
Add a SAML application to Azure

SAML clients of various kinds can use Azure AD as the identity provider (IdP) for MACID authentication.

Basic SAML configuration for Azure integration

Many apps are already pre-configured in the Azure app gallery, so you don’t need to worry about specific settings to add and configure them. If your application is not natively recognized by Azure (a Non-Gallery App), you have to make Azure recognize it, either by manually providing the required values or by providing a metadata file from which the values of the required SAML fields are extracted. The following are the basic SAML settings that enable Azure to recognize your application via SAML:

Basic SAML configuration settings (for each setting: whether it is required for SP-initiated and for IdP-initiated sign-on, then a description)

Identifier (Entity ID)
  SP-initiated: required for some apps. IdP-initiated: required for some apps.
  Uniquely identifies the application. Azure AD sends the identifier to the application as the Audience parameter of the SAML token, and the application is expected to validate it. This value also appears as the Entity ID in any SAML metadata provided by the application. Enter a URL that uses the following pattern: ‘https://.contoso.com’. You can find this value as the Issuer element in the AuthnRequest (SAML request) sent by the application.

Reply URL
  SP-initiated: required. IdP-initiated: required.
  Specifies where the application expects to receive the SAML token. The reply URL is also referred to as the Assertion Consumer Service (ACS) URL. You can use the additional reply URL fields to specify multiple reply URLs. For example, you might need additional reply URLs for multiple subdomains, or, for testing purposes, you can specify multiple reply URLs (localhost and public URLs) at one time.

Sign-on URL
  SP-initiated: required. IdP-initiated: don’t specify.
  When a user opens this URL, the service provider redirects to Azure AD to authenticate and sign on the user. Azure AD uses the URL to start the application from Microsoft 365 or Azure AD My Apps. When blank, Azure AD does an IdP-initiated sign-on when a user launches the application from Microsoft 365, Azure AD My Apps, or the Azure AD SSO URL.

Relay State
  SP-initiated: optional. IdP-initiated: optional.
  Specifies to the application where to redirect the user after authentication is completed. Typically the value is a valid URL for the application. However, some applications use this field differently. For more information, ask the application vendor.

Logout URL
  SP-initiated: optional. IdP-initiated: optional.
  Used to send the SAML Logout responses back to the application.

User attributes and claims

When a user authenticates to your application, Azure AD issues the application a SAML token with information (attributes/claims) about the user that uniquely identifies them. By default, this information includes the user’s MACID, email address, first name, and last name. You might need to customize these claims if, for example, your application requires specific claim values or a specific format.

The Unique User Identifier (MACID) is a required claim and is important. The default value (EduPerson) is user.userprincipalname. This identifier uniquely identifies each user within the application. For example, if the email address is based on this unique identifier, the value would be macid@mcmaster.ca.

To learn more about customizing SAML claims, see How to: customize claims issued in the SAML token for enterprise applications.

You can also add new claims; for details, see Adding application-specific claims. To add group claims, see Configure group claims.

SAML signing certificate

Azure AD uses a certificate to sign the SAML tokens it sends to your application. Your application needs this certificate to verify those signatures, which is what establishes the trust between Azure AD and the application. The value of this certificate should be provided by the person who is configuring your application to be recognized by Azure AD.

Set up the application to use Azure AD

On the SAML client side, certain values need to be configured in your application so that it uses Azure AD as its SAML identity provider. Where you set these values depends on the configuration steps of your specific SAML client software. For example, if you are configuring GitHub, you would go to the github.com site and set the values there. If the application is already pre-configured and in the Azure AD gallery, you will find a link to View step-by-step instructions. Otherwise, you will need to use the documentation for the specific SAML client you are configuring.

The Login URL and Logout URL values both resolve to the same endpoint, which is the SAML request-handling endpoint for the Azure AD tenant.

The Azure AD Identifier is the value of the Issuer in the SAML token issued to the application.
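The Identifier (Entity ID) and Reply URL settings above, together with the Azure AD Identifier that appears as the token's Issuer, are the values a service provider has to check on every SAML response it receives. The following is an added example (not from this page or from Microsoft) of those checks using only the Python standard library; it assumes signature verification against the Azure AD signing certificate has already been done by an XML-DSig library, and the identifier, Entity ID, Reply URL and sample response are constructed placeholders.

```python
# Added example, not from the McMaster page: the service-provider-side checks an
# application should run on a SAML Response from Azure AD before trusting it.
# Signature verification against the Azure AD signing certificate is assumed to
# happen first in an XML-DSig library (e.g. python3-saml); stdlib only here.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholder values; real ones come from the Azure portal.
AZURE_AD_IDENTIFIER = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"  # Issuer
ENTITY_ID = "https://app.example.mcmaster.ca"            # Identifier (Entity ID)
REPLY_URL = "https://app.example.mcmaster.ca/saml/acs"   # Reply URL (ACS)

def _ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, now_iso):
    # Returns the NameID if every check passes, otherwise raises ValueError.
    now, root = _ts(now_iso), ET.fromstring(xml_text)
    if root.get("Destination") != REPLY_URL:
        raise ValueError("Destination is not our Reply URL")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != AZURE_AD_IDENTIFIER:
        raise ValueError("missing Assertion or Issuer is not the Azure AD Identifier")
    audiences = [x.text for x in a.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if ENTITY_ID not in audiences:  # the Audience check the table calls for
        raise ValueError("Audience does not match our Entity ID")
    c = a.find("saml:Conditions", NS)
    if not (_ts(c.get("NotBefore")) <= now < _ts(c.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def is_valid(xml_text, now_iso):
    try:
        return validate_response(xml_text, now_iso) is not None
    except ValueError:
        return False

# Constructed sample Response (unsigned, illustration only).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" Destination="{REPLY_URL}">
 <saml:Assertion><saml:Issuer>{AZURE_AD_IDENTIFIER}</saml:Issuer>
  <saml:Subject><saml:NameID>macid@mcmaster.ca</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
   <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""
```

A response whose Audience is another application's Entity ID, whose Issuer is a different tenant, or whose validity window has passed is rejected even though the rest of the document is intact.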

Test single sign-on

Once you’ve configured your application to use Azure AD as a SAML-based identity provider, you can test the settings to see if single sign-on works for your SAML client.

Use the Entity ID URL you provided and try to trigger an Azure session by invoking the login URL provided by the person who configured your application to be recognized by Azure AD. You might need to request a test account if you do not want to use ‘live’ accounts for testing.

If sign-on is successful, you can then request that users and groups be assigned to your SAML application.