Setting Up SAML Authentication with Azure Active Directory

In today's digital landscape, securing access to your applications is more critical than ever. Implementing Single Sign-On (SSO) using Security Assertion Markup Language (SAML) is a powerful way to enhance security while providing a seamless user experience. Azure Active Directory (Azure AD) simplifies this process, offering robust tools for integrating SAML authentication with your enterprise applications. In this guide, we will walk you through the steps to set up SAML authentication using Azure AD, ensuring that your organization can leverage the benefits of centralized identity management and streamlined access control. Whether you're an IT professional or a system administrator, this tutorial will equip you with the knowledge to implement SAML authentication efficiently and securely. 


Option 1: Adding Configuration to Identity - Basic - App Federation Metadata URL

Add the configuration to your identity provider using the basic settings. Use the App Federation Metadata URL obtained from Azure AD.


Business Fitness to Provide:

  • ServiceProviderEntityId
  • CallbackPath

External Vendor to Provide: 

  • IdentityProviderMetadataAddress
  • Domain/s to authenticate via SAML    


Option 2: Adding Configuration to Identity - Advanced - Certificate (Recommended)


Business Fitness to Provide: 

  • ServiceProviderEntityId
  • CallbackPath

External Vendor to Provide: 

  • Certificate File (.cer)
  • Domain/s to authenticate via SAML 
  • SingleSignOnEndpoint
  • SingleLogoutEndpoint
  • IdentityProviderEntityId
    OR
  • IdentityProviderMetadataAddress


Follow the steps below to set up SAML authentication with Azure AD once Business Fitness has provided the required setup information. We will cover everything from configuring your Azure AD tenant and registering your application to setting up SAML-based SSO and testing the integration.


Step-by-Step Guide to Setting Up SAML Authentication with Azure AD

  1. Log into Entra Portal as an Admin:

    • Open your web browser and log into the Entra Portal with your administrator credentials.

  2. Navigate to Enterprise Applications:

    • Under the "Applications" section, click on "Enterprise applications."

  3. Create a New Application:

    • Click on "New application."
    • Select "Create your own application."
    • Enter the name as shown below in the provided field and click "Create."

  4. Configure Single Sign-On:

    • Once the application is created, navigate to the "Single sign-on" section.
    • Select the "SAML" option.

  5. Edit Basic SAML Configuration:

    • In the "SAML-based Sign-on" page, click on the "Edit" button under the "Basic SAML Configuration" section.

  6. Enter Identifier and Reply URL:

    • In the "Basic SAML Configuration" pane, enter the required "Identifier (Entity ID)" and "Reply URL (Assertion Consumer Service URL)."
    • Click "Save" to apply the settings.

  7. Edit Attributes & Claims:

    • In the "SAML-based Sign-on" page, click on the "Edit" button under the "Attributes & Claims" section.

  8. Set Up Required & Additional Claims:

    • In the "Attributes & Claims" pane, enter the required claims as shown below.
    • Click "Save" to apply the settings.

      Your "Attributes & Claims" section should now look like this:

  9. Copy App Federation Metadata URL:

    • After saving the basic SAML configuration, you will see the "App Federation Metadata URL" listed.
    • Copy this URL.

  10. Download the certificate:

    • Send Business Fitness both the metadata URL and certificate for deployment.
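The Python script below is an added example, not Business Fitness code and not Microsoft's. It shows what the App Federation Metadata URL from step 9 actually serves: a SAML IdP EntityDescriptor carrying the IdentityProviderEntityId, SingleSignOnEndpoint, SingleLogoutEndpoint and signing certificate that Option 2 asks for, so Option 1 and Option 2 are the same data delivered two ways (fetched from the metadata URL, or pinned in configuration from the .cer file). The metadata document, tenant ID and certificate body embedded here are constructed placeholders and no network call is made; the function and class names are the example's own.

```python
"""Added example (not Business Fitness code): parse an IdP federation metadata
document shaped like the one Azure AD serves at the App Federation Metadata URL,
extract the Option 2 values, and write the signing certificate out as a .cer.
SAMPLE_METADATA is constructed: the tenant ID is a placeholder and the
certificate body is a dummy DER prefix, not a real certificate."""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"  # constructed, not a real tenant

# Constructed sample shaped like Azure AD federation metadata (no real IDs or keys).
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{PLACEHOLDER_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBAAAAAAAA</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".strip()


@dataclass(frozen=True)
class IdpSettings:
    identity_provider_entity_id: str
    single_sign_on_endpoint: str
    single_logout_endpoint: Optional[str]
    signing_certificates: Tuple[str, ...]  # base64 DER exactly as found in the metadata


def _endpoint(idp: ET.Element, path: str) -> Optional[str]:
    """Pick an endpoint Location, preferring HTTP-Redirect, then HTTP-POST."""
    by_binding = {e.get("Binding"): e.get("Location") for e in idp.findall(path, NS)}
    for binding in (HTTP_REDIRECT, HTTP_POST):
        if by_binding.get(binding):
            return by_binding[binding]
    return None


def parse_idp_metadata(xml_text: str) -> IdpSettings:
    """Extract IdentityProviderEntityId, SSO/SLO endpoints and signing certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP document)")
    sso = _endpoint(idp, "md:SingleSignOnService")
    if sso is None:
        raise ValueError("no SingleSignOnService with a supported binding")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # skip encryption-only keys
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((c.text or "").split())
            der = base64.b64decode(b64, validate=True)
            if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
                raise ValueError("X509Certificate is not DER-encoded")
            certs.append(b64)
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return IdpSettings(entity_id, sso, _endpoint(idp, "md:SingleLogoutService"), tuple(certs))


def to_pem(b64_der: str) -> str:
    """Wrap the metadata certificate as a Base64 .cer (PEM) file body."""
    body = "\n".join(b64_der[i:i + 64] for i in range(0, len(b64_der), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    settings = parse_idp_metadata(SAMPLE_METADATA)
    print(settings)
    print(to_pem(settings.signing_certificates[0]))
```

With Option 1 the identity server re-reads these values from the metadata URL; with Option 2 the certificate is pinned in configuration, so when the Azure signing certificate is rotated the new .cer has to be sent to Business Fitness rather than being picked up automatically. `to_pem` writes the same Base64 .cer layout as the portal's certificate download, which gives a quick way to confirm that the file being sent matches the signing key in the metadata.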


By following these steps and configurations, you will successfully set up SAML authentication for your application using Azure Active Directory, providing a secure and seamless authentication experience for your users.



PLEASE NOTE: Until Business Fitness publishes the complete configuration to production, you will not be able to test the connection for the Enterprise Application from the Entra Portal. Once the configuration is published to production, all requests to authenticate with the client's domain will be redirected to the SAML IdP.

User testing is required to ensure this connection is working, following a release of our Business Fitness Identity Server.



