Azure AD Connect: Use a SAML 2.0 identity provider for simple sign-in: Azure: Microsoft Sign in (2023)

This document provides information on using a SAML 2.0 compliant SP-Lite profile-based identity provider as a security token service (STS)/preferred identity provider. This script is useful when you already have an internal home directory and password store accessible with SAML 2.0. This existing user directory can be used to sign in to Microsoft 365 and other secure Azure AD resources. The SAML 2.0 SP-Lite profile builds on the widely used identity standard in Security Assertion Markup Language (SAML) to provide a framework for connecting and exchanging attributes.

Microsoft supports this sign-in experience as an integration of a Microsoft cloud service, such as Microsoft 365, with the properly configured IdP based on a SAML 2.0 profile. SAML 2.0 identity providers are third-party products, so Microsoft does not support implementation, configuration, and troubleshooting best practices. Once configured correctly, the integration with the SAML 2.0 identity provider can be tested for proper configuration using the Microsoft Connectivity Analyzer tool, described in more detail below. For more information on the SAML 2.0 SP-Lite profile-based identity provider, contact the organization that provided it.

All other clients are not available in this SAML 2.0 identity provider connection scenario. For example, the Lync 2010 desktop client cannot connect to the service if the SAML 2.0 identity provider is configured for single sign-on.

Requirements for the Azure AD SAML 2.0 protocol

This document provides detailed message format and protocol requirements that the SAML 2.0 identity provider must implement to integrate with Azure AD to enable connectivity to one or more Microsoft cloud services (such as Microsoft 365). The SAML 2.0 Relying Party (SP-STS) for a Microsoft cloud service used in this scenario is Azure AD.

It is recommended that you ensure that the output messages from the SAML 2.0 identity provider are as close as possible to the provided sample traces. Also use specific attribute values ​​from the provided Azure AD metadata where possible. Once you are satisfied with your output messages, you can test with Microsoft Connectivity Analyzer as described below.

Azure AD metadata can be downloaded from this URL:https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml.For customers in China using the Microsoft 365 China instance, the following unified endpoint should be used:https://nexus.partner.microsoftonline-p.cn/federationmetadata/saml20/federationmetadata.xml.

Frozen SAML protocol

This section describes how to create request and response message pairs to help you format your messages correctly.

Azure AD can be configured to work with identity providers using the SAML 2.0 SP Lite profile with some specific requirements listed below. Using sample SAML request and response messages, along with automated and manual tests, you can work on interop with Azure AD.

Signature block requirements

Within the SAML response message, the signature node contains digital signature information for the message itself. The signature block has the following requirements:

1. The assurance node itself must be signed
2. The RSA-sha1 algorithm should be used as the DigestMethod. Other digital signature algorithms are not accepted.
3. You can also sign the XML document.
4. The transformation algorithm must match the values ​​in the following example:
5. The SignatureMethod algorithm should match the following example:

supported links

The links are the necessary communication parameters related to the transport. The following requirements apply to promises

1. HTTPS is the required transport.
2. Azure AD requires HTTP POST to send tokens at login.
3. Azure AD uses HTTP POST for the authentication request to the identity provider and REDIRECT for the logout message to the identity provider.

Required features

This table shows the requirements for specific attributes in the SAML 2.0 message.

SAML Request and Response Message Examples

A pair of request and response messages appear for the connection messaging. The following is an example of a request message sent by Azure AD to a sample SAML 2.0 identity provider. The sample SAML 2.0 identity provider is Active Directory Federation Services (AD FS) configured to use the SAML-P protocol. Interoperability testing with other SAML 2.0 identity providers has also been performed.

 urn:federation:MicrosoftOnline  

The following is an example message response sent by the sample SAML 2.0 compliant identity provider in Azure AD/Microsoft 365.

