Friday, February 8, 2019

Setting up SAML-based sign-on for Enterprise application in Azure AD

When I was a developer, I was assigned to a project to enable SAML login from client's IDP to our application. That is the project I wanted to do. I did some study, and then was "requested" to help out a Java project. And someone else "requested" to do research and POC on behalf of myself, and I'll do the development. A funny arrangement by the management. I am trying to convince myself that I am not complaining, but I am not convinced though. Anyway...

In my recent projects (and no longer a developer), I am involved in SAML setup related task. This is my second running on trial version on enterprise tool to figure out, how the client can setup SAML in order to connect to our application. :D

Ignore all the unorganized setup in my Azure account. This is my first time using it, and free trial time is ticking.

This post is mainly to setup the SAML-based sign-on to a 3rd party application in Azure AD. Click on the image to view the original size of it for clearer view.

3. Click on + New application button.

For #10, use the metadata file from your IDP federation system. You should have 2 metadata, one for the service provider, the other is for IDP. Provide the metadata for IDP to your client, and ask your client to upload this metadata file. The Identifier and Reply URL will be automatically updated.

This is the default claims setup in Azure AD.

You can delete it or edit it. Anyway, there is one that you can't edit or remove it. The application will tell. :)

Lastly, provide the metadata of this setup to the IDP federation to add trust relationships. It can be obtained here.

Once the trust relationship is established, you can try to login to the application with the AD you setup in Azure. Not sure how sensitive is the information, so I just mask out all the data. Here's a snapshot of the SAML Tracer in Chrome when I do the login.

If the namespace is left untouched, you'll see the claim rule attribute name is sent to for federation as A like below. If you clear the namespace in the claim rule mapping, then the claim rule attribute name is sent as B below.