AzureAD, How do I create a SAML SSO Enterprise App?

For IT Pros: This KB page will assist those who want to set up an Enterprise App in AzureAD that needs to use SAML for single sign-on (SSO).

Before you start:

If you are wondering whether to use Shibboleth or Entra ID for your SAML SSO application, please see this KB: Identity Management, Single Sign-On Platforms.

Please note: If the vendor has not done business with the University before, you must fill out a Vendor Risk Assessment form here.

Configuration:

Instructions from the vendor should include the information you need to configure the necessary parameters on both the AzureAD side and the vendor's application side.

Information for configuring the Enterprise App in AzureAD include:

Identifier (Entity ID)
- This is the unique ID that identifies your application to Azure Active Directory. This value must be unique across all applications in your Azure Active Directory tenant. The default identifier will be the audience of the SAML response for IDP-initiated SSO.
Reply URL (Assertion Consumer Service URL)
- The reply URL is where the application expects to receive the authentication token. This is also referred to as the “Assertion Consumer Service” (ACS) in SAML.
User Attributes & Claims
- Information for identifying users that are signing into the application.
Owners
- Owners can manage the configuration of the application (including SSO config), and user assignment. Owners can also add or remove other owners.
Users and groups
- Do you want all users in our tenant to be able to access your application, or do you only want a subset of users and/or groups?
- If you want the app to be available to all users, you can go to the Properties pane in AzureAD, then select No, under 'Assignment required?'.

Information for configuring the application with the vendor include:

SAML signing certificate (valid for three years by default). This is available in the Single sign-on pane in the Enterprise applications section for your app
- Please ensure that you have processes in place to renew certificates prior to their expiration. Guidance from Microsoft is available here.
Our tenant-specific endpoints to link the service provider with AzureAD. These are also available in the Single sign-on pane in the Enterprise applications section for your app, but for reference:
- Login URL: https://login.microsoftonline.com/44467e6f-462c-4ea2-823f-7800de5434e3/saml2
- Azure AD Identifier: https://sts.windows.net/44467e6f-462c-4ea2-823f-7800de5434e3/
- Logout URL: https://login.microsoftonline.com/44467e6f-462c-4ea2-823f-7800de5434e3/saml2

How to Request an Enterprise App that utilizes SAML SSO:

The creation of the application requires an administrator role, so to create a SAML SSO application in AzureAD, you can fill out a form here.

The IAMU team should get back to you within two business days.

SAML SSO apps in our AzureAD tenant follow the SAML-{OrgName}-{ApplicationName} naming convention, so when filling out the form, please let us know the Org Name and Application Name that should be used.
- Example: SAML-IAMU-TestingApp1
Let us know if the owner of the app should be someone other than the submitter of the form.

Need Help?

If you need assistance or have questions, please feel free to reach out to the Identity and Access Management team at Tech Services.

Keywords	SAML SSO Azure AzureAD Active Directory enterprise app registration application single sign on sign-on sso oath open id connect openid Suggest keywords	Doc ID	122300
Owner	ID M.	Group	University of Illinois Technology Services
Created	2022-11-04 09:09:59	Updated	2023-10-30 21:27:01
Sites	University of Illinois Technology Services
Feedback	0 0 Comment Suggest a new document Subscribe to changes