 http://WS2012R2-0.contoso.com/adfs/services/trust     http://WS2012R2-0.contoso.com/adfs/services/trust    < ds:URI de referencia="#_7e3c1bcd-f180-4f78-83e1-7680920793aa">     CBn/5YqbheaJP425c0pHva9PhNY=   TciWMyHW2ZODrh/2xrvp5ggmcHBFEd9vrp6DY XP +hZWJzmXMmzwmwS8KNRJKy8H7XqBsdELA1Msqi8I3TmWdnoIRfM/ZAyUppo8suMu3XE2HW0z/bon rjca6JQ8gAV1ErwvRWDpyMcwdYCiWALv9Sc bkAcebOE1s1JctZ5RB XggdZWrYi72X+I4i6WgyZcIGai/rZ4v2otoWAEHS0y1yh1qT7NDPpl88FKvNfUDa PgKlKrOMZnD1lCGsViimGY+LSuIdY45MLmyaa5UT4KWph6dA==   MIIC7jCCAdagAwIBAgIQRrjsbFPaXIlOG3GTv50fkjANBgkqhkiG9w0BAQsFDAzMTEwLwYDVQQDEyhBREZTIFNpZ25pbmcgLSBXUzIwMTJSMi0ZMT4MBD3Mi0W5MbD3Mi0W5Mb1 yMDE1MTY0MFoXDTE1MDEyM DE1MTY0MFowMzExMC8GA1UEAxMoQURGUyBTaWduaW5nIC0gV1MyMDEyUjItMC5zd2luZm9ybWVyLmNvbTCCASIwDQYCADQNAggKoZEBCA Xy1QwCwZwqgbbp1/+3ZWxd9T/jV0hpLIIWr+LCOHqq8n8beJvlivg LmDJo8f+EITnAxWcsJUvVai/35AhHCUq9tc9sqMp5PWtabAEMb2XW72DQ1XW72DQ1QW2Q2Q1QBQ1Q1 nSgvlWDHlCiUo//UGsvfox01kjTFlmqQInsJVfRxF5AcCAwEAATANBgkqhkiG9w 0BAQsFAAOCAQEAi8c6C4zaTEc7aQiUgvnGQgCbMZbhUjkWFLXKS7SQeNJBhUXWXQSQe fT5wJ gsm3TPKgSehGAOTirhcqHheZyvBObAScY7GOT+u9pVYp6raFrc7ez3c+CGHeV/tNvy1hJNs12FYH4 X+ZCNFIT9tprieR25NCdi5SWUbPZL0tVYp6xJqJs mSBzZZIkvDg 7gfPSUXHVS1MQs0RHSbwq/XdQocUUhl9/e/YWCbNNxlM84BxFsBUok1dH /gzBySx+Fc8zYi7cOq9yaBT3RLT6cGmZWLPGVCV Si ==    ABCDEG1234567890       urn:federation:MicrosoftOnline     administrador@contoso.com     urn : oasis : names : tc : SAML : 2.0 : ac : classes : PasswordProtectedTransport    

Set up your SAML 2.0 compliant identity provider

This section provides guidance on how to configure your SAML 2.0 identity provider to combine with Azure AD to enable single sign-on access to one or more Microsoft cloud services (such as Microsoft 365) using the SAML 2.0 protocol. The SAML 2.0 relying party for a Microsoft cloud service used in this scenario is Azure AD.

The SAML 2.0 identity provider must comply with Azure AD relying party information. Azure AD publishes metadata tohttps://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml.

It is recommended to always import the latest metadata from Azure AD when configuring your SAML 2.0 identity provider.

Add Azure AD as a dependent party

You must enable communication between your SAML 2.0 identity provider and Azure AD. This configuration depends on the specific identity provider and you should refer to the documentation. Typically, you set the dependent ID to the same value as the Azure AD metadata entity ID.

Install the Windows PowerShell Identity Provider Connector for SAML 2.0

After configuring your SAML 2.0 identity provider for use with Azure AD sign-in, the next step is to download and install the Azure Active Directory Module for Windows PowerShell. Once installed, use these cmdlets to configure your Azure AD domains as federated domains.

The Azure Active Directory Module for Windows PowerShell is a download for managing your organization's data in Azure AD. This module installs a set of cmdlets in Windows PowerShell. Run these cmdlets to configure single sign-on access to Azure AD and then to all cloud services you've subscribed to. For instructions on how to download and install the cmdlets, see/versiones-anteriores/azure/jj151815(v=azure.100)

Establish a trust relationship between the SAML identity provider and Azure AD

Before federation can be configured in an Azure AD domain, a custom domain must be configured. You cannot merge the default domain provided by Microsoft. Microsoft's default domain ends in "onmicrosoft.com". Runs a series of cmdlets in the Windows PowerShell CLI to add or resolve individual login domains.

Any Azure Active Directory domain that you want to associate with the SAML 2.0 identity provider must be added as a login domain or converted to a single sign-on domain from a default domain. Adding or converting a domain establishes a trust relationship between the SAML 2.0 identity provider and Azure AD.

The following procedure will help you convert an existing default domain to a unified domain using SAML 2.0 SP-Lite.

