AzureAD, How do I create a SAML SSO Enterprise App?
Before you start:
If you are wondering whether to use Shibboleth or Entra ID for your SAML SSO application, please see this KB: Identity Management, Single Sign-On Platforms.
Please note: If the vendor has not done business with the University before, you must fill out a Vendor Risk Assessment form here.
Configuration:
Instructions from the vendor should include the information you need to configure the necessary parameters on both the AzureAD side and the vendor's application side.
Information for configuring the Enterprise App in AzureAD include:
- Identifier (Entity ID)
- This is the unique ID that identifies your application to Azure Active Directory. This value must be unique across all applications in your Azure Active Directory tenant. The default identifier will be the audience of the SAML response for IDP-initiated SSO.
- Reply URL (Assertion Consumer Service URL)
- The reply URL is where the application expects to receive the authentication token. This is also referred to as the “Assertion Consumer Service” (ACS) in SAML.
- User Attributes & Claims
- Information for identifying users that are signing into the application.
- Owners
- Owners can manage the configuration of the application (including SSO config), and user assignment. Owners can also add or remove other owners.
- Users and groups
- Do you want all users in our tenant to be able to access your application, or do you only want a subset of users and/or groups?
- If you want the app to be available to all users, you can go to the Properties pane in AzureAD, then select No, under 'Assignment required?'.
Information for configuring the application with the vendor include:
- SAML signing certificate (valid for three years by default). This is available in the Single sign-on pane in the Enterprise applications section for your app
- Please ensure that you have processes in place to renew certificates prior to their expiration. Guidance from Microsoft is available here.
- Our tenant-specific endpoints to link the service provider with AzureAD. These are also available in the Single sign-on pane in the Enterprise applications section for your app, but for reference:
- Login URL:
https://login.microsoftonline.com/44467e6f-462c-4ea2-823f-7800de5434e3/saml2
- Azure AD Identifier:
https://sts.windows.net/44467e6f-462c-4ea2-823f-7800de5434e3/
- Logout URL:
https://login.microsoftonline.com/44467e6f-462c-4ea2-823f-7800de5434e3/saml2
- Login URL:
How to Request an Enterprise App that utilizes SAML SSO:
The creation of the application requires an administrator role, so to create a SAML SSO application in AzureAD, you can fill out a form here.
The IAMU team should get back to you within two business days.
- SAML SSO apps in our AzureAD tenant follow the
SAML-{OrgName}-{ApplicationName}
naming convention, so when filling out the form, please let us know the Org Name and Application Name that should be used.- Example: SAML-IAMU-TestingApp1
- Let us know if the owner of the app should be someone other than the submitter of the form.
Need Help?
If you need assistance or have questions, please feel free to reach out to the Identity and Access Management team at Tech Services.