1) Go to “Microsoft Azure Portal”.
Open “Azure Active Directory” blade.
Open “Enterprise applications”.
2) Click “+ New application”
3) Select “Non-gallery application” and give the application a “Name”.
Note: you will need “Azure Active Directory Premium P1” at a minimum for “SAML-based single sign on”.
4) Select “SAML” protocol.
5) Scroll down and download “Stage 3 SAML Signing Certificate - Certificate (Base 64)”.
Copy “Stage 4 Login URL” and “Logout URL”.
These values will be used to set up the “Auth0 SAMLP Identity Provider connection” via the “Auth0 management portal”.
6) Navigate to your “Auth0 management portal”.
Open “connections enterprise”.
Add a new “SAMLP Identity Provider”.
7) Enter your “Connection Name”.
Enter the “Sign in URL” / “Sign Out URL” using the “Login URL” and “Logout URL” obtained in step 5 above.
Upload the X509 Signing Certificate downloaded in step 5.
Under “Applications”, toggle on the appropriate application.
8) Note: if you have multiple Auth0 Connections enabled for your Auth0 Application, you will need to enter “Email domains” so that the Lock login screen offers SSO login once the user’s email is entered.
9) Leave the “IdP-Initiated SSO” defaults as below, as we are using a custom domain and the originating application will be used.
10) Go to your “Azure Management Portal” and update your SAML SSO configuration as below.
Enter “Identifier (Entity ID)” in the format:
“urn:auth0:{YOUR_TENANT}:{CONNECTION_NAME}”
Enter “Reply URL (Assertion Consumer Service URL)” in the format:
“https://{AUTH0_CUSTOM_DOMAIN}/login/callback”
OR “https://{AUTH0_CUSTOM_DOMAIN}/login/callback?connection={CONNECTION_NAME}”
11) Whilst in your “Azure Management Portal” you might need to configure Users and Roles.
12) Ensure Softools site settings > Self Registration is enabled. At the time of writing this is required for automatic Softools user creation with the relevant Team/Permissions.
Additional Notes
For Azure AD Guest user types, where the issuer is Microsoft Live for instance, the User Attributes & Claims within the Azure AD SAML enterprise application might need a claims mapping for the Unique User Identifier.
Change the Unique User Identifier to be ‘user.mail’.
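Added check (not part of the article, and not Auth0 or Azure code) that compares a SAML Response against the values step 10 tells you to enter in Azure (Entity ID, Reply URL) and the Unique User Identifier mapping from the Additional Notes. The tenant name, connection name, custom domain and the sample response are all constructed assumptions; signature verification is deliberately left out, since Auth0 performs it with the certificate uploaded in step 7.

```python
# Added check, not from the article or from Auth0/Azure. Compares a SAML Response
# against the Entity ID / Reply URL from step 10 and the NameID mapping from the
# Additional Notes. Signature verification is NOT done here (Auth0 does that with
# the certificate uploaded in step 7); this only catches configuration mismatches.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def expected_values(tenant, connection, custom_domain):
    """Entity ID and Reply URL exactly as step 10 instructs."""
    return {
        "audience": f"urn:auth0:{tenant}:{connection}",
        "destination": f"https://{custom_domain}/login/callback?connection={connection}",
    }

def check_response(xml_text, tenant, connection, custom_domain):
    """Return a list of mismatches; an empty list means the response matches the config."""
    exp = expected_values(tenant, connection, custom_domain)
    root = ET.fromstring(xml_text)
    problems = []
    dest = root.get("Destination", "")
    # Step 10 allows the callback with or without ?connection=, so accept both forms.
    if dest not in (exp["destination"], exp["destination"].split("?")[0]):
        problems.append(f"Destination {dest!r} is not the Auth0 Reply URL")
    aud = root.findtext(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if aud != exp["audience"]:
        problems.append(f"Audience {aud!r} != {exp['audience']!r}")
    name_id = root.findtext(".//saml:Subject/saml:NameID", "", NS)
    # Additional Notes: guest users need the Unique User Identifier mapped to user.mail
    if "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not an email; map Unique User Identifier to user.mail")
    return problems

# Constructed, unsigned sample with hypothetical tenant/connection/domain; not a real capture.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://login.example.com/login/callback?connection=azure-ad">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:auth0:example-tenant:azure-ad</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "example-tenant", "azure-ad", "login.example.com"))
```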