Step-by-step guide · June 2026

Custom Domain + SAML SSO

Domain: documentation.amalga.health

Live in production

Start here

Follow the steps below in order. Each step tells you what to do and when you are done.

Which situation are you in?

The full path (6 steps)

Share this guide: https://scroll-sites-saml-meeting-guide.pages.dev/setup-guide.html

Track your progress

Checklist

Check items off as you go. Finish Step 5 before removing token access or turning MFA on.

Step-by-step

Do these in order

Before you start: You need Squarespace DNS access, Scroll Sites admin, and Entra admin.

Step 1 of 6

Connect the custom domain (DNS)

  1. In Scroll Sites: Domains & Security → Set up a custom domain → enter documentation.amalga.health.
  2. Copy the two CNAME records Scroll Sites shows you.
  3. In Squarespace: DNS → Custom records → add both CNAMEs exactly as shown.
  4. Wait until Scroll Sites shows the domain as Active (can take up to an hour).
Done when: Scroll Sites displays documentation.amalga.health with a green Active status.

Step 2 of 6

Create the Entra group and Enterprise Application

2a — Security group

  1. Entra ID → Groups → New group.
  2. Name: SG-ScrollSites-Documentation-Users (Security group).
  3. Add direct members: one internal test user and one B2B guest test user.

2b — Enterprise Application

  1. Entra ID → Enterprise applications → New application → Create your own application (not from gallery).
  2. Name it e.g. Scroll Sites - Documentation.
  3. Properties → set Assignment required? to Yes.
  4. Users and groups → assign only SG-ScrollSites-Documentation-Users.
  5. Single sign-on → select SAML.
Done when: The app exists, Assignment required is Yes, and only your access group is assigned.

Step 3 of 6

Configure SAML in Entra

  1. In Scroll Sites, open your domain and click Set up single sign-on — copy the Identifier and Reply URL shown there.
  2. In Entra, open the app → Single sign-on → Edit Basic SAML Configuration.
  3. Paste Identifier and Reply URL from Scroll Sites. Set Sign on URL to https://documentation.amalga.health/.
  4. Save. Under SAML Signing Certificate, set the signing option to Sign SAML response and assertion and the signing algorithm to SHA-256.
  5. Attributes & Claims: Unique User Identifier = user.mail. Add givenname, surname, emailaddress.
  6. Download Federation Metadata XML (Single sign-on → SAML Certificates).
Done when: Basic SAML is saved and you have the Federation Metadata XML file on your computer.

Step 4 of 6

Paste metadata in Scroll Sites and turn on SSO

  1. Confluence → Apps → Scroll Sites → Domains & Security → click documentation.amalga.health.
  2. Click Set up single sign-on.
  3. Open the XML file in TextEdit (Plain Text) → Select all → Copy.
  4. Paste into Paste IdP metadata XML → click Set up.
  5. Change access to Protected: Single sign-on → Confirm → Publish changes.
Done when: You see “Site access changed” and the domain shows Protected: Single sign-on.

Wait a few minutes after publish before testing.

Step 5 of 6

Test who can and cannot access

Use a private/incognito window for each test.

  - User in the access group: Opens documentation.amalga.health → Microsoft login → Help Center loads.
  - B2B guest in the group: Same as above. No Confluence license needed.
  - User NOT in the group: Microsoft login → access denied (even if they are an Entra admin).

To test yourself: temporarily add your account to the group, test, then remove if desired.

Check Entra → Enterprise application → Sign-in logs for success and failure entries.

Done when: Allowed users get in, blocked users do not, and sign-in logs match.

Step 6 of 6

Finish up (only after tests pass)

  1. Remove old token access in Scroll Sites if you no longer need it.
  2. Turn Conditional Access MFA from Report-only to On when ready.
  3. Write down the final Entity ID and Reply URL for your records.
Done when: Production access works via SSO only, and your security controls match policy.

Reference

Extra detail (open if you need it)

When do I need a new Enterprise Application?

  - New domain or new Scroll Sites site: Yes — new app with new Identifier + Reply URL from Scroll Sites.
  - Removed SSO and set it up again: Yes — Scroll Sites creates new IDs; old Entra app will not match.
  - Only adding users: No — add users to the existing group.
  - Certificate rotated in Entra only: Usually no — re-download metadata and paste again in Scroll Sites.

How do external users access without a Confluence license?

  1. Entra → Users → New user → Invite external user.
  2. Add guest as a direct member of SG-ScrollSites-Documentation-Users.
  3. Confirm the group is assigned to the Enterprise Application.
  4. Guest opens the site and signs in with Microsoft — no Confluence seat required for viewing.

Authors and Confluence admins still need Confluence licenses. This applies to viewers of the public docs site only.

Warning: removing SSO in Scroll Sites

If you remove Single Sign-On and configure it again, Scroll Sites generates a new Entity ID and ACS URL. Your old Entra app and metadata will stop working until you update or recreate the app.

Avoid removing SSO unless necessary.

Example SAML values (may differ on your tenant)

  - Identifier: https://documentation.amalga.health/saml-dPeL7Ew-Eps
  - Reply URL: https://documentation.amalga.health/__auth/saml/response?client_name=saml-dPeL7Ew-Eps
  - Sign on URL: https://documentation.amalga.health/

Always use the values from your Scroll Sites SSO screen — not these examples — if SSO was ever removed and re-added.

Help

Troubleshooting

Site loads without asking me to log in

Wait 5–10 minutes after publish. Test in incognito. Confirm access mode is Protected: Single sign-on and published.

Set up fails when I paste the XML

Copy the whole file from <?xml through </EntityDescriptor>. Use TextEdit, not Finder preview.
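
A pre-flight check for the metadata downloaded in Step 3 and pasted in Step 4, as an added example that is not part of the original guide or of Scroll Sites' own validation: it flags a partial copy, a non-metadata file, or a missing signing certificate before you paste. The function name and the sample document (placeholder tenant ID and certificate) are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample (placeholder tenant ID and certificate), not real tenant data.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>Q09OU1RSVUNURUQ=</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def check_idp_metadata(text):
    """Return a list of problems; an empty list means the copy looks complete."""
    body = text.lstrip("\ufeff \t\r\n")  # tolerate a BOM or blank lines from the editor
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return ["contains a DTD or entity declaration, which IdP metadata never needs"]
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML (partial copy?): {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag!r}, expected EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor element, so this is not IdP metadata"]
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    certs = [c.text or "" for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use") in (None, "signing")
             for c in kd.iter(f"{{{DS}}}X509Certificate")]
    if not any(c.strip() for c in certs):
        problems.append("no signing certificate")
    sso = idp.findall(f"{{{MD}}}SingleSignOnService")
    if not any(s.get("Location", "").startswith("https://") for s in sso):
        problems.append("no HTTPS SingleSignOnService endpoint")
    return problems

if __name__ == "__main__":
    # Usage: pass the path of the downloaded metadata file; without one, the sample is checked.
    text = Path(sys.argv[1]).read_text(encoding="utf-8-sig") if len(sys.argv) > 1 else SAMPLE
    for line in check_idp_metadata(text) or ["looks complete"]:
        print(line)
```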

I log in but still cannot access

You are not in the access group or not assigned to the app. Entra admin ≠ automatic access.

External guest cannot access

Invitation redeemed? Guest in group? Group assigned to app? No Confluence license needed.

I removed SSO and everything broke

Create a new Enterprise Application with the new Identifier and Reply URL from Scroll Sites.

Full cutover runbook and rollback: meeting guide.