diff --git a/tool/tctl/common/plugin/entraid.go b/tool/tctl/common/plugin/entraid.go
index e54607b904f44..8c51f03747881 100644
--- a/tool/tctl/common/plugin/entraid.go
+++ b/tool/tctl/common/plugin/entraid.go
@@ -213,7 +213,7 @@ func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArg
 	}
 
 	saml, err := types.NewSAMLConnector(inputs.entraID.authConnectorName, types.SAMLConnectorSpecV2{
-		AssertionConsumerService: proxyPublicAddr + "/v1/webapi/saml/acs/" + inputs.entraID.authConnectorName,
+		AssertionConsumerService: strings.TrimRight(proxyPublicAddr, "/") + "/v1/webapi/saml/acs/" + inputs.entraID.authConnectorName,
 		AllowIDPInitiated:        true,
 		// AttributesToRoles is required, but Entra ID does not have a default group (like Okta's "Everyone"),
 		// so we add a dummy claim that will never be fulfilled with the default configuration instead,