This tutorial guides you through the process of configuring Single Sign-On (SSO) for a web application using Azure Active Directory (Azure AD). SSO allows users to access multiple applications with a single set of credentials, enhancing security and user experience.
Prerequisites
- An Azure AD tenant.
- An administrator role in your Azure AD tenant.
- A web application that supports SAML 2.0, OAuth 2.0, or OpenID Connect.
- Information about your application's metadata endpoints or configuration details.
Step 1: Register Your Application in Azure AD
1.1 Navigate to Azure Portal
Sign in to the Azure portal with an administrator account.
1.2 Go to Azure Active Directory
In the portal, search for and select "Azure Active Directory".
1.3 Register a New Application
Under "Manage", select "App registrations" and then click "+ New registration".
1.4 Provide Application Details
- Name: Enter a descriptive name for your application (e.g., "My SaaS Application").
- Supported account types: Choose the account types that will use this application. For most scenarios, "Accounts in this organizational directory only" is sufficient.
- Redirect URI: This is crucial, because Azure AD will only send the authentication response to a URI that is registered here. Enter the URI where Azure AD should send the response after a successful sign-in. The format depends on your application's authentication protocol (e.g., for SAML it is the application's Assertion Consumer Service (ACS) URL; for OAuth/OIDC it is your callback URL).
Click "Register".
Step 2: Configure Single Sign-On for the Application
2.1 Access the Application's SSO Settings
Once your application is registered, navigate to its overview page. On the left-hand menu, select "Single sign-on".
2.2 Choose an SSO Method
Azure AD supports multiple SSO protocols:
- SAML: Suitable for many enterprise applications.
- OAuth 2.0 / OpenID Connect: Modern protocols for web and mobile apps.
- Password-based Single Sign-On: For applications that don't support federated sign-on.
- Linked SSO: For applications that are already configured with SSO via another identity provider.
For this tutorial, we'll focus on SAML. Click "SAML".
2.3 Configure SAML Settings
You'll see two main sections: "Basic SAML Configuration" and "User Attributes & Claims".
2.3.1 Basic SAML Configuration
Click "Edit" for the "Basic SAML Configuration". You'll need to provide:
- Identifier (Entity ID): A unique identifier for your application. This is often provided by your application vendor.
- Reply URL (Assertion Consumer Service URL): The URL where Azure AD sends the SAML token. This should match the Redirect URI you configured earlier.
- Sign on URL (Optional): The URL users typically visit to access your application.
- Relay State (Optional): Used to redirect users to a specific page after authentication.
Click "Save".
2.3.2 User Attributes & Claims
This section defines the information (claims) sent in the SAML token to your application. By default, Azure AD sends the user's unique identifier (Name ID). You can add more claims like email address, first name, last name, etc.
Click "Edit" and then "Add new claim". Select the attribute you want to send and configure its name in the SAML token (often referred to as the "Source attribute" and "Name").
Step 3: Download SAML Signing Certificate and Login/Logout URLs
3.1 Access SAML Signing Certificate
On the SAML configuration page, scroll down to the "SAML Signing Certificate" section. You'll need to download the certificate in Base64 format. Your application uses this certificate to verify the signature on SAML assertions from Azure AD, so that any assertion not signed by Azure AD's key is rejected.
You will also find the following URLs:
- Login URL: The URL users are redirected to for authentication.
- Azure AD Identifier: The unique identifier for Azure AD as an identity provider.
- Logout URL: The URL to use for single sign-out.
Keep these details handy, as you'll need them to configure your application.
Step 4: Configure Your Application with Azure AD Details
4.1 Access Your Application's SSO Settings
Log in to your web application's administrative interface and navigate to its Single Sign-On or Authentication settings.
4.2 Enter Azure AD Details
You will typically need to configure the following:
- Identity Provider SSO URL (or Login URL): Paste the "Login URL" from Azure AD.
- Identity Provider Issuer (or Entity ID): Paste the "Azure AD Identifier" from Azure AD.
- X.509 Certificate: Upload the Base64 SAML signing certificate you downloaded from Azure AD.
- Service Provider Entity ID: This should match the "Identifier (Entity ID)" you configured in Azure AD.
- Assertion Consumer Service (ACS) URL: This should match the "Reply URL" you configured in Azure AD.
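As an added example (not part of this tutorial and not Microsoft's code), the following Python script compares the values Azure AD was given in Step 2 with the values typed into the application in Step 4, and shows what the Login URL is actually used for: it builds an SP-initiated SAML AuthnRequest and encodes it for the HTTP-Redirect binding, the way a SAML service provider library does when a user clicks "Sign in with Azure AD". The tenant ID, hostnames and URLs are constructed placeholders; the shape of the Login URL and Azure AD Identifier follows what the Azure AD SSO page displays.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape, quoteattr

# Placeholder tenant ID (constructed); use the one from your own Azure AD tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Values shown on the Azure AD "Single sign-on" page for the app (Steps 2 and 3). Constructed.
AZURE_AD = {
    "login_url": f"https://login.microsoftonline.com/{TENANT_ID}/saml2",
    "azure_ad_identifier": f"https://sts.windows.net/{TENANT_ID}/",
    "entity_id": "https://app.example.com/saml/metadata",  # Identifier (Entity ID)
    "reply_url": "https://app.example.com/saml/acs",       # Reply URL (ACS URL)
}

# Values typed into the application's own SSO settings (Step 4). Constructed.
APP_SP = {
    "idp_sso_url": f"https://login.microsoftonline.com/{TENANT_ID}/saml2",
    "idp_issuer": f"https://sts.windows.net/{TENANT_ID}/",
    "sp_entity_id": "https://app.example.com/saml/metadata",
    "acs_url": "https://app.example.com/saml/acs",
}


def check_config(azure, sp):
    """Compare each Azure AD value with the matching application value.

    SAML compares identifiers and URLs as exact strings, so a trailing slash or an
    http/https difference is a mismatch. Returns a list of problems (empty if all match).
    """
    pairs = [
        ("Login URL", azure["login_url"], "Identity Provider SSO URL", sp["idp_sso_url"]),
        ("Azure AD Identifier", azure["azure_ad_identifier"], "Identity Provider Issuer", sp["idp_issuer"]),
        ("Identifier (Entity ID)", azure["entity_id"], "Service Provider Entity ID", sp["sp_entity_id"]),
        ("Reply URL", azure["reply_url"], "ACS URL", sp["acs_url"]),
    ]
    return [
        f"{azure_name} {azure_value!r} does not match {sp_name} {sp_value!r}"
        for azure_name, azure_value, sp_name, sp_value in pairs
        if azure_value != sp_value
    ]


def build_authn_request(sp, azure, request_id=None, issue_instant=None):
    """Build a minimal SP-initiated SAML 2.0 AuthnRequest as XML text.

    Issuer is the SP Entity ID and Destination is the Azure AD Login URL. The ID is
    returned so the application can later match the response's InResponseTo to it.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    instant = (issue_instant or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID={quoteattr(request_id)} Version="2.0" IssueInstant="{instant}" '
        f'Destination={quoteattr(azure["login_url"])} '
        f'AssertionConsumerServiceURL={quoteattr(sp["acs_url"])} '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{escape(sp["sp_entity_id"])}</saml:Issuer>'
        "</samlp:AuthnRequest>"
    )
    return request_id, xml


def redirect_binding_url(login_url, authn_request_xml, relay_state=None):
    """Encode the request for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = deflater.compress(authn_request_xml.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # lands the user on a specific page afterwards
    return f"{login_url}?{urlencode(params)}"


def decode_redirect_url(url):
    """Inverse of redirect_binding_url, handy when inspecting a captured browser redirect."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


if __name__ == "__main__":
    for problem in check_config(AZURE_AD, APP_SP):
        print("config problem:", problem)
    request_id, xml = build_authn_request(APP_SP, AZURE_AD)
    print("remember request ID", request_id)
    print(redirect_binding_url(AZURE_AD["login_url"], xml, relay_state="/dashboard"))
```

Run the script once with the real values substituted and it prints every mismatch by its Azure AD and application field names; a clean run followed by a browser redirect to the printed URL is the same exchange the portal's "Test" button triggers from the other direction.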
Step 5: Assign Users and Groups to the Application
5.1 Manage User Assignments
Back in the Azure portal, go to your application's "Users and groups" section.
5.2 Assign Users/Groups
Click "+ Add user/group" and select the users or groups that should have access to this application via SSO. This restricts sign-in to the assigned users only when the application's "Assignment required?" property (under its Properties) is set to Yes; otherwise any user in the tenant can sign in.
Step 6: Test the Single Sign-On
6.1 Initiate SSO Test
In the Azure portal, on the "Single sign-on" page for your application, there's a "Test" section. Click "Test".
6.2 Verify Sign-In
Azure AD will prompt you to either sign in as a user or as the application. Choose to sign in as a user. Follow the prompts to test the login flow. You should be successfully logged into your application without needing to enter separate credentials.
Troubleshooting Common Issues
- "Invalid SAML Response" or "Signature Verification Failed": Often caused by an incorrect SAML signing certificate in your application (or one that has since been rotated in Azure AD), or by mismatches in Entity IDs.
- Users Can't Log In: Ensure users are assigned to the application in Azure AD and that their attributes (like email) are correctly mapped.
- Redirect Loops: Check Reply URLs and Sign on URLs for typos or incorrect configurations.
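When one of the errors above appears, the quickest way to tell which cause applies is to look at the SAML response the browser posted to the ACS URL. The following Python, added here as an example and not part of this tutorial or any SAML library, checks a response against the values configured in Step 4 (issuer, destination, audience, validity window, InResponseTo, and which certificate the token claims to be signed with) and pulls out the attributes so a wrong e-mail mapping is visible. The sample response, tenant ID, URLs and certificate body are constructed placeholders. It does not verify the XML signature itself; that is the job of an XML-DSig capable SAML library, and it must be done with the certificate downloaded from Azure AD, never the one embedded in the response, since whoever sent the response chose that one.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # Azure AD default

# What the application was configured with in Step 4 (constructed placeholders).
EXPECTED = {
    "idp_issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sp_entity_id": "https://app.example.com/saml/metadata",
    "acs_url": "https://app.example.com/saml/acs",
    "idp_cert_b64": "MIICPLACEHOLDERCERTBODY",  # base64 body of the downloaded cert; not a real cert
}

# Constructed sample response, shaped like a successful Azure AD SAML response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req1"
    Destination="https://app.example.com/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICPLACEHOLDER
        CERTBODY
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _utc(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _normalise_cert(text):
    """Accept PEM or bare base64 and return only the base64 body, whitespace removed."""
    return "".join(line.strip() for line in text.splitlines() if "-----" not in line)


def diagnose_response(xml_text, expected, now, issued_request_ids=(), skew=timedelta(minutes=3)):
    """Return a list of findings, each mapping to one cause in the troubleshooting list.

    `now` may be a datetime or a SAML timestamp string. Does not verify the signature.
    """
    now = _utc(now) if isinstance(now, str) else now
    findings = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        findings.append("status is not Success")
    if root.get("Destination") != expected["acs_url"]:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL {expected['acs_url']!r}")
    in_response_to = root.get("InResponseTo")
    if in_response_to is not None and in_response_to not in issued_request_ids:
        findings.append(f"InResponseTo {in_response_to!r} matches no request this SP issued")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
        return findings
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["idp_issuer"]:
        findings.append(f"Issuer {issuer!r} != Azure AD Identifier {expected['idp_issuer']!r}")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS).strip()
    if audience != expected["sp_entity_id"]:
        findings.append(f"Audience {audience!r} != SP Entity ID {expected['sp_entity_id']!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:  # validity window, with tolerance for clock skew
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now + skew < _utc(not_before):
            findings.append("assertion not yet valid (check clock skew)")
        if not_on_or_after and now - skew >= _utc(not_on_or_after):
            findings.append("assertion expired (check clock skew or replayed response)")
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        signature = root.find("ds:Signature", NS)
    if signature is None:
        findings.append("no Signature on Response or Assertion")
    else:
        embedded = signature.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        if _normalise_cert(embedded) != _normalise_cert(expected["idp_cert_b64"]):
            findings.append("embedded signing certificate differs from the downloaded one (rotated or wrong certificate?)")
    return findings


def extract_attributes(xml_text):
    """Return {claim name: [values]} from the AttributeStatement, e.g. to check the e-mail mapping."""
    root = ET.fromstring(xml_text)
    return {
        attribute.get("Name"): [v.text or "" for v in attribute.findall("saml:AttributeValue", NS)]
        for attribute in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    }
```

An empty findings list for a response the library still rejects points at the signature itself (wrong or rotated certificate); a non-empty list names the mismatched field, which is usually faster than re-reading both configuration screens.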
Conclusion
You have successfully configured Single Sign-On for your application using Azure Active Directory. This integration enhances security and streamlines the user login process.
For more advanced configurations or different protocols, please refer to the official Azure AD documentation.