
Single Sign-On with Microsoft Entra ID: A Comprehensive SAML Setup Guide

Single Sign-On (SSO) with Microsoft Entra ID, formerly known as Azure Active Directory, using SAML offers a secure and seamless way to authenticate users. This guide walks through SAML authentication with Entra ID, with step-by-step instructions and best practices for IT professionals and developers. Whether you are new to SSO or refining an existing setup, it aims to make your organization's SAML integration smooth and secure.

Comprehensive Overview of Microsoft Entra ID: Key Features and Benefits

(Figure: Microsoft Entra ID)

What is Microsoft Entra ID?

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management service for securely managing access to Azure Cloud applications. For organizations with on-premises Active Directory (AD), integration with Entra ID via AD Connect simplifies cloud access. It operates as a separate system, containing the same objects and identities as AD.
Internal Resources:
This allows employees to access applications on your corporate network, intranet, and any custom cloud apps developed by your organization.

External Resources:
Entra ID enables access to external resources like Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.

Suppose you have a traditional on-premises setup with Active Directory (AD) and want to integrate it with Entra ID to manage access to cloud applications. You can do so using AD Connect.
In simple terms, Entra ID is not just an extension of your on-premises directory; it is a separate copy that contains the same objects and identities.

(Figure: Microsoft Entra ID with Internal and External Resources)

How does Microsoft Entra ID operate?

Microsoft Entra ID is a cloud-based identity and access management service that belongs to the identity as a service (IDaaS) category. It serves as a secure online repository for both individual and group user profiles.

Access is managed through user accounts, each comprising a username and password. Users can be grouped in various ways, allowing for different access rights to specific applications. Additionally, identities from Microsoft or third-party software as a service (SaaS) can be created to facilitate user access to cloud applications.

To connect users with SaaS applications, Single Sign-On with Entra ID lets users access all authorized applications without logging in repeatedly. It issues access tokens, which may carry expiration times, and these tokens are stored locally on employees' devices.

Comparing Windows AD and Entra ID

(Figure: Windows Active Directory vs. Microsoft Entra ID)

Core Concepts of Entra ID

Advantages of Using Entra ID

  • Identity Management:
    Centralized management of user identities, including creation, maintenance, and deletion.
    Support for multi-factor authentication (MFA) to enhance security.
  • Access Management:
    Single Sign-On (SSO) with Entra ID capabilities to streamline user access to multiple applications.
    Conditional Access policies to enforce security requirements based on user and device conditions.
  • Security:
    Advanced threat protection to detect and respond to identity-based threats.
    Integration with Microsoft Defender for Identity for comprehensive security monitoring.
  • Compliance:
    Tools to help organizations meet regulatory requirements and maintain compliance.
    Audit logs and reports for tracking user activities and access patterns.
  • Integration:
    Seamless integration with other Microsoft services like Office 365, Dynamics 365, and Azure.
    Support for third-party applications and services through standard protocols like SAML, OAuth, and OpenID Connect.
  • External Identities:
    Management of external users, such as partners and customers, through B2B and B2C scenarios.
    Secure collaboration with external organizations while maintaining control over access.
  • Privileged Identity Management (PIM):
    Managing privileged accounts ensures that administrative access is granted only when needed.
    Monitoring and auditing of privileged activities to prevent misuse.
  • Self-Service Capabilities:
    Self-service password reset and account recovery options for users.
    User and group management features that reduce the administrative burden.

Entra ID Features and Licensing Details

This offers a flexible licensing model, including:

  • Microsoft Online Services: Free features with Office 365 or Azure subscriptions.
  • Microsoft Entra ID Premium Licenses: Advanced features are available through Premium P1 and Premium P2 licenses.

Microsoft Entra ID P1 vs P2

  • Premium P1: Provides Conditional Access, Multi-Factor Authentication (MFA), Self-Service Password Reset, and dynamic groups—ideal for hybrid identity and security management.
  • Premium P2: Includes P1 features, plus Identity Protection, Privileged Identity Management (PIM), and identity governance tools like Access Reviews and Entitlement Management for advanced compliance and security control.

Microsoft Entra ID Governance License

The Entra ID Governance License focuses on automating access control and compliance. It integrates with Premium P2 features to offer Access Reviews, Lifecycle Workflows, and Entitlement Management, ensuring streamlined access governance and regulatory compliance.

Organizations can benefit from these advanced features to improve security, manage access, and automate identity governance processes.

Overview of Entra ID Join & Connect

Entra ID Join:

  • Purpose: Entra ID Join allows devices to be registered directly with Microsoft Entra ID, enabling users to sign in with their Entra ID credentials. This facilitates access to cloud resources and applications.
  • User Experience: Users can authenticate to their devices using their Entra ID credentials, providing a seamless experience across multiple devices and applications.
  • Management: IT administrators can manage enrolled devices, apply security policies, and ensure compliance with organizational standards.
(Figure: Microsoft Entra ID Join)

Entra ID Connect:

  • Purpose: Entra ID Connect serves as a bridge between on-premises Active Directory and Microsoft Entra ID, enabling synchronization of user identities and groups.
  • Identity Synchronization: This tool allows organizations to keep their on-premises identities in sync with Entra ID, ensuring a unified identity management experience across cloud and on-premises environments.
  • Hybrid Identity: By using Entra ID Connect, organizations can implement a hybrid identity solution that allows users to access both on-premises and cloud resources using a single set of credentials.

Key Features

  • Seamless Access: Users can access applications and resources without needing to remember multiple usernames and passwords.
  • Single Sign-On (SSO): Single Sign-On with Microsoft Entra ID simplifies the login process by allowing users to authenticate once for access to various applications.
  • Conditional Access: Enhances security by applying access controls based on user context, such as device state and location.
  • Multi-Factor Authentication (MFA): Adds an additional layer of security during the authentication process.

Benefits

  • Improved Security: Organizations can enforce security policies and manage devices effectively by integrating with Entra ID.
  • Enhanced User Experience: Users benefit from streamlined access to applications, reducing login frustrations.
  • Centralized Management: IT administrators gain visibility and control over devices and identities, allowing for efficient management and compliance.

Entra ID Join and Connect provide organizations with the tools needed to manage identities and devices in a modern, cloud-centric environment while ensuring security and compliance.

(Figure: Microsoft Entra Connect)

Managing Users and Groups in Entra ID

Managing users and groups in Microsoft Entra ID can be accomplished through several methods:

Syncing from On-Premises Windows Server:
Most enterprise customers add users to the directory by synchronizing from an on-premises Windows Server Active Directory using Azure AD Sync. This method requires additional server configuration on-premises.

Manual Addition via Azure Management Portal:
Users can be added manually through the Azure Management Portal, which provides a straightforward interface for administrators to manage user accounts.

Using PowerShell:
Administrators can use PowerShell with the Azure Active Directory cmdlets to manage users and groups programmatically, allowing for automation and batch processing.

Programmatic Access via the Entra ID Graph API:
The Entra ID Graph API offers a powerful programmatic approach for managing users. It provides extensive control over how users are added to the directory, enabling customized workflows and integrations.

Key Features

  • Self-Service Capabilities: Users can manage their profiles, reset passwords, and request group memberships, reducing the burden on IT support.
  • Integration with Applications: Entra ID integrates with various applications and services, allowing users to access resources based on their group memberships.
  • Audit and Reporting: Administrators can generate reports on user activity, group memberships, and role assignments for compliance and security monitoring.

Benefits

  • Streamlined Management: Centralized management of users and groups simplifies administrative tasks and enhances efficiency.
  • Enhanced Security: Role-based access and group policies help maintain security while ensuring users have the necessary access to perform their jobs.
  • Improved Collaboration: Group features foster collaboration among users by providing shared resources and communication tools.

Step-by-Step Configuration of Microsoft Entra ID as a SAML Identity Provider

Set Up a SAML Connection in the Application

  1. Navigate to the Settings Page:
    Open the application and go to the Settings or Configuration section.
  2. Access Authentication Settings:
    Find the Authentication or Security tab.
  3. Add a New SSO Connection:
    Look for an option to add a new Single Sign-On (SSO) connection.
    Select the Custom SAML option.
  4. Configure SAML Settings:
    Click Next or Continue to proceed with the configuration.
  5. Show Advanced Details:
    Enable or select Show Advanced Details to access additional configuration options.
  6. Copy Required URLs and IDs:
    Copy the Assertion Consumer Service (ACS) URL and save it for later use.
    Copy the Entity ID and save it as well.
  7. Proceed with Configuration:
    Keep the current browser tab open and follow the specific instructions provided by your application to complete the SAML setup.

These steps provide a general framework for setting up a SAML connection across different applications.

Integrate Application with Microsoft Entra ID

  • Sign in to the Microsoft Entra admin center.
  • Open the portal menu and select Identity.
  • In the Identity menu, under Applications, click on Enterprise Applications.
  • In the Manage section, select All Applications.
  • Click on New Application.
  • Choose Create your own application.
  • Provide a name for the application.
  • Select Integrate any other application you don’t find in the gallery (Non-gallery), then click Create.
  • Under Manage, select Single sign-on.
  • Click on SAML.
  • Click the pencil icon to Edit the Basic SAML configuration.
  • In the Identifier (Entity ID) section, click the Add Identifier link and paste the Entity ID you copied earlier into the field.
  • In the Reply URL (Assertion Consumer Service URL) section, paste the Assertion Consumer Service URL that you copied previously.
  • Click Save.
  • Close the pane by clicking the X in the top right corner.
  • Leave the settings in the Attributes & Claims section at their default values.
  • In the SAML Certificates section, click Download to get the Base64 certificate, which will be used in the application's Custom SAML configuration.
  • In the Setup [App Name] section, copy the Login URL and Logout URL, and paste them into a secure text document for future reference.

Assign Users and Groups to the Application

  • Under Manage, click on Users and Groups.
  • From the menu, select Add user/group.
  • In the Add Assignment dialog, click the link under Users and Groups.
    A list of users and security groups will be displayed. You can search for specific users or groups and select multiple entries from the list.
  • Once you have selected the desired users and groups, click Select.
  • If you see the message below, you are using the free tier, which only allows you to assign users (not groups) to the enterprise app.
(Screenshot: free-tier notice shown when assigning groups)
  • Click Assign to complete the assignment of users and groups to the app.
  • Verify that the users and groups you added are listed in the Users and groups section.

Configure the SAML Settings in the Application

  1. Return to the Custom SAML modal in the application.
  2. Assign a name to the connection.
  3. Paste the Login URL (Sign-In URL) that you copied from Entra ID.
  4. Paste the Logout URL (Sign-Out URL) that you copied from Entra ID.
  5. Upload the certificate you downloaded from Entra ID.
  6. Make sure the User ID Attribute is set to the default value:
    • for example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  7. Set Sign Request to Yes.
  8. Ensure the Request Algorithm is configured to RSA-SHA256.
  9. Set the Sign Request Algorithm Digest to SHA-256.
  10. Configure the Protocol Binding to HTTP-POST.
  11. Click Save, then click Cancel to exit the configuration.
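The following is an added example, not part of the original guide or of any vendor's code, showing how the values saved during the steps above are used on the application side: it parses a SAML Response as Entra ID would POST it to the ACS URL and checks that the Destination, Audience, Issuer, signature and digest algorithms, and NameID match the Entity ID, Reply URL and algorithm settings configured here. The URLs, the tenant ID and the response itself are constructed placeholders, and the dummy signature value is not cryptographically verified.

```python
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # step 8 setting
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"                  # step 9 setting

# Values saved during setup; constructed placeholders, not real endpoints.
EXPECTED = {
    "acs_url": "https://app.example.com/saml/acs",          # Reply URL (ACS URL)
    "entity_id": "https://app.example.com/saml/metadata",   # Identifier (Entity ID)
    "idp_issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
}

# Constructed sample of a response posted to the ACS URL (signature value is a dummy).
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{EXPECTED['acs_url']}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{EXPECTED['idp_issuer']}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
      <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{EXPECTED['entity_id']}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text: str, expected: dict) -> list:
    """Structural checks an SP makes before signature verification; [] means all passed."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion element"]
    sig = a.find("ds:Signature", NS)
    sm = sig.find(".//ds:SignatureMethod", NS) if sig is not None else None
    dm = sig.find(".//ds:DigestMethod", NS) if sig is not None else None
    checks = [  # (problem reported when the condition is False, condition)
        ("Destination does not match the ACS URL", root.get("Destination") == expected["acs_url"]),
        ("Issuer is not the configured Entra ID tenant", a.findtext("saml:Issuer", "", NS) == expected["idp_issuer"]),
        ("Audience does not match the Entity ID", a.findtext(".//saml:Audience", "", NS) == expected["entity_id"]),
        ("Assertion is not signed", sig is not None),
        ("SignatureMethod is not RSA-SHA256", sm is not None and sm.get("Algorithm") == RSA_SHA256),
        ("DigestMethod is not SHA-256", dm is not None and dm.get("Algorithm") == SHA256),
        ("NameID (nameidentifier claim) is missing", bool(a.findtext(".//saml:Subject/saml:NameID", "", NS).strip())),
    ]
    return [problem for problem, ok in checks if not ok]
```

Running `check_response(SAMPLE, EXPECTED)` returns an empty list; a response whose Destination or algorithms differ from the saved setup values is reported item by item.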

Activate the SAML Connection

Once you have configured the SAML connection in your application and your identity provider, you can enable it. For detailed instructions, refer to the relevant section in your application’s Single Sign-On support documentation.

Enforce Single Sign-On

After configuring at least one single sign-on connection, you can disable the standard authentication methods. This will remove the ability for administrators in your tenant to authenticate via email/password, Google Sign-In, or Office 365 Sign-In.

Add a User to the Application

  • Add a New User:
    Navigate to the user management section of your application.
    Click New User or a similar option to add a user.
  • Fill in User Information:
    Enter the required user details. Ensure this user exists in your identity provider and is assigned to the SSO application.
  • Submit the User Information:
    Click Submit or Add to create the user.
  • Verify User Addition:
    Refresh the user management page to see the newly added user. The user should receive an email invitation to accept and log in using the new SAML SSO connection.

Conclusion

Microsoft Entra ID is more than just a cloud-based version of Active Directory; it serves different purposes. Active Directory excels at managing traditional on-premises infrastructure and applications, whereas Entra ID specializes in managing user access to cloud applications. You can use both in tandem, or if you prefer a fully cloud-based experience, you can opt for Entra ID alone. The choice largely depends on your specific service needs, which we have already covered in our discussion of their differences.
