SAML Configuration for Azure AD
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). This guide configures SAML single sign-on with Azure AD (now branded Microsoft Entra ID) as the IdP and your application as the SP.
📥 Download Service Provider Metadata
Click the "Metadata" button in the SSO configuration modal to download your application's SAML metadata file. This file contains all the necessary configuration details for Azure AD.
Step 1: Register Your Application in Azure AD
1. Access Azure Portal
Sign in to the Azure Portal with an account that holds the Application Administrator or Cloud Application Administrator role (or higher). A role scoped to application management is enough for every step below; a Global Administrator account is not required.
2. Navigate to Azure Active Directory
Go to Azure Active Directory → Enterprise applications → New application
3. Create New Application
Click "Create your own application" and select "Integrate any other application you don't find in the gallery (Non-gallery)".
4. Configure Basic Information
Enter the following details:
- Name: Your Application Name
- Description: SSO integration for your application
Step 2: Configure SAML Settings
5. Set Up Single Sign-on
In the enterprise application you just created, go to Manage → Single sign-on and choose SAML.
6. Configure Basic SAML Configuration
Click "Edit" in the Basic SAML Configuration section and enter the values from the Service Provider metadata you downloaded above (they must match exactly, including the trailing path):
Identifier (Entity ID)
https://yourdomain.com/saml/metadata
Reply URL (Assertion Consumer Service URL)
https://yourdomain.com/saml/acs
Sign on URL (Optional)
https://yourdomain.com/login
The Identifier is the value Azure AD puts in the assertion's Audience element, so your application must reject assertions whose Audience differs from it. Azure AD only posts assertions to registered Reply URLs, so list only the HTTPS endpoints your application actually serves.
Step 3: Configure User Attributes
7. Set Up User Attributes
In the User Attributes & Claims section, configure the following attribute mappings:
User Principal Name → user.userprincipalname
Email Address → user.mail
Display Name → user.displayname
Given Name → user.givenname
Surname → user.surname
Unique User Identifier → user.objectid
Azure AD defaults the Unique User Identifier (the SAML NameID) to user.userprincipalname. Mapping it to user.objectid instead gives your application a stable key: the object ID never changes for the life of the account, whereas a UPN or email address can be renamed or reassigned, which would let a renamed account inherit another user's application data. Note that user.mail is empty for accounts without a mailbox; if your application requires an email address, fall back to user.userprincipalname rather than failing the login.
Step 4: Download Federation Metadata
8. Download Azure AD Metadata
In the SAML Signing Certificate section, click "Download" next to "Federation Metadata XML" to download the Azure AD metadata file.
9. Note Configuration Values
From the downloaded metadata, note the following values:
- Entity ID: Usually https://sts.windows.net/{tenant-id}/
- Single Sign-On URL: https://login.microsoftonline.com/{tenant-id}/saml2
- Single Logout URL: https://login.microsoftonline.com/{tenant-id}/saml2 (Azure AD uses the same endpoint for both)
- X.509 Certificate: The signing certificate from the metadata file. Your application uses it to verify the signature on every SAML response; it has an expiry date (three years by default for certificates Azure AD generates), so record that date and plan a rotation before it lapses, or logins will fail.
Step 5: Configure Your Application
10. Enter Azure AD Configuration
In your application's SSO configuration, enter the following details:
Identity Provider Settings
Entity ID: https://sts.windows.net/{your-tenant-id}/
Single Sign-On URL: https://login.microsoftonline.com/{your-tenant-id}/saml2
Single Logout URL: https://login.microsoftonline.com/{your-tenant-id}/saml2
X.509 Certificate: [Paste the base64 certificate body from the metadata file]
The Entity ID must match the Issuer element of incoming assertions exactly, including the trailing slash. Your application should reject any response or assertion that is unsigned or whose signature does not verify against this certificate, and should enforce the assertion's NotBefore/NotOnOrAfter window.
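Steps 8 to 10 are error-prone when done by hand: the tenant ID is copied twice, and the certificate is a long base64 blob. The following Python script, added here as an example and not part of the product's own configuration tooling, parses a Federation Metadata XML file with the standard library, extracts the four values listed in step 9, cross-checks that the Entity ID and the SSO endpoint belong to the same tenant on the expected Azure AD hosts (an assumption: the host patterns are those of the global cloud), and computes a SHA-256 fingerprint of each signing certificate so you can pin it and alert on rotation. The embedded metadata is a constructed sample in Azure AD's shape with a placeholder tenant ID and placeholder certificate bytes, not a real certificate.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Namespaces used by Azure AD's Federation Metadata XML.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Expected shapes for the Azure AD global cloud (assumption: national clouds use other hosts).
ENTITY_ID_RE = re.compile(r"https://sts\.windows\.net/([0-9a-f-]{36})/")
ENDPOINT_RE = re.compile(r"https://login\.microsoftonline\.com/([0-9a-f-]{36})/saml2")

# Constructed sample in the shape of Azure AD's Federation Metadata XML. The tenant ID is a
# placeholder and the certificate body is placeholder bytes, not a real X.509 certificate.
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder, not a real DER certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{PLACEHOLDER_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes inside <X509Certificate>, usable for pinning and rotation alerts."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def _service_location(idp, tag: str, binding: str):
    """Location of the first <tag> element advertising the given SAML binding, or None."""
    for svc in idp.findall(f"md:{tag}", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the step 9 values from Azure AD federation metadata and sanity-check them."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")

    entity_id = root.get("entityID", "")
    # SP-initiated login sends the AuthnRequest with HTTP-Redirect; Azure AD also offers HTTP-POST.
    sso_url = _service_location(idp, "SingleSignOnService", HTTP_REDIRECT)
    slo_url = _service_location(idp, "SingleLogoutService", HTTP_REDIRECT)

    # Only collect signing keys; a KeyDescriptor without "use" serves both signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate: assertion signatures could not be verified")

    # Cross-check: entity ID and endpoints must belong to the same tenant on the expected hosts.
    m_entity = ENTITY_ID_RE.fullmatch(entity_id)
    m_sso = ENDPOINT_RE.fullmatch(sso_url or "")
    if not m_entity or not m_sso:
        raise ValueError("entity ID or SSO URL does not look like Azure AD; metadata may be tampered")
    if m_entity.group(1) != m_sso.group(1):
        raise ValueError("entity ID and SSO URL refer to different tenants")
    if slo_url and ENDPOINT_RE.fullmatch(slo_url) is None:
        raise ValueError("SLO URL is not an Azure AD endpoint")

    return {
        "tenant_id": m_entity.group(1),
        "entity_id": entity_id,
        "sso_url": sso_url,
        "slo_url": slo_url,
        "signing_certs": certs,
        "signing_cert_fingerprints": [cert_fingerprint(c) for c in certs],
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Feed the real file in with `parse_idp_metadata(open("FederationMetadata.xml").read())`. Store the fingerprint alongside the certificate in your configuration: when Azure AD rolls the certificate, the fingerprint of the freshly downloaded metadata changes, which is the cue to update the value in step 10 before the old certificate expires.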
Step 6: Assign Users
11. Assign Users to Application
Go to Users and groups → Add user/group and assign the users (preferably groups) who should have access to your application. Then open Properties and confirm that "Assignment required?" is set to Yes; if it is No, the assignment list is not enforced and any user in the tenant can sign in to your application.
Step 7: Test Configuration
12. Test SAML SSO
Use the "Test this application" feature in Azure AD to test the SAML configuration.
Important: Test the configuration with a non-admin account that has been assigned to the application, to confirm both that user provisioning and attribute mapping work and that unassigned users are refused.
OAuth2 Configuration for Azure AD
OAuth2 is an authorization framework that enables applications to obtain limited access to user accounts. Signing users in on top of it uses OpenID Connect (OIDC), which is what the openid scope, the ID token and the user info endpoint below belong to. This guide will help you configure that integration with Azure AD.
Step 1: Register Your Application in Azure AD
1. Access Azure Portal
Sign in to the Azure Portal with an account that holds the Application Administrator or Cloud Application Administrator role (or higher); a Global Administrator account is not required.
2. Navigate to App Registrations
Go to Azure Active Directory → App registrations → New registration
3. Register New Application
Enter the following details:
- Name: Your Application Name
- Supported account types: Choose based on your requirements. "Accounts in this organizational directory only" (single tenant) is the safe default; if you allow accounts from any organizational directory (multi-tenant), your application must check the tid claim of every token, or users from any Azure AD tenant can sign in.
- Redirect URI: select the Web platform and enter https://yourdomain.com/oauth/callback. Azure AD matches redirect URIs exactly, so register the precise HTTPS URL your application uses.
Step 2: Configure Authentication
4. Set Up Authentication
Go to Authentication and configure:
- Platform configurations: Add Web platform
- Redirect URIs: https://yourdomain.com/oauth/callback
- Implicit grant and hybrid flows: leave both "Access tokens" and "ID tokens" unchecked. The configuration in this guide uses the authorization code flow with a client secret, which receives the ID token from the token endpoint; the implicit checkboxes are only needed for response_type=id_token (implicit or hybrid) flows, and enabling them lets tokens be returned in the browser where they do not need to be.
Step 3: Configure API Permissions
5. Add API Permissions
Go to API permissions and add the following delegated permissions:
- Microsoft Graph: User.Read (delegated)
- Microsoft Graph: email (delegated)
- Microsoft Graph: profile (delegated)
- Microsoft Graph: openid (delegated)
Step 4: Generate Client Secret
6. Create Client Secret
Go to Certificates & secrets → New client secret and create a new secret. Important: Copy the secret value immediately, as it won't be shown again, and store it in a secret store rather than in source control. The secret has an expiry (180 days by default in the portal, 24 months at most); record the date and rotate it before then, or logins will start failing at the token endpoint.
Step 5: Note Configuration Values
7. Get Application Details
From the Overview page, note the following values:
- Application (client) ID: Your OAuth2 Client ID
- Directory (tenant) ID: Your Azure AD Tenant ID
- Client Secret: The secret you created in step 6
Step 6: Configure Your Application
8. Enter OAuth2 Configuration
In your application's SSO configuration, enter the following details:
OAuth2 Settings
Client ID: {your-application-client-id}
Client Secret: {your-client-secret}
Authorization Endpoint: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
Token Endpoint: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
User Info Endpoint: https://graph.microsoft.com/oidc/userinfo
Redirect URI: https://yourdomain.com/oauth/callback
Scope: openid email profile
Add offline_access to the scope only if your application needs refresh tokens; without it the v2.0 endpoint issues none. Your application should send a random state (and, where supported, PKCE) on every authorization request and verify the ID token's signature, issuer, audience, expiry and nonce before trusting it.
Step 7: Test Configuration
9. Test OAuth2 Flow
Test the OAuth2 configuration by signing in with a non-admin Azure AD account and confirming that the ID token carries the expected tenant (tid), audience (aud) and user claims.
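To make the checks behind steps 4 to 9 concrete, here is an added Python example (not the product's own code) of the relying-party side of the authorization code flow against the endpoints in step 8. It builds the authorize URL with a random state, a nonce and a PKCE S256 challenge, validates the state on the callback before assembling the token request, and then applies the claim checks (issuer, audience, tenant, validity window, nonce) that must run on the ID token after a JWT library has verified its signature against the tenant's JWKS. The tenant ID, client ID and the ID-token claims are constructed placeholders, and signature verification is assumed to happen outside this code.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder identifiers (assumptions); real values come from the app registration's Overview page.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://yourdomain.com/oauth/callback"

AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
AUTHORIZE_ENDPOINT = f"{AUTHORITY}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"{AUTHORITY}/oauth2/v2.0/token"
EXPECTED_ISSUER = f"{AUTHORITY}/v2.0"   # iss claim of v2.0 ID tokens for a single-tenant app
SCOPE = "openid email profile"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def start_login(session: dict) -> str:
    """Build the authorize URL. state (CSRF), nonce (ID-token replay) and the PKCE verifier
    are kept in the server-side session so the callback can check them."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["oauth_nonce"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)
    challenge = _b64url(hashlib.sha256(session["pkce_verifier"].encode()).digest())
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",          # authorization code flow: no tokens in the front channel
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": SCOPE,
        "state": session["oauth_state"],
        "nonce": session["oauth_nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str, client_secret: str) -> dict:
    """Check the redirect back from Azure AD and build the form body to POST to TOKEN_ENDPOINT."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization failed: {query['error'][0]}")
    expected_state = session.pop("oauth_state", None)   # single use: a replayed callback fails
    returned_state = query.get("state", [""])[0]
    if not expected_state or not secrets.compare_digest(returned_state, expected_state):
        raise PermissionError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [""])[0]
    verifier = session.pop("pkce_verifier", None)
    if not code or not verifier:
        raise PermissionError("missing authorization code or PKCE verifier")
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,   # loaded from a secret store, never hard-coded
        "code": code,
        "redirect_uri": REDIRECT_URI,     # must match the registered redirect URI exactly
        "code_verifier": verifier,
    }


def validate_id_token_claims(session: dict, claims: dict, now=None) -> dict:
    """Claim checks for the ID token payload. Run them only after your JWT library has verified
    the token signature against the tenant JWKS; signature verification is outside this example."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise PermissionError("token was issued to a different client")
    if claims.get("tid") != TENANT_ID:
        raise PermissionError("token from a foreign tenant")
    if now >= int(claims.get("exp", 0)) or now < int(claims.get("nbf", 0)):
        raise PermissionError("token outside its validity window")
    expected_nonce = session.pop("oauth_nonce", None)
    if not expected_nonce or not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise PermissionError("nonce mismatch: ID token replay")
    # Key the local account on the immutable object ID, not on email/UPN, which can change.
    return {
        "oid": claims["oid"],
        "username": claims.get("preferred_username"),
        "email": claims.get("email"),
        "name": claims.get("name"),
    }
```

The token request body returned by `handle_callback` is what your HTTP client POSTs as `application/x-www-form-urlencoded` to `TOKEN_ENDPOINT`; the `id_token` in the JSON reply is what `validate_id_token_claims` inspects once its signature has been checked. Both `state` and `nonce` are popped from the session on first use, so a second delivery of the same callback or token is rejected rather than silently accepted.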
OAuth2 Benefits:
- Widely supported authorization protocol with well-defined token handling
- Better user experience with automatic token refresh (requires the offline_access scope, which makes the token endpoint issue a refresh token)
- Granular permission control through scopes
- Support for mobile and web applications
If you encounter any issues during configuration, please contact our support team with the following information:
© 2024 Your Company. All rights reserved. | This document is confidential and intended for authorized users only.