Learning SAML in Azure AD

In my opinion, the best way to learn a technology such as SAML is building a hands-on lab environment. In this blog we’ll explore how to create a SAML Application in Azure AD, using the “Azure AD SAML Toolkit” app.

There are two types of SAML Applications:

– Service Provider Initiated (aka “SP Initiated”). This means that the end-user will navigate to the web application first and then be directed back to the IDP to authenticate, and then the end-user will go back to the application to present the authentication token.

– Identity Provider Initiated (aka “IDP Initiated”). This means that the end-user will navigate to the IDP, in this case Azure is the IDP, so the list of applications will be found at “myapps.microsoft.com.”

Experts may read the simplistic explanations above and notice there are exceptions to these definitions, but to keep things simple we are going with those definitions.

The “Azure AD SAML Toolkit” was written to support SP Initiated SSO.

Getting Started

If you already have a test environment or if you are brave enough to test in your production environment, then skip step 1 and proceed to step 2.

Step 1) Sign up for a Office 365 trial tenant (here)

Step 2) Sign into the Azure Portal (this is the IDP) here: https://portal.azure.com

Step 3) In the search box type in “Azure Active Directory”

image

Step 4) Click Add > Enterprise Application

SNAGHTMLbf612fd

Step 5) Type “Azure AD SAML Toolkit” and then click on the application

image

Step 6) Click Create

image

Step 7) Click Single sign-on in the left navigation then click SAML on the right

image

Step 8) In Step One of “Basic SAML Configuration”  Click Edit

image

Step 9) In the Sign on URL enter: https://samltoolkit.azurewebsites.net/

image

PRO TIP: If you leave this field blank, you are configuring an app for “IDP Initiated” SSO instead of “SP Initiated SSO.” This will help you in the future when troubleshooting why an IDP Initiated app is not working, clear this field and it may start working.

Step 10) In the Reply URL (otherwise known as the Assertion Consumer Service URL) enter:  https://samltoolkit.azurewebsites.net/SAML/Consume

image

Leave the Entity ID with the pre-populated value, it should be:
https://samltoolkit.azurewebsites.net

Step 11)  Click Save
image

Step 12) On step three click Download next to “Certificate (Raw)”

The Certificate download link

Step 13) On Step four “Set up Azure AD SAML Toolkit” copy the values shown into Notepad or your favorite text editor. You’ll need these in a future step

Copy configuration URLs

Step 14) On the left navigation select “Users and Groups” and then add the user you are signed in with (this user will be used in a future step)

image

Step 15) Browse to the Azure AD SAML Toolkit website here: https://samltoolkit.azurewebsites.net

Step 16) Click Register

Azure AD SAML Toolkit Register

Step 17) Enter the email address associated with the user account that you added to the SAML Account in step 14 above

Step 18) Click SAML Configuration on the top navigation

Azure AD SAML Toolkit SAML Configuration

Step 19) Click Create

image

Step 20) Paste the values that you copied from step 13 above, and upload the certificate from step 12 above

image

Step 21) Copy Sign-on URL, Identifier and ACS URL values on SAML Toolkit SSO configuration page and paste into respected textboxes in the Basic SAML Configuration section in the Azure portal

image

Step 22) Test it out! Sign into Myapps.Microsoft.com and find the Azure AD SAML Toolkit. Click on it and then you should see a button to Log in. Click on this button to initiated an SP-Initiated sign-in.

image

If it works, you’ll be brought back to the same configuration page you used to create the app. This is just a simple app to show how SSO works with Azure AD.

References

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s