
To set up Azure AD SSO using SAML, you'll need to create a new Enterprise Application in the Azure portal. This application will serve as a bridge between your Azure AD and the external application you want to integrate.
The first step is to navigate to the Azure portal and search for "Enterprise Applications." From there, select "New application" to begin the setup process.
In the Enterprise Applications blade, select "Non-gallery application" and enter the name of the external application you want to integrate.
Configuring Azure AD SSO
To configure Azure AD SSO, you'll need to create an Enterprise Application in Azure Active Directory. This involves selecting "Integrate any other application you don't find in the gallery (Non-gallery)" when creating the application. Once created, you'll need to set up single sign-on by selecting SAML as the Single Sign On method.
You'll need to enter the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) into the Azure SSO configuration. To get these values, you can create an Azure AD SAML Integration in Morpheus first. This will provide you with the Entity ID and SP ACS URL, which you can then copy and use in Azure SSO configuration.
Here's a step-by-step guide to creating an Azure AD SAML Integration in Morpheus:
1. Log in to Morpheus.
2. Navigate to Administration > Tenants.
3. Click a tenant hyperlink.
4. Click the IDENTITY SOURCES button in the Tenant detail page.
5. Click the + ADD IDENTITY SOURCE button.
6. Select AzureADSAMLSSO from the TYPE dropdown.
7. Add.
8. This is the minimum information needed for now, which will let us generate the details needed from Morpheus. We’ll return to this configuration page later to enter more information.
9. Click the SAVE CHANGES button.
Upon saving, the Entity ID (Identifier(Entity ID)) and SP ACS URL (ReplyURL(AssertionConsumerServiceURL)) will be provided in the Identity Source list view. You can then copy these values and use them in Azure SSO configuration.
To enable SSO for applications, you'll need to register the application with Azure AD and provide federation-related data, including the application's redirect URI and metadata URI.
SAML Protocol Details
Azure AD uses a 7-step process to enable single sign-on (SSO) using the SAML protocol.
The process begins with the cloud service passing the AuthnRequest element to Azure AD using an HTTP redirect binding.
Azure AD exposes a common, tenant-independent SSO endpoint, which is not just an identifier, but an addressable location.
Here are the required parameters in an AuthnRequest element:
The Issuer element in an AuthnRequest must exactly match one of the ServicePrincipalNames in the cloud service in Microsoft Entra ID, typically set to the App ID URI specified during application registration.
The Assertion element of the response contains the ID, IssueInstant, and Version, as well as the NameID element, which represents the authenticated user.
Configure Morpheus Integration
To configure Morpheus integration, you'll need to create an Azure AD SAML Integration in Morpheus. This involves adding an identity source, which will provide the necessary information to complete the Azure SSO configuration.
First, log in to Morpheus and navigate to Administration > Tenants. Click on a tenant hyperlink, then click the IDENTITY SOURCES button in the Tenant detail page. From there, click the + ADD IDENTITY SOURCE button and select AzureADSAMLSSO from the TYPE dropdown.
Setting SAML REQUEST to “No Signature” and SAML RESPONSE to “Do Not Validate Assertion Signature” is allowed but not recommended for security reasons.
Upon saving, the Entity ID (Identifier(EntityID)) and SP ACS URL (ReplyURL(AssertionConsumerServiceURL)) will be provided in the Identity Source list view. Copy these for use in Azure SSO configuration.
To complete the integration, you'll need to configure the Azure AD SAML Integration in Morpheus. This involves editing the identity source and setting the SAMLREQUEST field to SelfSigned. You'll also need to paste the value copied from the FederationMetadataXML file into the PublicKey(Optional) box, below the SAMLRESPONSE dropdown.
Here's a step-by-step guide to configuring the Azure AD SAML Integration in Morpheus:
- Log in to Morpheus using Username and Password, as usual
- Navigate to Administration > Tenants
- Click a tenant hyperlink
- Select IDENTITY SOURCES in the Tenant detail page
- Click the pencil (edit) next to the integration created previously
- Ensure the SAMLREQUEST field is set to SelfSigned
- Ensure the SAMLRESPONSE field is set to ValidateAssertionSignature
- Edit/view the downloaded FederationMetadataXML (.xml extension) file from the previous section
- Paste the value copied from the FederationMetadataXML file into the PublicKey(Optional) box
Once you've completed these steps, you'll be able to log in to Morpheus using Azure AD SAML. To do this, navigate to the Morpheus URL and click the button to allow sign-in using Azure AD SAML.
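The "edit/view the downloaded FederationMetadataXML" step above is the part most often done by hand. The following Python is an added example, not code from the page, Morpheus or Microsoft: it parses a constructed sample of IdP federation metadata, keeps only the KeyDescriptor elements marked for signing, and returns the X509Certificate body as a single whitespace-free string. It assumes that the value Morpheus expects in PublicKey(Optional) is that base64 certificate body (the page does not say which value to copy).

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape of an IdP federation metadata document; the hostnames
# and the certificate bodies are placeholders, not values from any real tenant.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>
          MIIC8DCCAdigAwIBAgIQSIGNINGCERTPLACEHOLDER
          BODYCONTINUESHERE==
        </X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>ENCRYPTIONCERTPLACEHOLDER==</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def signing_certificates(metadata_xml: str) -> list:
    """Return the base64 DER body of each signing certificate in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a use attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # The metadata wraps the value across lines; the pasted value must be one string.
            certs.append("".join((cert.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate found in IdP metadata")
    return certs


def to_pem(b64_der: str) -> str:
    # PEM form, for tools that want a certificate file rather than the bare base64 body.
    body = "\n".join(textwrap.wrap(b64_der, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

If the metadata lists more than one signing certificate (for example during a certificate rollover), every returned body needs to be trusted, not just the first.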
Single Sign On
Single sign-on (SSO) is a process that allows users to access multiple applications with a single set of login credentials. In the context of Azure AD SSO, SAML (Security Assertion Markup Language) is used to enable SSO.
To request a user authentication, cloud services send an AuthnRequest element to Microsoft Entra ID, which includes parameters such as ID, Version, IssueInstant, AssertionConsumerServiceURL, ForceAuthn, and IsPassive.
The following parameters are required for an AuthnRequest: ID, Version, and IssueInstant. The ID value must not begin with a number, so prepend a string such as "ID" to the string representation of a GUID. The Version parameter must be set to 2.0. The IssueInstant parameter is a DateTime string with a UTC value in round-trip format ("o").
The following parameters are optional for an AuthnRequest: AssertionConsumerServiceURL, ForceAuthn, and IsPassive. The AssertionConsumerServiceURL parameter must match the RedirectUri of the cloud service in Microsoft Entra ID. The ForceAuthn parameter is a boolean value that forces the user to reauthenticate, even if they have a valid session with Microsoft Entra ID. The IsPassive parameter is a boolean value that specifies whether Microsoft Entra ID should authenticate the user silently, without user interaction, using the session cookie if one exists.
Here is a list of parameters that are ignored by Microsoft Entra ID in an AuthnRequest:
- Consent
- Destination
- AssertionConsumerServiceIndex
- AttributeConsumerServiceIndex
- ProviderName
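The AuthnRequest rules above (ID not starting with a digit, Version 2.0, IssueInstant in "o" format, the optional AssertionConsumerServiceURL, ForceAuthn and IsPassive) and the HTTP redirect binding from the protocol section, as an added Python example that is not code from the page, Microsoft or Morpheus. The SSO endpoint, issuer and ACS URLs used in the test are placeholders; the redirect binding uses raw DEFLATE plus base64 plus URL-encoding, and a decoder is included so a practitioner can inspect what a service provider actually sent.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape, quoteattr

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def issue_instant() -> str:
    # UTC timestamp in .NET round-trip ("o") format, e.g. 2024-01-02T03:04:05.0000000Z
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f0Z")  # %f is 6 digits; pad to 7


def build_authn_request(issuer: str, acs_url: str = "", force_authn: bool = False,
                        is_passive: bool = False, req_id: str = "") -> str:
    """Build a minimal AuthnRequest carrying the required and optional attributes the page lists."""
    # An XML ID must not begin with a digit, so the generated ID prefixes a GUID with "ID".
    req_id = req_id or "ID" + str(uuid.uuid4())
    if req_id[0].isdigit():
        raise ValueError("AuthnRequest ID must not begin with a number")
    attrs = {"ID": req_id, "Version": "2.0", "IssueInstant": issue_instant()}
    if acs_url:  # optional; must match the RedirectUri registered for the app
        attrs["AssertionConsumerServiceURL"] = acs_url
    for name, flag in (("ForceAuthn", force_authn), ("IsPassive", is_passive)):
        if flag:
            attrs[name] = "true"
    attr_xml = " ".join(f"{k}={quoteattr(v)}" for k, v in attrs.items())
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" {attr_xml}>'
            f"<saml:Issuer>{escape(issuer)}</saml:Issuer></samlp:AuthnRequest>")


def redirect_binding_url(sso_endpoint: str, authn_request_xml: str, relay_state: str = "") -> str:
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode as SAMLRequest.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{sso_endpoint}?{urlencode(params)}"


def decode_saml_request(url: str) -> str:
    # Inverse of redirect_binding_url: recover the XML the SP actually sent, handy when debugging.
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8")
```

A signed request (the SelfSigned setting in the Morpheus section) would additionally carry SigAlg and Signature query parameters, which this example does not produce.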
Requested Authn Context
The RequestedAuthnContext element is optional in AuthnRequest elements sent to Microsoft Entra ID.
Microsoft Entra ID supports AuthnContextClassRef values such as urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
This means you can specify the desired authentication methods for a single sign-on process.
Audience
The Audience value is a crucial piece of information in Single Sign-On (SSO) authentication. It's a URI that identifies the intended audience, and it must match one of the service principal names representing the cloud service in Microsoft Entra ID.
The Audience value is set by Microsoft Entra ID, based on the value of the Issuer element of the AuthnRequest that initiated the sign-on. To evaluate the Audience value, you need to use the value of the App ID URI specified during application registration.
In Microsoft Azure AD, you can find the App ID URI in "All settings" under "TOKEN VALIDATOR PARAMETERS". However, keep in mind that if the value of the Issuer element is not a URI value, the Audience value in the response will be the Issuer value prefixed with "spn:".
Here's a quick rundown of the steps to configure SAML SSO application:
- Copy the federation metadata URL from the 3rd box.
- Search for "Validate issuer" and "Validate audience" in "All settings" under "TOKEN VALIDATOR PARAMETERS" and set them to false.
- Click on "Add" to save changes.
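The Audience rule above (the Issuer echoed back, or prefixed with "spn:" when it is not a URI) and the issuer and audience checks that the "Validate issuer" / "Validate audience" settings control, as an added Python example that is not code from the page or its sources. It inspects a constructed, unsigned sample Response; all hostnames and names are placeholders, "is a URI" is approximated by "has a URI scheme", and signature validation is assumed to happen separately (this check does not replace it).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed SAML Response with one Assertion (signature omitted); all values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-02T03:04:05Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-02T03:04:05Z">
    <saml:Issuer>https://idp.example.test/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-02T03:04:05Z" NotOnOrAfter="2024-01-02T04:04:05Z">
      <saml:AudienceRestriction><saml:Audience>spn:morpheus-sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def expected_audience(sp_issuer: str) -> str:
    # Entra ID echoes the AuthnRequest Issuer as the Audience; a non-URI Issuer gets an "spn:" prefix.
    # Assumption: "is a URI" is approximated here by "has a URI scheme" (https://..., api://...).
    return sp_issuer if urlparse(sp_issuer).scheme else "spn:" + sp_issuer


def check_assertion(response_xml: str, sp_issuer: str, idp_issuer: str) -> dict:
    """Check the Assertion's Issuer and Audience against the expected values and pull the NameID."""
    root = ET.fromstring(response_xml)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    audiences = [(a.text or "").strip() for a in
                 assertion.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    result = {
        "id": assertion.get("ID"),
        "version": assertion.get("Version"),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
        "issuer_ok": issuer == idp_issuer,
        # This is the check that the "Validate audience" setting above switches off.
        "audience_ok": expected_audience(sp_issuer) in audiences,
    }
    result["ok"] = result["issuer_ok"] and result["audience_ok"] and result["version"] == "2.0"
    return result
```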
Test Your Configuration
To test your Azure AD SSO configuration, you'll need to follow these steps.
First, open the Azure portal. This is where you'll find the tools you need to test your configuration.
Next, find and choose the Test application option. This will redirect you to the SAML Toolkit sign-on URL page.
On the SAML Toolkit sign-on URL page, you can trigger the login flow directly. This will test whether your configuration is working correctly.
To complete the test, go to the Microsoft Access Panel, and select the SAML Toolkit tile. If your configuration is set up correctly, you should be automatically logged into your configured SAML Toolkit.
Here are the steps to test your Azure AD SSO configuration in a concise list:
- Open the Azure portal.
- Find and choose the Test application option; this redirects you to the SAML Toolkit sign-on URL page.
- On the SAML Toolkit sign-on URL page, trigger the login flow directly.
- Go to the Microsoft Access Panel and select the SAML Toolkit tile; if the configuration is correct, you are logged into the configured SAML Toolkit automatically.
By following these steps, you'll be able to test your Azure AD SSO configuration and ensure it's working correctly.
Frequently Asked Questions
What is the difference between SSO and SAML?
SAML is the standard that enables Single Sign-On (SSO), allowing users to access multiple systems with a single login. SSO is the actual benefit or feature that SAML provides, enabling seamless access to various software systems.
What is SAML with an example?
SAML is a security protocol that verifies user identities through a claims-based authentication process. Here's how it works: when you try to access a site, the site asks your identity provider to confirm your identity, and then grants access with a digital stamp called a SAML assertion.