
Custom SSO With Azure Active Directory

We currently use Office 365 and we're looking to expand the use of Azure Active Directory to provide SSO to third-party web apps. Some of our required apps are not currently supported in the app gallery, so I have been testing creating an SSO setup for one of these apps from scratch. Please note this is not my own app that I have developed in-house, but a commercial app that supports SAML. Is there any guidance on setting this up that doesn't have a developer focus? Is what I'm looking for even possible, or is this really intended for LOB apps only? Thanks!

I don't have a background in SAML or web development, so please be kind ;)

Larry, we love to get feedback on this - tell us what apps you're using and we might be able to prioritize their integration higher. That said, if you wish to try integrating these apps manually, depending on whether AzureAD supports the claims that these applications need, it may be possible. Here's your best bet:

  1. Register a new application in your Azure AD representing the application (in the Applications tab of the directory in the Azure Management Portal). On this application registration, specify the 'Reply URL' as the URL on which the application expects the token to be posted (called AssertionConsumerServiceURL in SAML-P). Also, on this application registration, specify the 'App ID URI' as the audience string that the application expects in the token (called Audience in SAML-P).
  2. In the application, register your Azure AD as the identity provider. Most applications require only the token signing certificate to be specified. Get the certificate from your Azure AD metadata URL (https://login.windows.net/{your Azure AD tenant id or domain name}/federationmetadata/2007-06/federationmetadata.xml) and register it in the app. Some applications also require the issuer value of the identity provider to be registered. Your Azure AD will issue tokens with an Issuer value of 'https://sts.windows.net/{your Azure AD tenant id}/' (e.g. https://sts.windows.net/7fe877e6-a150-4992-bbfe-f517e304dfa0/). If your application supports SP initiated SSO - provide the IdP login URL (https://login.windows.net/{your Azure AD tenant id or domain name}/saml2) to the application to redirect the user to (when the user clicks sign-in).
  3. Finally, if your application expects IdP initiated SSO, construct a canned SAML AuthnRequest and save it in a URL - when your organization's users click on this URL (canned SAML AuthnRequest) - they will get redirected to Azure AD, where they will sign in, and then the token will be posted to the application's AssertionConsumerServiceURL - resulting in the user getting signed in. You can use the following tool to create a SAML AuthnRequest: https://www.authnauthz.com/samlscrewdriver/authnrequest

Hope this helps. Again - let me know what applications you want to integrate with - we might be able to help more.
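The values the answer tells you to copy between the two sides (the Issuer, the signing certificate and the login URL from the tenant's federation metadata in step 2, and the canned AuthnRequest from step 3) can be produced and checked with a short script. This is an added Python example, not code from the thread or from Microsoft; the metadata document, the all-zero tenant id and the app.example.com URLs are constructed stand-ins.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for a tenant's federationmetadata.xml (the real file is fetched over HTTPS).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC...CONSTRUCTED-CERT...</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.windows.net/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor></EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract the three IdP values step 2 says the application has to be given."""
    root = ET.fromstring(xml_text)
    cert = root.find(".//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = root.find(f".//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    return {"issuer": root.get("entityID"),        # Issuer value tokens will carry
            "signing_cert": cert.text.strip(),      # certificate the app verifies signatures with
            "sso_url": sso.get("Location")}         # IdP login URL for SP-initiated SSO

def build_authn_request(sp_entity_id, acs_url, sso_url, request_id=None, issue_instant=None):
    """Build the 'canned' AuthnRequest URL from step 3 using the SAML HTTP-Redirect binding."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
           f'AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    # Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode as SAMLRequest.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def decode_authn_request(url):
    """Reverse the encoding so a canned request can be inspected before it is handed to users."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()
```

The Issuer in the AuthnRequest is the 'App ID URI' from step 1, and the AssertionConsumerServiceURL must match the 'Reply URL' registered there, otherwise Azure AD rejects the request.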
