
Configuring SAML 2.0 Application for Azure AD

Before you configure the SAML federation for Azure AD (Active Directory), ensure that you have completed the following:

Note

Ensure that you have the required privileges to create and manage a SAML 2.0 application/federation in Microsoft Azure.

Creating an Enterprise Application

  1. Log in to the Azure portal as an administrator.

  2. Click Azure Active Directory from the Azure services menu.
    The screenshot shows the Azure services menu.

  3. In the left pane, click Enterprise Application.

  4. On the Enterprise Application page, click New Application.

    The screenshot shows the Enterprise Application page, and the New Application button is highlighted.

  5. On the Browse Azure AD Gallery page, click Create your own application.

    The screenshot shows the Browse Azure AD Gallery page, and the Create Your Own Application button is highlighted.

  6. On the Create your own application page, complete the following:

    • Enter a name for your application
    • Select the Integrate any other application you don’t find in the gallery (non-gallery) option.
    • Click Create.
      The screenshot shows the Create Your Own Application dialog box. The text box for specifying the name is highlighted. Also highlighted is the radio button called Integrate any other application you do not find in the gallery.
  7. Assign users and groups to the application you just created. For information, refer to Microsoft Azure documentation at https://docs.microsoft.com/en-us/azure/.

Enabling Single Sign-On

  1. In the left pane of the application you created, click Single sign-on to open the Single sign-on pane for editing.
  2. Choose the SAML option to open the SAML-based Sign-On page.

    The screenshot shows the SAML-based Sign-On page, and the SAML option is highlighted.

  3. In the Set Up Single Sign-On with SAML section, complete the applicable steps. For more information, click configuration guide on the Azure portal.

    The screenshot shows the Set Up Single Sign-On with SAML section, and the Edit button is highlighted. The two steps are Basic SAML Configuration and User Attributes and Claims, and each contains a set of required and optional parameters.
  4. In step 1, the Basic SAML Configuration section, click Edit and complete the following:
    • Identifier (Entity ID): Enter the Audience URI that you copied when generating the audience keys.
    • Reply URL (Assertion Consumer Service URL): Enter the HUB ACS URL that you copied when generating the audience keys.
    • Sign on URL: Enter the same value that you used in the Reply URL (Assertion Consumer Service URL) field.
      The subjectNameID in the SAML assertion must be the user’s email address, and the email address must have a domain name that matches the domain for which the federation is being configured.

  5. In step 2, the User attributes and claims section, click Edit.
  6. In the User Attributes & Claims dialog, click Add a group claim, as shown below:

    The screenshot shows the User Attributes and Claims dialog, and the Add a Group Claim option is highlighted. The dialog box also contains a Required Claim section and an Additional Claims section, which list the name and value of each claim.

  7. In the Group Claims dialog, complete the following to configure groups that should be included in the token:
    1. Which groups associated with the user should be returned in the claim: Select Security groups.
    2. Source attribute: Choose Group ID from the drop-down menu.
    3. In the Advanced options section, select the Customize the name of the group claim check box.
    4. Name (required): Enter groups.

      The screenshot shows the Group Claims dialog box, where the radio button for security groups is selected.

  8. Click Save.
  9. In step 3, the SAML Signing Certificate section:
    1. Download the Certificate (Base64) and save it for later.
  10. In step 4, the Set up <your application> section:
    1. Copy the Login URI and Azure AD Identifier and save them for later.
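The following is an added example (not Infoblox or Microsoft code) that checks whether a SAML assertion from Azure AD matches what was entered above: Audience equal to the Identifier (Entity ID), Recipient equal to the Reply URL (ACS URL), a NameID that is an email address in the federated domain, and a group claim named "groups". The URLs, domain and sample assertion are constructed placeholders, and because it uses only the standard library it does not verify the XML signature.

```python
# Added example (not Infoblox or Microsoft code): checks an Azure AD SAML
# assertion against the values entered above. Standard library only, so the
# XML signature is NOT verified here; use an xmlsec-based library for that.
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholders for the Audience URI, HUB ACS URL and federated domain.
EXPECTED = {"audience": "https://sso.example.test/audience/PLACEHOLDER-ID",
            "acs_url": "https://sso.example.test/saml/acs",
            "domain": "example.test"}
# Constructed sample assertion carrying the fields the portal relies on.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID>alice@example.test</saml:NameID>
  <saml:SubjectConfirmation>
   <saml:SubjectConfirmationData Recipient="https://sso.example.test/saml/acs"/>
  </saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://sso.example.test/audience/PLACEHOLDER-ID</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="groups">
  <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected=EXPECTED):
    """Return a list of mismatches; an empty list means the assertion fits the config."""
    root = ET.fromstring(xml_text)
    problems = []
    # Identifier (Entity ID) must equal the Audience in the assertion.
    aud = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if aud != expected["audience"]:
        problems.append(f"Audience {aud!r} != Entity ID {expected['audience']!r}")
    # Reply URL (ACS URL) must equal the bearer Recipient.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != expected["acs_url"]:
        problems.append(f"Recipient {recipient!r} != ACS URL {expected['acs_url']!r}")
    # NameID must be an email address whose domain is the federated domain.
    name_id = root.findtext("saml:Subject/saml:NameID", "", NS)
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", name_id)
    if not m or m.group(1).lower() != expected["domain"].lower():
        problems.append(f"NameID {name_id!r} is not an email in {expected['domain']!r}")
    # The group claim renamed to "groups" (Group ID source attribute) must be present.
    groups = [v.text for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == "groups" for v in a.findall("saml:AttributeValue", NS)]
    if not groups:
        problems.append("no 'groups' claim in assertion")
    return problems
```

Run `check_assertion` on a decoded SAMLResponse assertion when a login fails after setup; each returned string names the Azure field whose value does not match the portal configuration.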

Configuring SAML Application

  1. Log in to the Infoblox SSO Portal.
  2. In the Infoblox SSO Portal, go to Authentication > 3rd Party IdP, click Configure Azure SAML and then complete the following:
    1. Login URL: Enter or paste the Login URI you copied from the Azure Set up <your application> section.
    2. Azure AD Identifier: Enter or paste the Azure AD Identifier you copied from the Set up <your application> section.
    3. Signature Certificate: Paste the certificate you copied from the Azure SAML Signing Certificate section. The SSO Portal supports Base64 certificates with the following file extensions: .crt, .pem, and .ca-bundle.
  3. Click Save and Close.
  4. After you have configured the SAML application, you can complete the following configuration:
  5. You can also perform the following after you set up 3rd party IdP authentication: