
Setting up Azure SAML SSO is a straightforward process that can be completed in a few steps.
To begin, you'll need to register your application in the Azure portal. This involves creating a new application registration, which will give you a client ID and client secret that you'll use later in the process.
You can find these values in the Azure portal under the "Azure Active Directory" section, specifically in the "App registrations" page.
The client ID is a unique identifier for your application, while the client secret is a password that you'll use to authenticate with Azure.
A unique perspective: Microsoft Entra vs Azure Ad
Setting Up SSO
To set up SSO with Azure Active Directory using SAML, you'll need to create a new application in the Azure portal. Log in to the Azure Portal and search for Active Directory, then select Groups and create a new group, such as Hyperglance Admins.
In the Azure AD Organisation management, select Enterprise applications and click New Application. Choose Single sign-on and select the SAML option. On the VM, generate Service Provider (SP) metadata by running a script, such as /usr/bin/mellon_create_metadata.sh.
You'll need to upload the sp.xml file from the VM to the Azure portal and replace the empty idp.xml file on the VM with the Federation Metadata XML downloaded from the Sign sign-on page in the Azure portal.
See what others are reading: What Is Windows Azure Active Directory
Setting Up Single Sign-On
Setting up Single Sign-On (SSO) is a crucial step in streamlining your organization's security and user experience. To begin, you'll need to log into the Azure portal using one of the roles listed in the prerequisites.
First, you'll need to create an application in the Azure portal. This can be done by going to Microsoft Entra ID, then selecting Enterprise applications, and searching for and selecting the application you want to use. For example, UiPath.
Once you've created an application, you'll need to configure Single sign-on (SSO). This can be done by selecting SAML to open the SSO configuration page. After the application has been configured, users can sign into it using their Microsoft Entra ID tenant credentials.
To configure SAML, you'll need to fill out the Entity ID and Assertion Consumer Service (ACS) URL fields based on the values provided in the SAML configuration settings in the Orchestrator portal. You can find these values in the Orchestrator portal's SAML configuration page.
Check this out: Atlassian Sso Azure B2c Configuration

Here are the steps to configure SAML:
After configuring SAML, you'll need to copy the App Federation Metadata Url and paste it into the Orchestrator portal's SAML Configuration page. You can then select Fetch data to have the system request user-related info from the identity provider.
In some cases, you may encounter issues when trying to set the Identifier (Entity ID) or Reply URL for Azure SAML SSO configuration. If this happens, you may need to check your permissions to ensure you have the maximum permissions for your organization.
Once you've completed the above steps, you'll be able to set up Single Sign-On for your application. This will allow users to sign in using their Microsoft Entra ID tenant credentials, streamlining your organization's security and user experience.
Take a look at this: Azure Ad B2c vs Entra Id
Scoping
Scoping is an optional element in AuthnRequest elements sent to Microsoft Entra ID.
The Scoping element includes a list of identity providers, which is a crucial aspect to consider when setting up SSO.
If you choose to include the Scoping element, make sure to leave out the ProxyCount attribute, as it's not supported.
You'll also want to exclude the IDPListOption and RequesterID elements, as they're not supported either.
This ensures that your setup is compatible with Microsoft Entra ID and avoids any potential issues.
By following these guidelines, you can set up a seamless SSO experience for your users.
SAML SSO Configuration
To set up SAML SSO with Azure AD, start by logging into the Azure portal and searching for Active Directory. From there, you'll need to configure groups that will be associated with Hyperglance Roles later on. Select Groups, click New Group, and name it Hyperglance Admins.
To configure the SAML SSO, return to the Azure AD Organisation management and select Enterprise applications. Click New Application, and then select Single sign-on and pick the SAML option presented. This will allow you to set up the SAML configuration.
For more insights, see: Azure Ad Sso Saml Example
To generate the Service Provider (SP) metadata, run the script /usr/bin/mellon_create_metadata.sh on the VM, adjusting the IP address as necessary. The script will generate an sp.xml file and an empty idp.xml file that you'll need to use in the next steps.
To complete the SAML configuration, upload the sp.xml file to the Azure portal using the "Upload metadata file" option, and then replace the empty idp.xml file on the VM with the Federation Metadata XML you can download from the Sign sign-on page in the Azure portal.
Here's a list of the steps to set up SAML SSO:
- Log into the Azure portal and search for Active Directory
- Configure groups that will be associated with Hyperglance Roles later on
- Select Groups, click New Group, and name it Hyperglance Admins
- Return to the Azure AD Organisation management and select Enterprise applications
- Click New Application, and then select Single sign-on and pick the SAML option presented
- Run the script /usr/bin/mellon_create_metadata.sh on the VM
- Upload the sp.xml file to the Azure portal using the "Upload metadata file" option
- Replace the empty idp.xml file on the VM with the Federation Metadata XML you can download from the Sign sign-on page in the Azure portal
Note that the Entity ID and Reply URL fields may be greyed out if you don't have the maximum permissions for your organization. However, you can still set up SAML SSO by following the steps outlined above.
Troubleshooting and Configuration
If you're having trouble setting up Azure SAML SSO, start by checking your permissions. Ensure you have the maximum permissions for your organization, as this may be the reason the Identifier (Entity ID) and Reply URL fields are greyed out.
To configure groups for SSO, begin by selecting Groups in the Azure Portal. Then, click New Group and create a group, such as Hyperglance Admins. This group will be associated with Hyperglance Roles later on.