Set up a domain in your Azure AD directory for federation

1. Sign in to your Azure AD directory as a tenant administrator:

Connect-MsolService

2. Configure your preferred Microsoft 365 domain to use federation with SAML 2.0:

$dom = "contoso.com" $BrandName = "Voorbeeld SAML 2.0 IDP" $LogOnUrl = "https://WS2012R2-0.contoso.com/passiveLogon" $LogOffUrl = "https://WS2012R2-0.contoso.com .com.com. /passiveLogOff" $ecpUrl = "https://WS2012R2-0.contoso.com/PAOS" $MyURI = "urn:uri:MySamlp2IDP" $MySigningCert = "MIIC7jCCAdagAwIBAgIQRrjsbFPaGKjqsqw0A DAzMTEwLwYDVQ QDEyh BREZTIFNpZ25 pbmcgLSBXUzIwMTJSMi0wLnN3aW5mb3JtZXIuY29tMB4XDTE0MDEyMDE1MTY0MFoXDT E1MDEyMDE1MTYExDT E1MDEyMDE1MTYExDT E1MDEyMDE1MTYExMowQuGaDuGaw5M1 IC0gV1MyMDEyUjItMC5zd2luZm 9yb WVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKe +rLVmXy1QwCwZwqgbbp1/kupQ VcjVQbHbTjPjKy 7oE362Gf2WMJFf1b0HcrsgLin7daRXpq 4Qi6OA57 sW1YFMj3sqyuTP0eZV3S4+ZbDVob6amsZIdIwxaLP9Zfywg2bLsGnVldB0 +XKedZwDbCLCVg+ 3ZWxd9 T/jV0hpLIIWr+LCOHqq8n8beJvlivgLmDJo8f+EITnAxWcsJUvVai/35AhHCUq9tc9sqMp5PWtabAEM b2AU72G2QBq2QBNXB2AHBQ2QBNXL SgvlWDHlCiUo//UG sv αλεπού01kjTFlmqQInsJVfRxF5AcC AweEAATANBgkqhkiG9w0BAQsFAAOCAQEAi8c6C4zaTEc7aQiUgvnGQgCbMZbhUXFRxF5AcC eAweEAATANBgkqhkiG9w0BAQsFAAOCAQEAi8c6C4zaTEc7aQ iUgvnGQgCbMZbhUXWFXLWSJQJp fT5wJgsm3TPKgSehGAOTirhcqHheZyvBOb AScY7GOT+u9pVYp6raFrc7ez3c+ CGHeV/tNvy1hJNs12FYH4X+ZCNFIT9tprieR25NCdi5SWUbPZL0tV2FxJqJs m SBzZZIkvDg7gfPSUXHVS1MQs0RHSbwq/XdQoc UUhl9/e/YWCbNNxlM84BxFsBUok1dH/gzΠόρτα Sx +Fc8zYi7cOq9yaBT3RLT6cGmFOCLFVClHZl= = " $uri = " http://WS2012R2-0.contoso.com/adfs/services/trust" $Protocol = "SAMLP" Set-MsolDomainAuthentication ` -DomainName $dom ` -FederationBrandName $BrandName ` -Autenticación Ομοσπονδ ιακή `OPa LogOnUrl ` -ActiveLogOnUri $ ecpUrl ` -SigningCertificate $MySigningCert ` -IssuerUri $MyURI ` -LogOffUri $LogOffUrl ` -PreferredAuthenticationProtocol $Protocol

3. You can get the base64-encoded signing certificate chain from the IDP metadata file. An example of this location is provided, but it may vary slightly depending on your implementation.

    MIIC5jCCAc6gAwIBAgIQLnaxUPzay6ZJsC8HVv/QfTANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBmcy50ZWNobHcmJcFiYbHMTv5 MyWhcNMTQxMTA0MTgxMzMyWjAvMS0wKwYD VQQDEyRBREZTIFNpZ25pbmcgLSBmcy50ZWNobGFiY2VudHJhbC5vcmcwggEiMA0GCSqGSIb3DQEBAQIQUAggwRt +ccbSpuuFeXMfABD9mVCi2wtkRwC30TIyPdORz642MkurdxdPCWjwgJ0HW6TvXwcO9 afH3OC5V//wEGDoncI8PV4enCzTYFe/h/h//w51uqyv858FBb3 82 ​​GQWK3g7LfhWWpp17j5bKpSd9DBH5pvrV+Q1ESU3mx71TEOvikHGCZYitEPywNeVMLRKrevdWI3FAhFjcCSO6nWDiMqCqiTDYOURXIc HVYTSof1p7YnhPJQ4KjnPjmV4TKjn4PJQ4Kjv4mV4 G6iZ3mR 1F85Ns9+hBWukQWNN2hcD/uGdPXhpdMVpBAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAK7h7jF7wPzhZ1dPl4e+XMAr8I 7TNbhKyWZwYw4+ KE06eSMybqHln3w5Ee BbLS0MEkApqHY+p68iRpguqa+W7UHKXXQVgPMCpqxMFKonX6VlSQOR64FgpBme2uG+LJ8reTgypEKspQIN0WvtPWBgMv0Wr4hbA 6Q+ceGVRImlC wZ5b7XKp4 mJZ9hlaRjeuyVrDuzBkzROSurX1OXoci08yJvhbtiBJLf3uPOJHrhjKRwIt2TnzS9ElgFZlJiDIA26Athe73nIGs3CTWL=Athe73nIGs3KJw3   

For more information about "Set-MsolDomainAuthentication", see:/versiones-anteriores/azure/dn194112(v=azure.100).

