Configuring Azure SAML is a crucial step in integrating your Azure Active Directory (Azure AD) with your on-premises applications or cloud services that support the Security Assertion Markup Language (SAML) 2.0 protocol.
To begin, you need to register your application in the Azure portal and copy the Application ID and Directory ID from the Azure portal.
The Identity Provider (IdP) endpoint is used to issue SAML assertions to the service provider, and in Azure, this is typically done through the Azure AD application's configuration.
The Azure AD SAML configuration involves creating a new Enterprise Application, which will serve as the IdP for your organization.
Setting Up SSO
To set up Single Sign-On (SSO) with Azure AD, you'll need to log in to the Azure Portal and search for Active Directory.
Select Groups and create a new group, such as Hyperglance Admins.
Create the application in the Enterprise applications section and give it a name.
For SAML, select the SAML option from the Single sign-on page.
On your VM, generate Service Provider (SP) metadata by running the mellon_create_metadata.sh script.
The IP address or DNS name used here must be the one that your browser would use to reach the Hyperglance VM.
After uploading the sp.xml file to the Azure portal, the Entity ID and Reply URL should be populated.
Replace the empty idp.xml file on the VM with the Federation Metadata XML downloaded from the Single sign-on page in the Azure portal.
Set the Source to Attribute and type in HyperglanceUser;HyperglanceAdmin as the Value in the claim conditions.
Select users and/or groups that you will allow to access the Hyperglance application.
To enable SAML on the Hyperglance VM, edit the config.env file and set the SAML_ENABLED flag to true.
Azure will suggest you test your new SSO configuration.
Microsoft Entra Protocol Requirements
Microsoft Entra ID can federate with identity providers that implement the SAML 2.0 SP Lite profile, subject to specific protocol and message-formatting requirements.
Keep your SAML 2.0 identity provider's output messages as close as possible to the sample traces Microsoft provides; this helps ensure a smooth federated login process.
The Microsoft Entra metadata can be downloaded from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml, or from https://nexus.partner.microsoftonline-p.cn/federationmetadata/saml20/federationmetadata.xml for customers in China.
SHA-1 is deprecated; use a more secure algorithm such as SHA-256 for signing.
To enable communication between your SAML 2.0 identity provider and Microsoft Entra ID, set the relying party ID to the entityID from the Microsoft Entra metadata.
To configure a domain in your Microsoft Entra Directory for federation, you need to follow these steps:
- Connect to your Microsoft Entra Directory as a tenant administrator.
- Configure your desired Microsoft 365 domain to use federation with SAML 2.0.
- Obtain the signing certificate base64 encoded string from your IDP metadata file.
Verify the clock on your SAML 2.0 identity provider server is synchronized to an accurate time source, as an inaccurate clock time can cause federated logins to fail.
Add Entra Metadata
To add Entra metadata, import the latest metadata from Microsoft Entra ID, available at https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml. Always import the latest metadata when configuring your SAML 2.0 identity provider.
If you're using a SAML 2.0 identity provider, you'll need to set the relying party ID to the same as the entityID from the Microsoft Entra metadata. This will enable communication between your identity provider and Microsoft Entra ID.
Make sure your SAML 2.0 identity provider server's clock is synchronized to an accurate time source. An inaccurate clock time can cause federated logins to fail.
Here's a summary of the steps to add Entra metadata:
- Import the latest Microsoft Entra metadata from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
- Set the relying party ID to the same as the entityID from the Microsoft Entra metadata
- Synchronize your SAML 2.0 identity provider server's clock to an accurate time source
Required Attributes and Configuration
To get Azure SAML up and running, you need to focus on the required attributes and configuration.
Microsoft Entra ID requires a specific NameID format URI for SAML 2.0, which is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
The SAML 2.0 configuration requires a secure signing algorithm, so use SHA-256 rather than the deprecated SHA-1.
You'll need to configure your SAML 2.0 compliant identity provider to federate with Microsoft Entra ID, which involves setting up a domain in your Microsoft Entra Directory for federation.
Alongside the NameID format, the following values are required:
- The signing certificate as a base64-encoded string, obtained from your IdP metadata file.
- The correct Issuer URI, which must match the URI configured for each federated domain.
You'll also need to configure Azure AD claim rules, which map LDAP attributes to outgoing claim types. Verify the common attributes and claim mappings against your specific Azure AD configuration, and double-check your entries, as the mapping is case sensitive.
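An added example, not from the page or its sources, covering the requirements above: a Python check that an incoming assertion names the expected Issuer URI, uses the persistent NameID format, declares SHA-256 rather than SHA-1 algorithms, and falls inside its validity window with a clock-skew tolerance (the failure an unsynchronized IdP clock produces). The issuer, assertion and timestamps are constructed; verifying the XML signature itself is left to the SAML library.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Algorithm URIs that rest on SHA-1; the page requires SHA-256 instead.
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}

# Constructed sample assertion; the issuer, ID, NameID value and timestamps are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed01" Version="2.0">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    AbCdEf0123456789==</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""

def _ts(s):  # SAML timestamps are UTC in this form
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_issuer, now, skew=timedelta(minutes=5)):
    """Return the problems found; an empty list means the page's checks pass. Only the
    declared algorithms are inspected; the XML signature itself is not verified here."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append("issuer %r does not match configured %r" % (issuer, expected_issuer))
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    algs = [e.get("Algorithm") for tag in ("SignatureMethod", "DigestMethod")
            for e in root.iter("{%s}%s" % (NS["ds"], tag))]
    if not algs:
        problems.append("assertion carries no signature")
    elif any(a in SHA1_ALGS for a in algs):
        problems.append("SHA-1 based signature or digest algorithm")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    elif not (_ts(cond.get("NotBefore")) - skew <= now < _ts(cond.get("NotOnOrAfter")) + skew):
        problems.append("assertion outside validity window (check the IdP clock)")
    return problems
```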
Configure Identity Provider
To configure your identity provider, you'll need to enable communication between your SAML 2.0 identity provider and Microsoft Entra ID. This configuration is dependent on your specific identity provider, so be sure to refer to its documentation.
You'll need to set the relying party ID to the same as the entity ID from the Microsoft Entra metadata. To do this, download and import the latest Microsoft Entra metadata from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml.
Verify that the clock on your SAML 2.0 identity provider server is synchronized to an accurate time source. An inaccurate clock time can cause federated logins to fail.
To set up a trust between your SAML 2.0 identity provider and Microsoft Entra ID, add a domain as a single sign-on domain or convert an existing domain to one.
Verify the common attributes and claim mappings against your specific Azure AD configuration.
You should also import the IdP metadata file into your identity provider, such as SugarIdentity, to complete the configuration.
Frequently Asked Questions
What is the difference between SAML and SSO?
SAML is the standard that enables Single Sign-On (SSO), allowing users to log in with a single ID and password across multiple systems. In other words, SAML is the protocol that makes SSO possible.
What is the difference between SAML and LDAP in Azure?
SAML is ideal for secure access across multiple cloud or web applications, while LDAP is best for managing access within an internal network based on user roles. Choose the right one to streamline your authentication process.
What is SAML in Active Directory?
SAML (Security Assertion Markup Language) is an open standard used in Active Directory to simplify authentication between entities and web applications, based on the XML format. It enables standardized communication, making it easier to manage user access and identity verification.
Sources
- https://support.hyperglance.com/knowledge/setup-sso-with-saml-for-azure-ad
- https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-saml-idp
- https://help.tableau.com/current/server/en-us/saml_config_azure_server.htm
- https://support.sugarcrm.com/knowledge_base/password_management/saml_authentication/configuring_sso_with_azure_using_saml/
- https://kasmweb.com/docs/latest/guide/saml/azure.html