If you're having issues with the Identifier (Entity ID) or Reply URL fields, try checking the Azure SAML SSO configuration guide to see if the fields are greyed out there as well. This may indicate a specific issue with your setup.
Status
The Status element is a crucial part of the sign-on process, conveying the success or failure of sign-on.
It includes the StatusCode element, which contains a code or a set of nested codes that represents the status of the request. This code can give you a clear indication of what went wrong during the sign-on process.
The StatusMessage element is also part of the Status element, containing custom error messages generated during the sign-on process. These messages can provide valuable insight into the issue at hand.
In the case of an unsuccessful sign-on attempt, the SAML response will include the Status element with a corresponding error message. This can help you identify and troubleshoot the problem more efficiently.
Conditions

The conditions that define the acceptable use of SAML assertions are crucial for a smooth Single Sign-On (SSO) experience.
The NotBefore attribute must be equal to or slightly later than the value of the IssueInstant attribute of the Assertion element, with no buffer added by Microsoft Entra ID.
This means that the NotBefore attribute cannot be earlier than the IssueInstant attribute, and the difference should be minimal, less than a second.
The NotOnOrAfter attribute must be 70 minutes later than the value of the NotBefore attribute, ensuring that the assertion remains valid for a specific period.
This interval is essential for maintaining the integrity and security of the SAML assertion, and it's essential to configure it correctly for a successful SAML setup.
Here's a summary of the conditions:
- NotBefore attribute: equal to or slightly later than IssueInstant attribute
- NotOnOrAfter attribute: 70 minutes later than NotBefore attribute
By understanding and configuring these conditions correctly, you can ensure a seamless SSO experience for your users.
SSO Configuration: Missing Identifier or Reply URL
If you're trying to set up SSO with SAML for Azure AD but can't enter the Identifier (Entity ID) or Reply URL, don't worry, you're not alone. This issue is caused by Azure not being able to generate the metadata file.
First, make sure you have the maximum permissions for your organization. This is a common requirement for setting up SSO configurations. If you're still having trouble, it's likely because the metadata file hasn't been generated.
To generate the metadata file, you need to run a script on your VM. The script is called mellon_create_metadata.sh, and it's used to create the Service Provider (SP) metadata. You'll need to adjust the IP address to match your setup.
Here's a quick rundown of the script's parameters:
- The 1st parameter is the SAML Entity ID, which can be any URI that uniquely identifies your Hyperglance install.
- The 2nd parameter is the URL to the SAML endpoint for your Hyperglance VM.
Make sure you upload the generated sp.xml file to the Azure portal using the "Upload metadata file" option. This should populate the Entity ID and Reply URL fields, allowing you to proceed with the SSO configuration.
If you're still having trouble, try checking the Azure portal's documentation for more information on setting up SSO configurations.
Microsoft Entra and Power Pages
To set up Microsoft Entra as an identity provider for your Power Pages site, start by selecting Security > Identity providers in your Power Pages site. Make sure External login is set to On in your site's general authentication settings.
If this caught your attention, see: Why Identity Is Important
You'll then need to select + New provider, and under Select login provider, choose Other. Next, select SAML 2.0 as the protocol.
To create the provider, enter a name for the provider, such as Microsoft Entra ID. This name will appear on the button that users see when they select their identity provider on the sign-in page.
Here's a step-by-step guide to setting up Microsoft Entra:
- Set up Microsoft Entra as an identity provider for your Power Pages site.
- Make sure External login is set to On in your site's general authentication settings.
- Enter a name for the provider, such as Microsoft Entra ID.
- Copy the Reply URL.
App Registration
To register an app in Azure, you need to sign in to the Azure portal. Search for and select Azure Active Directory, then under Manage, select App registrations.
To create a new app registration, select New registration. Enter a name and select one of the Supported account types that best reflects your organization requirements. Under Redirect URI, select Web as the platform, and then enter the reply URL of your site.
You'll need to enter the reply URL of your site, which is the URL that users will be redirected to after authenticating. This is a critical step in the app registration process.
For another approach, see: Azure App Insights vs Azure Monitor
In the left side panel, select Expose an API. To the right of Application ID URI, select Add, and enter your site URL as the App ID URI. Select Save.
To access the federation metadata document URL, select Endpoints at the top of the page, find the Federation metadata document URL, and select the copy icon. In a new browser tab, paste the federation metadata document URL you copied earlier.
Copy the value of the entityID tag in the document, which you'll need later for SAML SSO configuration.
Broaden your view: Google Cloud Platform Project Id
Step-by-Step Instructions
To set up Azure SAML SSO, start by clicking on Manage Active Azure Directory on the Home page. From there, select Enterprise applications on the left side menu.
Next, click on New application and then Create your own application to begin the process. You'll need to select the created application and click on Set up single sign on, then choose the SAML option.
A different take: Azure Active Directory Saml
Now, click on Edit button on Basic SAML configuration and enter the required information. You'll also need to click on Edit button on User Attributes and Claims and enter the following information:
After entering the required information, copy the Login URL value and paste it in the Login URL field on Insightful. You'll also need to copy the Azure AD Identifier and paste it in the Issuer ID field on Insightful.
Next, download the SAML Signing Certificate and upload it to the Identity Provider Certificate field in Insightful.
Featured Images: pexels.com