Once federation is set up, you can switch back to "unfederated" (or "managed"), but this change takes up to two hours and requires assigning new random cloud-based login passwords to each user. In some scenarios, you may need to go back to "managed" to reset a bug in your settings. For more information on domain conversion, see:/versiones-anteriores/azure/dn194122(v=azure.100).

Provide basic user concepts for Azure AD/Microsoft 365

Before you can authenticate your users to Microsoft 365, you need to provide Azure AD with user principals that match the SAML 2.0 claim assertion. If these user principals are not known in advance in Azure AD, they cannot be used for federated sign-in. Azure AD Connect or Windows PowerShell can be used to provide user principals.

Azure AD Connect can be used to provision your domains to Azure AD Directory from your internal Active Directory. For more detailed information, seeIntegreer uw on-premises con Azure Active Directory.

Windows PowerShell can also be used to automate adding new users to Azure AD and syncing changes from the local directory. To use Windows PowerShell cmdlets, you must install theAzure Active Directory Modules.

This procedure shows you how to add a single user to Azure AD.

1. Connect to your Azure AD directory as a tenant administrator: Connect-MsolService.

2. Create a new user authority:

   Nuevo -msoluser `-userprincipalname elwoodf1@contoso.com` -immutableid abcdefg1234567890 `-displayname" eLwood folk "` -firstname elwood `-lastname folk` -Alatternailes "elwood.folk@contosocococoades

For more information on the "New-MsolUser" background,/versiones-anteriores/azure/dn194096(v=azure.100)

Verify single sign-on with your SAML 2.0 IDP

Before authenticating and managing single sign-on (also known as federated identity), as an administrator, you should review the information and complete the steps in the following articles to configure single sign-on with your SAML 2.0 SP-based identity provider. light:

1. You have reviewed the Azure AD SAML 2.0 protocol requirements
2. You have configured the SAML 2.0 identity provider
3. Install Windows PowerShell to simply connect to your SAML 2.0 identity provider
4. Establish a trust relationship between your SAML 2.0 identity provider and Azure AD
5. A well-known user proof authority provided in Azure Active Directory (Microsoft 365) via Windows PowerShell or Azure AD Connect.
6. Set up directory synchronization usingAzure AD connection.

After you configure single sign-on with your SAML 2.0 SP-Lite-based identity provider, make sure it works correctly.

Use the tool to check if single sign-on is set up correctly

To verify that single sign-on is set up correctly, you can perform the following procedure to confirm that you can connect to the cloud service using your corporate credentials.

Microsoft has provided a tool that you can use to test your SAML 2.0-based identity provider. Before running the tester, you must have configured an Azure AD tenant to federate with your identity provider.

1. download itConnectiviteitsanalysator.

2. Click Install Now to begin downloading and installing the tool.

3. Select "I can't integrate with Office 365, Azure, or other services that use Azure Active Directory."

4. Once the tool has been downloaded and run, you will see the Connectivity Diagnostics window. The tool guides you through testing your federation connection.

5. Connectivity Analyzer opens the SAML 2.0 IDP so that you can connect and enter the credentials of the primary user you are testing:

   

6. The Federation Connection Test window requires you to enter an account name and password for the Azure AD tenant that is configured to federate with the SAML 2.0 identity provider. The tool attempts to connect with these credentials, and detailed results of the tests run during the connection attempt are provided as output.

   

7. This window shows a failed test result. Clicking View Detailed Results displays information about the results of each test run. You can also save the results to disk for sharing.

Manually check if single sign-on is configured correctly

Manual verification provides additional steps you can take to ensure that your SAML 2.0 identity provider works correctly in many scenarios. Perform the following steps to ensure that single sign-on is configured correctly:

1. On a domain-joined computer, sign in to the cloud service with the same login name you use for your corporate credentials.
2. Click on the password box. If single sign-on is configured, the password box will be grayed out and the following message will appear: "You must now sign in to."
3. Click the Sign In link. If you can connect, a simple login is set up.

Next steps

• Manage and customize Active Directory federation services with Azure AD Connect
• Compatibility list for Azure AD federation
• Azure AD Connect custom configuration