diff --git a/lib/management/sso.test.ts b/lib/management/sso.test.ts
index 9a24d5625..8a10d8bd0 100644
--- a/lib/management/sso.test.ts
+++ b/lib/management/sso.test.ts
@@ -409,6 +409,7 @@ describe('Management SSO', () => {
 't1',
 {
 idpMetadataUrl: 'https://metadata.com',
+ entityId: 'https://idp.example.com/entity',
 attributeMapping: { name: 'IDP_NAME', email: 'IDP_MAIL' },
 spACSUrl: 'https://spacs.url',
 spEntityId: 'spentityid',
@@ -422,6 +423,7 @@ describe('Management SSO', () => {
 tenantId: 't1',
 settings: {
 idpMetadataUrl: 'https://metadata.com',
+ entityId: 'https://idp.example.com/entity',
 attributeMapping: { name: 'IDP_NAME', email: 'IDP_MAIL' },
 spACSUrl: 'https://spacs.url',
 spEntityId: 'spentityid',
diff --git a/lib/management/types.ts b/lib/management/types.ts
index 9d7c0cee9..b623dbc4b 100644
--- a/lib/management/types.ts
+++ b/lib/management/types.ts
@@ -619,6 +619,8 @@ export type SSOSAMLSettings = {
 export type SSOSAMLByMetadataSettings = {
 idpMetadataUrl: string;
+ /** IdP entity ID - set so IdP-initiated login can resolve the tenant by the SAML response issuer */
+ entityId?: string;
 roleMappings?: RoleMappings;
 attributeMapping?: AttributeMapping;
 defaultSSORoles?: string[];
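Review bot: The doc comment on `entityId` in the `SSOSAMLByMetadataSettings` hunk of lib/management/types.ts does not say how the value must relate to the entityID already declared in the metadata served at `idpMetadataUrl`. Because the comment says the field is what lets IdP-initiated login resolve the tenant from the SAML response issuer, a value that disagrees with the metadata, or one also configured on another tenant, would presumably cause the response to be rejected or matched to the wrong tenant. I would state the contract in the comment: `/** IdP entity ID; must equal the Issuer of the IdP's SAML responses and the entityID in the metadata at idpMetadataUrl. Used to resolve the tenant on IdP-initiated login. */`. Whether the backend enforces uniqueness of this value across tenants is not visible in this diff, so it is worth confirming and noting here; the type's body continues past the end of the hunk.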