
Setting up Azure SAML can be a straightforward process if you know what to expect. The first step is to create a SAML application in the Azure portal.
You'll need to provide the Identity Provider (IdP) metadata URL, which is usually obtained from your IdP administrator. This URL will be used to configure the SAML connection.
Once you've created the SAML application, you'll need to configure the protocol settings, including the SAML protocol version and the encryption algorithm. This ensures a secure connection between your Azure AD and the IdP.
The next step is to configure the attribute mapping between your Azure AD and the IdP. This involves mapping the user attributes from your Azure AD to the IdP's attributes.
Curious to learn more? Check out: Azure Auth Json Website Azure Ad Authentication
Prerequisites
To set up Azure SAML, you need a Microsoft Entra user account, which can be created for free if you don't already have one. Having one of the required roles, such as Cloud Application Administrator or Application Administrator, is also necessary.
You'll also need to complete the steps in Quickstart: Create and assign a user account. This will get you started with the right permissions to configure SAML.
Here are the specific roles you'll need to have: Cloud Application Administrator, Application Administrator, or owner of the service principal. This will give you the necessary permissions to configure SAML.
To use the SAML protocol, you'll need a basic understanding of it and familiarity with the application's SAML implementation. This is crucial for setting up SAML correctly.
You'll also need a web application configured as a SAML application, which must be able to send SAML AuthN requests and receive, decode, and verify SAML responses from Azure AD B2C. This is known as the relying party application or service provider.
Your SAML application must have a publicly available SAML metadata endpoint or XML document. If you don't have one, you can use the SAML test application provided by Azure AD B2C for testing.
Make sure your endpoints comply with the Azure AD B2C security requirements, which include deprecating older TLS versions and ciphers. For more information, see Azure AD B2C TLS and cipher suite requirements.
Readers also liked: Azure Saml Setup
Azure SAML Setup Overview
To set up Azure SAML, you need to understand the basics of the process.
The first step is to set up SAML in Single Sign-On. This is a crucial part of the process, as it allows you to integrate Azure with your existing identity provider.
To set up SAML in Single Sign-On, you'll need to follow these steps: Set up SAML in Single Sign‑OnSet up SAML in Microsoft Entra IDSet up Claims Mapping
Organizations that use Azure AD B2C as their customer identity and access management solution have a slightly different setup process.
The process involves Azure AD B2C serving as an identity provider (IdP) to achieve single-sign-on (SSO) with SAML-based applications.
Here's a step-by-step breakdown of the process: The application creates a SAML AuthN request that's sent to the SAML sign-in endpoint for Azure AD B2C.The user can use an Azure AD B2C local account or any other federated identity provider (if configured) to authenticate.If the user signs in by using a federated identity provider, a token response is sent to Azure AD B2C.Azure AD B2C generates a SAML assertion and sends it to the application.
You might like: Azure Ad Sso Saml Example
App Registration
To create an app registration in Azure, sign in to the Azure portal and search for Azure Active Directory. Under Manage, select App registrations and choose New registration. Enter a name and select one of the Supported account types that best reflects your organization requirements.
You'll also need to enter the reply URL of your site under Redirect URI, selecting Web as the platform. This is crucial for validating the audience during token validation.
To expose an API, select Expose an API in the left side panel and add your site URL as the App ID URI. This will allow you to validate the audience during token validation.
Here are the key steps to register an app registration in Azure:
- Sign in to the Azure portal and search for Azure Active Directory.
- Under Manage, select App registrations and choose New registration.
- Enter a name and select one of the Supported account types.
- Enter the reply URL of your site under Redirect URI.
- Expose an API and add your site URL as the App ID URI.
By following these steps, you'll be able to create a successful app registration in Azure.
Configure Settings
To configure settings for Azure SAML setup, you'll need to add sign-in and reply URL values, and download a certificate. This involves editing the Basic SAML Configuration section on the Set up Single Sign-On with SAML pane.
Select Edit in the Basic SAML Configuration section to begin the configuration process. For Reply URL (Assertion Consumer Service URL), enter https://samltoolkit.azurewebsites.net/SAML/Consume. For Sign on URL, enter https://samltoolkit.azurewebsites.net/.
The Identifier (Entity ID) is typically a URL specific to the application you're integrating with. For the Microsoft Entra SAML Toolkit 1 application, the value is automatically generated once you input the Sign on URL and Reply URL values.
To configure SAML settings for the application, sign in with the credentials of the user account that you already assigned to the application, and select SAML Configuration at the upper-left corner of the page. Select Create in the middle of the page, and enter the values that you recorded earlier for Login URL, Microsoft Entra Identifier, and Logout URL.
