML single sign-on with Microsoft Entra ID.

Do not delete the old token yet. Keep rollback available until all access tests pass.

6

Assign the access group in Entra

Confirm before testing:

  • Assignment required = Yes for the Enterprise Application.
  • SG-ScrollSites-Documentation-Users is assigned to the app.
  • Assigned internal test user is in the group.
  • Assigned B2B guest test user is in the group.
  • Unassigned internal test user is not in the group.

Do not assign broad groups like All Users. Keep access scoped to the Scroll Sites documentation group.

7

Run access tests before tightening controls

  • Assigned internal user should authenticate and load documentation.
  • Assigned B2B guest user should authenticate and load documentation.
  • Unassigned internal user should be denied.
  • Direct article URL should require SAML before content loads.
  • Entra sign-in logs should show success and denial results.

Only after these tests pass should you turn Conditional Access MFA On and remove the old token.

Cutover runbook

Use this only after all gates are green.

This is the production cutover path. It is not the from-zero agenda.

Confirm readiness

  1. Confirm Scroll Sites shows documentation.amalga.health as Active.
  2. Run dig +short CNAME documentation.amalga.health.
  3. Confirm Entra app, group, test users, break-glass exclusion, and Report-only MFA policy.

Connect the custom domain to the site

Apps → Scroll Sites → My Sites
→ Select product documentation site
→ Site Settings → Site URL
→ Connect custom domain
→ Select documentation.amalga.health
→ Publish / Save changes

Test https://documentation.amalga.health/ in a private browser. Do not change access mode yet.

Configure SAML in Scroll Sites with IdP metadata XML

  1. Complete Entra side first (Basic SAML Configuration + download Federation Metadata XML from the Enterprise App).
  2. In Scroll Sites: Log into Confluence → Apps → Scroll Sites → left sidebar Domains & Security → click documentation.amalga.health.
  3. Under Site access (currently Protected: Token access), click Set up single sign-on.
  4. On the SAML screen, paste the entire contents of the downloaded Entra Federation Metadata XML into the Paste IdP metadata XML field.
  5. Click Set up.
  6. After success, change access method to Protected: Single sign-on → Confirm → Publish changes.

See the detailed steps in the SAML Integration section above for the full Scroll Sites sequence.

Lock down assignment

  1. Confirm Assignment required = Yes.
  2. Confirm only SG-ScrollSites-Documentation-Users is assigned.
  3. Confirm assigned internal and assigned guest users are in the group.
  4. Confirm unassigned test user is not in the group.
  5. Remove undocumented direct user assignments.

Run access tests

  1. Assigned internal user succeeds.
  2. Assigned B2B guest user succeeds.
  3. Unassigned internal user is denied.
  4. Direct article URL requires SAML before content loads.
  5. Entra sign-in logs show success, denial, and Conditional Access result.

Turn MFA On

Only after assigned internal and guest tests pass:

Conditional Access
→ CA - Scroll Sites Documentation - Require MFA
→ State: On
→ Save

Re-test assigned internal and assigned guest users. Keep break-glass exclusion.

Remove token access

Only after SAML, group assignment, guest access, negative access, and MFA tests all pass:

Scroll Sites
→ Domains & Security
→ documentation.amalga.health
→ Site access
→ Manage Token
→ Delete old token
→ Confirm
→ Publish changes

Verify that the old token URL no longer grants access. Do not paste the actual token into notes.

Record final evidence

Capture the evidence checklist below before calling the cutover complete.

Access tests

Do not test with a Global Administrator account.

Assigned internal: Redirects to Entra, authenticates, documentation loads.
Assigned B2B guest: Guest flow works, authenticates, documentation loads.
Unassigned internal: Access denied; no documentation content shown.
Direct article URL: SAML required before content loads.
Entra logs: Success and denial are visible; Conditional Access result appears.
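The log evidence for the access tests in the prep section, the cutover runbook, and the table above, as an added example that is not part of the guide and not Microsoft tooling. It reads sign-in entries in the shape of the Microsoft Graph signIn resource; the entries, user names and the tenant name inside the block are constructed. Error code 50105 is the Entra code returned when a signed-in user is not assigned to the application.

```python
"""Evaluate the access-test matrix against exported Entra sign-in log entries.

Added example; not from the guide or from Microsoft. The entries below are
constructed in the shape of the Microsoft Graph signIn resource. User names
and the tenant name amalgahealth.onmicrosoft.com are placeholders.
"""
import json

APP = "Scroll Sites - Documentation"
POLICY = "CA - Scroll Sites Documentation - Require MFA"
# AADSTS50105: the signed-in user is not assigned to a role for the application.
NOT_ASSIGNED = 50105


def is_guest_upn(upn: str) -> bool:
    """B2B guest UPNs have the form name_domain.com#EXT#@tenant.onmicrosoft.com."""
    return "#EXT#" in upn


def evaluate_access_tests(signins, assigned_internal: str, assigned_guest: str,
                          unassigned_internal: str, app: str = APP, policy: str = POLICY) -> dict:
    """Map the guide's test matrix onto log evidence.

    `signins` is the JSON text of a Graph sign-in query or an already-parsed list.
    Every boolean must be True and `unexpected_successes` must be empty before
    the MFA policy goes On and the token is removed.
    """
    entries = json.loads(signins) if isinstance(signins, str) else signins
    events = [e for e in entries if e.get("appDisplayName") == app]  # ignore other apps

    def latest(upn):
        hits = [e for e in events if e.get("userPrincipalName", "").lower() == upn.lower()]
        return hits[-1] if hits else None

    def code(e):
        return None if e is None else e.get("status", {}).get("errorCode")

    def policy_evaluated(e):
        # Report-only policies surface as reportOnly* results; an On policy as success/failure.
        return e is not None and any(
            p.get("displayName") == policy and str(p.get("result", "")).startswith(("reportOnly", "success"))
            for p in e.get("appliedConditionalAccessPolicies", []))

    ai, ag, ui = latest(assigned_internal), latest(assigned_guest), latest(unassigned_internal)
    expected_ok = {assigned_internal.lower(), assigned_guest.lower()}
    unexpected = sorted({e["userPrincipalName"] for e in events
                         if code(e) == 0 and e["userPrincipalName"].lower() not in expected_ok})
    return {
        "assigned_internal_success": code(ai) == 0,
        "assigned_guest_success": code(ag) == 0 and is_guest_upn(assigned_guest),
        "unassigned_internal_denied": code(ui) == NOT_ASSIGNED,
        "ca_policy_evaluated_for_assigned": policy_evaluated(ai) and policy_evaluated(ag),
        # Anyone else who got in points at an undocumented direct assignment.
        "unexpected_successes": unexpected,
    }


def make_signin(upn: str, error_code: int, ca_result=None, app: str = APP) -> dict:
    """Build one constructed record in the Graph signIn shape."""
    return {
        "userPrincipalName": upn,
        "appDisplayName": app,
        "status": {"errorCode": error_code,
                   "failureReason": None if error_code == 0 else "User is not assigned to a role for the application"},
        "conditionalAccessStatus": "success" if ca_result == "success" else "notApplied",
        "appliedConditionalAccessPolicies": [] if ca_result is None else [{"displayName": POLICY, "result": ca_result}],
    }


# Constructed test identities and log entries.
INTERNAL = "alice.internal@amalga.health"
GUEST = "bob_customer.example#EXT#@amalgahealth.onmicrosoft.com"
UNASSIGNED = "carol.unassigned@amalga.health"

SAMPLE_SIGNINS = [
    make_signin(INTERNAL, 0, "reportOnlySuccess"),
    make_signin(GUEST, 0, "reportOnlySuccess"),
    make_signin(UNASSIGNED, NOT_ASSIGNED),
    make_signin(INTERNAL, 0, "success", app="Office 365 Exchange Online"),  # unrelated app, must be ignored
]

if __name__ == "__main__":
    print(json.dumps(evaluate_access_tests(SAMPLE_SIGNINS, INTERNAL, GUEST, UNASSIGNED), indent=2))
```

Feed it the JSON returned by a Graph sign-in log query filtered to the application (or a portal export re-shaped to the same fields) together with the three test UPNs. A non-empty unexpected_successes list is the signal the runbook's "Remove undocumented direct user assignments" step exists for.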

Rollback

Rollback if access is wrong in either direction.

SAML fails before access mode changes

Leave existing access unchanged, keep token, keep MFA Report-only, fix SAML offline.

SAML enabled but users cannot access

Revert Scroll Sites to previous working access mode and set MFA policy to Report-only or Off.

DNS or domain fails

Leave existing records untouched. Remove only wrong new Scroll Sites CNAMEs, restart the wizard, and retry.

Final evidence

Capture these before calling the work complete.