If you have been in the SaaS industry in recent years, you are surely familiar with Azure Active Directory (Azure AD). This popular access management service works seamlessly with Security Assertion Markup Language (SAML), a commonly used federation protocol. This detailed guide shows how the two work in tandem.
What Is Azure SAML?
Security Assertion Markup Language (SAML) is an open standard for transferring authentication and authorization information between identity providers and service providers. Technically, it is an XML-based language that enables security assertions, which are statements that service providers use to make access control decisions.
Azure Active Directory (Azure AD) is a cloud-based identity and access management service. It gives employees access to thousands of external resources such as the Azure portal, Microsoft 365, and other SaaS applications. Azure AD also integrates with on-premises identity management solutions like Microsoft Active Directory, enabling access to applications on corporate networks and intranets and allowing the same credentials to be used for on-premises and cloud-based systems.
How Azure AD Uses the SAML Protocol
Azure AD enables single sign-on (SSO) using a 7-step process, illustrated below. The cloud service (acting as the service provider) passes an AuthnRequest element to Azure AD (acting as the identity provider) using the HTTP redirect binding. Azure AD then returns the Response element to the cloud service using the HTTP POST binding. Azure AD also supports the HTTP redirect (GET) binding as an alternative to HTTP POST.
Azure AD exposes a common, tenant-independent SSO endpoint. Each URL represents an addressable location: the SSO endpoint is a resolvable URL rather than just an identifier, so you can request it and read the federation metadata it serves.
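The redirect binding described above carries the AuthnRequest as a raw-DEFLATEd, base64-encoded, URL-encoded SAMLRequest query parameter. This added example (not code from the original article or from Microsoft) builds such a request for an assumed placeholder tenant and service provider, and decodes it again the way the identity provider would before parsing it:

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

# Assumed values, not from the article: a placeholder tenant ID, a hypothetical
# service provider entity ID and its assertion consumer service (Reply) URL.
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
SSO_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/saml2"
SP_ENTITY_ID = "https://sp.example.com"
ACS_URL = "https://sp.example.com/SAML/Consume"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def build_authn_request(request_id):
    """Minimal SAML 2.0 AuthnRequest the service provider sends to Azure AD.
    The SP must remember request_id so it can later check InResponseTo."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def redirect_binding_url(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    (The HTTP-POST binding used for the Response is base64 only, in a form field.)"""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
    deflated = compressor.compress(xml_text.encode()) + compressor.flush()
    encoded = base64.b64encode(deflated).decode()
    return f"{SSO_ENDPOINT}?{urllib.parse.urlencode({'SAMLRequest': encoded})}"


def decode_redirect_binding(url):
    """Inverse of redirect_binding_url: what the IdP does before parsing the request."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode())
    return {
        "id": root.get("ID"),
        "issuer": root.find("saml:Issuer", SAML_NS).text,
        "acs": root.get("AssertionConsumerServiceURL"),
    }
```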
How to integrate Azure AD SAML with your applications
Azure AD supports the SAML 2.0 web browser single sign-on profile. For single sign-on to work, you must explicitly register your application’s logout URL (LogoutURL) with Azure AD when you register the application. If the app was added from the Azure Applications Gallery, this value may already be set by default; otherwise, the person who added the app to your Azure AD tenant must determine and set it. After users log out, Azure AD redirects them to the LogoutURL.
Enabling SSO for applications
The Microsoft identity platform employs protocols like SAML 2.0 to enable a single sign-on (SSO) experience for the users of an application. The SAML protocol enables an identity provider (i.e., Microsoft Identity Platform) and a service provider (i.e., the application) to exchange data. When developers register an application with Azure AD, they register federation-related data with Azure AD. This information includes the application’s redirect URI and metadata URI.
The Microsoft identity platform uses the cloud service’s metadata URI to obtain the signing key and logout URI. To register an app in the Azure Portal, navigate to Azure Active Directory > App registrations > Manage > Authentication.
Quick Tutorial: Enabling SAML SSO in Azure AD
Application management in Azure AD involves creating, configuring, managing, and monitoring cloud-based applications. Assigned users can securely access applications registered in an Azure AD tenant.
Add an Application
Prerequisites:
- An Azure AD user account.
- A Global Administrator role, a Cloud Application Administrator role, or an Application Administrator role.
Here is how you can add an enterprise application to an Azure AD tenant:
- Open the Azure Active Directory Admin Center.
- Log in to your account with a role authorized to add an application (listed in the prerequisites).
- Go to the left menu, and choose Enterprise applications. It opens the All applications pane, displaying a list of the apps in the Azure AD tenant.
- In the Enterprise applications pane, choose the New application option. It opens the Browse Azure AD Gallery pane, displaying tiles for on-premises applications, featured applications, and cloud platforms.
- The Featured applications section displays an icon that indicates whether the listed applications support federated single sign-on (SSO) and provisioning. Search for and choose an application. The image below shows what it looks like when choosing the Azure AD SAML Toolkit application.
- Enter a descriptive name for the application’s instance.
- Choose Create.
Enable SSO for an Application
- Go to the left menu, and choose Enterprise applications. It opens the All applications pane, displaying a list of all your applications in the Azure AD tenant. Search for and choose an application, such as Azure AD SAML Toolkit 1.
- Go to the Manage section in the left menu, and choose Single sign-on to open and edit this pane.
- Choose SAML. It opens the SSO configuration page.
- The configuration process for SAML-based SSO depends on the selected application. Application-specific configuration guidance is available via the link provided in the gallery entry.
After SSO is configured for the application, users can use their Azure AD tenant credentials to sign in to the application.
Configure Azure AD SSO
- Log in to the Azure portal.
- Go to the Manage section on the Azure AD SAML Toolkit page to integrate the application. Choose the single sign-on option.
- Go to Select a single sign-on method and choose SAML.
- Go to Set up single sign-on with SAML and select the edit icon next to Basic SAML Configuration. It enables you to edit the settings.
- Go to Basic SAML Configuration and enter values for these fields:
a. Sign-on URL—add this URL to the text box: https://samltoolkit.azurewebsites.net/
b. Reply URL—add this URL to the text box: https://samltoolkit.azurewebsites.net/SAML/Consume
- Go to SAML Signing Certificate in the single sign-on with SAML section. Find Certificate (Raw) and choose Download to download and save the certificate on your computer.
- Go to Set up Azure AD SAML Toolkit and copy the URL(s) your application requires (for example, the login URL and the Azure AD identifier).
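The Reply URL entered above and the downloaded signing certificate are the values the application must check every SAML Response against. This added example (not code from the article or from the SAML Toolkit) shows the policy checks a service provider performs on an assertion from Azure AD: expected issuer, Recipient equal to the Reply URL, InResponseTo matching an outstanding request, audience, and validity window. The tenant ID is a placeholder, the sample response is constructed, and the XML signature is only checked for presence; cryptographic verification against the downloaded certificate requires an XML-DSig library and is assumed to run separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumed: placeholder tenant; the SP identifier and Reply URL from the tutorial.
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SP_ENTITY_ID = "https://samltoolkit.azurewebsites.net/"
REPLY_URL = "https://samltoolkit.azurewebsites.net/SAML/Consume"

# Constructed sample response; the Signature element is a placeholder.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" InResponseTo="_req1" Destination="{REPLY_URL}">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer><ds:Signature><ds:SignatureValue>x</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID><saml:SubjectConfirmation>
   <saml:SubjectConfirmationData Recipient="{REPLY_URL}" InResponseTo="_req1" NotOnOrAfter="2024-01-01T00:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z or with fractional seconds."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, outstanding_request_ids, now_iso):
    """Return the list of policy violations; an empty list means the assertion passes
    these checks (signature verification with the IdP certificate is still required)."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion element"]
    problems = []
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("no XML Signature present")
    if a.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        problems.append("unexpected Issuer")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != REPLY_URL:
        problems.append("Recipient does not match the Reply URL")
    if scd is None or scd.get("InResponseTo") not in outstanding_request_ids:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        problems.append("Audience does not match this service provider's identifier")
    if cond is not None and not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    return problems
```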
Test Your SSO Configuration
Here is how you can test the Azure AD SSO configuration:
- Open the Azure portal.
- Find and choose the Test application option. It will redirect you to the SAML Toolkit sign-on URL page.
- On the SAML Toolkit sign-on URL page, you can trigger the login flow directly.
- Go to the Microsoft Access Panel, and select the SAML Toolkit tile. You should be automatically logged into your configured SAML Toolkit.
SAML with Frontegg
Frontegg is a self-service management platform that allows SaaS companies to implement powerful authentication flows with just a few clicks. Among the available options is Security Assertion Markup Language (SAML), which you can implement with multiple identity providers. This saves significant development time and allows your teams to focus on core product features.