You'll also need to upload the certificate that you previously downloaded. Select Choose file to upload the certificate, and then select Create. Copy the values of the SP Initiated Login URL and the Assertion Consumer Service (ACS) URL to be used later.
Here are the steps to update single sign-on values in your tenant:
- In the Microsoft Entra admin center, select Edit in the Basic SAML Configuration section on the Set up single sign-on pane.
- For Reply URL (Assertion Consumer Service URL), enter the Assertion Consumer Service (ACS) URL value that you previously recorded.
- For Sign on URL, enter the SP Initiated Login URL value that you previously recorded.
- Select Save.
Note that you can follow the same process to implement other types of user flows, such as sign-in, password reset, or profile editing flows.
Claims and Mappings
Claims and Mappings are crucial steps in setting up Azure SAML. To set up claims mapping, go to Azure Active Directory > Enterprise Applications, click on your app, and then click Single sign-on. You can also enable user attribute mappings by clicking Edit in the Attributes and Claims section.
Claims mapping allows you to pass group membership claims to the app by clicking Add a group claim. This is done by editing the attributes in the Attributes and Claims section. The Identifier (Entity ID) is typically a URL specific to the application you're integrating with.
Here's a brief overview of the claims and mappings process:
Claims Mapping
Claims mapping is an essential step in the claims and mappings process. It involves setting up a mapping between the attributes of a user and the claims that are sent to an application.
To set up claims mapping, you need to go to Azure Active Directory (Microsoft Entra ID) > Enterprise Applications. From there, click on your app and then click Single sign-on.

Claims mapping allows you to pass group membership claims to an app by clicking Add a group claim. This is done in the Attributes and Claims section, where you can edit the attributes and add the group claim.
Here are the steps to enable user attribute mappings:
- In the Attributes and Claims section, click Edit.
- Edit the attributes.
- Pass group membership claims to the app by clicking Add a group claim:
By following these steps, you can successfully set up claims mapping and enable user attribute mappings. This will help you to pass the necessary claims to the application, ensuring a smooth and secure user experience.
Microsoft Entra Setup
To set up Microsoft Entra, start by adding it as an identity provider for your site in Power Pages. Select Security > Identity providers and make sure External login is set to On in your site's general authentication settings.
If no identity providers appear, you'll need to add Microsoft Entra as a new provider. Select + New provider and choose Other as the login provider.
You'll then need to select SAML 2.0 as the protocol and enter a name for the provider, such as Microsoft Entra ID. This name will appear on the sign-in page as the text on the button that users see when they select their identity provider.
To set up SAML in Microsoft Entra ID, log in to Microsoft Entra ID as a Global Admin in the Microsoft Azure portal. From there, go to the Microsoft Entra ID tab and select Enterprise application.
Click New application and then Create your own application to add a new application. Enter a name and select Integrate any other application you don’t find in the gallery (Non-gallery).
Once your application is created, go to the application overview and click Set up single sign on > SAML. You'll need to upload the metadata file you downloaded earlier to complete the setup.
After setting up SAML in Microsoft Entra ID, you'll need to record the App Federation Metadata Url. This URL is crucial for setting up the SSO identity provider configurations.
Here's a summary of the steps to set up Microsoft Entra:
- Add Microsoft Entra as an identity provider in Power Pages
- Set up SAML in Microsoft Entra ID as a Global Admin
- Upload the metadata file to complete the SAML setup
- Record the App Federation Metadata Url
Active Directory Setup
To set up Active Directory, you'll need to create a new domain controller in Azure. This will involve installing the Active Directory Domain Services (AD DS) role on a virtual machine.
The AD DS role is a key component of Active Directory, allowing you to manage user accounts, groups, and other objects within your directory.
You'll also need to configure the DNS settings for your virtual machine, as Active Directory relies on DNS for name resolution.
In Azure, you can use the built-in Azure DNS service or configure a custom DNS server.
Once your domain controller is set up, you'll need to add users and groups to your Active Directory, which will involve creating new user objects and assigning them to relevant groups.
This process can be automated using Azure Active Directory (Azure AD) Connect, which allows you to synchronize your on-premises Active Directory with Azure AD.
Consider reading: Azure Public Dns
Unsupported Modality
If you're setting up Azure SAML, there are some SAML application scenarios that aren't supported.
The following SAML application scenarios are not supported via your own metadata endpoint:
- IdP-initiated sign-on, where the identity provider is not Azure AD B2C.
- Specifying a single sign-out URL.
- Using the POST binding for the sign-out URL.
- Not specifying a signing key to verify relying party requests.
- Not specifying a token encryption key in the application or service principal object.
These unsupported modalities can impact your Azure SAML setup, so it's essential to understand what's supported and what's not.
Featured Images: pexels.com


