Azure AD Connect: Single Sign-On with SAML 2.0 IdP - Azure - Microsoft (2023)

This document provides information on using SP-Lite, a SAML 2.0 compliant profile-based identity provider, as your preferred Security Token Service (STS)/Identity Provider. This scenario is useful when you already have a local user directory and password store that can be accessed using SAML 2.0. This existing user directory can be used to sign in to Microsoft 365 and other resources secured by Azure AD. SAML 2.0 SP-Lite profiles are based on the widely used Security Assertion Markup Language (SAML) identity federation standard to provide a login structure and attribute exchange.

Microsoft supports this sign-in experience as an integration of Microsoft cloud services (such as Microsoft 365) with properly configured SAML 2.0 profile-based identity providers. The SAML 2.0 Identity Provider is a third-party product, and therefore Microsoft does not support best practice implementation, configuration, or troubleshooting of it. Once the SAML 2.0 identity provider integration is properly configured, you can test the configuration using the Microsoft Connectivity Analyzer tool, described in more detail below. For more information on identity providers based on SAML 2.0 SP-Lite profiles, please contact the organization providing it.

All other clients are unavailable in this SAML 2.0 identity provider login scenario. For example, a Lync 2010 desktop client cannot log in to a service using a SAML 2.0 identity provider configured for single sign-on.

Azure AD SAML 2.0 requirements

This document details the protocol and message format requirements that a SAML 2.0 identity provider must implement in order to federate with Azure AD to support sign-in to one or more Microsoft cloud services (such as Microsoft 365). The SAML 2.0 (SP-STS) subsidiary of the Microsoft cloud service used in this scenario is Azure AD.

We recommend ensuring that the output message from the SAML 2.0 identity provider is as similar as possible to the sample trace provided. Wherever possible, the specified attribute values ​​in the provided Azure AD metadata are also used. Once you are satisfied with the output message, you can test it using the Microsoft Connectivity Analyzer as described below.

Azure AD metadata can be downloaded from this URL:https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xmlFor China customers using China-specific Microsoft 365 instances, please use the following federation endpoint:https://nexus.partner.microsoftonline-p.cn/federationmetadata/saml20/federationmetadata.xml.

SAML protocol requirements

This section details how to combine request and response message pairs to help format messages properly.

Azure AD can be configured to work with an identity provider using a SAML 2.0 SP Lite profile with the following requirements. With sample SAML request and response messages and automated and manual testing, you can work towards interoperability with Azure AD.

signature block requirements

In a SAML response message, the Signature node contains information about the digital signature of the message itself. Signature blocks have the following requirements:

1. The assertion node itself must be signed
2. RSA-sha1 algorithm should be used as DigestMethod. Other digital signature algorithms are not accepted.
3. You can also sign XML documents.
4. The conversion algorithm must match the values ​​in the following examples:
5. The SignatureMethod algorithm should match the following example:

Support Links

Links are necessary communication parameters related to transport. The following requirements apply to binding

1. HTTPS is a mandatory transport.
2. Azure AD requires HTTP POST to send the token during login.
3. Azure AD will use HTTP POST to make an authentication request to the identity provider and REDIRECT to send a logout message to the identity provider.

required attribute

This table lists the requirements for specific attributes in SAML 2.0 messages.

Sample SAML request and response messages

Shows a pair of request and response messages for the login message exchange. Below is a sample request message sent from Azure AD to a sample SAML 2.0 identity provider. An example of a SAML 2.0 identity provider is Active Directory Federation Services (AD FS) configured to use SAML-P. Interoperability testing with other SAML 2.0 identity providers has also been done.

 Urn: Federation: Microsoft Online  

Below is a sample response message sent to Azure AD/Microsoft 365 from a sample SAML 2.0 compliant identity provider.

 http://WS2012R2-0.contoso.com/adfs/services/trust    http://WS2012R2-0.contoso.com/adfs/services/trust   < ds:URI de referencia="#_7e3c1bcd-f180-4f78-83e1-7680920793aa">     CBn/5YqbheaJP425c0pHva9PhNY=   TciWMyHW2ZODrh/2xrvp5gg mcHBFEd9vrp6DYXp +hZWJzmXMmzwmwS8KNRJKy8H7XqBsdELA1Msqi8I3TmWdnoIRfM/ZAyUppo8suMu6Zw+boE32hoQRnX9EWN/f0vH6zA/YKTzrjca 6JQ8gaV 1ErwvRWDpyMcwdYCiWALv9ScbkAcebOE 1s1JctZ5RBXggdZWrYi72X+I4i6WgyZcIGai/rZ4v2otoWAEHS0y1yh1qT7NDPpl/McDaTGkNU6C+8VfjD78DrUXEcAfKvPgKlKrOM ZnD1lCGsViimGY+ LSuIdY45MLmyaa5UT4KWph6dA==   MIIC7jCCAdagAwIBAgIQRrjsbFPaXIlOG3GTv50fkjANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhBREZTIFNpZ25pbmcgLSBXUzIwMTJSMi0wLnN3aW 5mb3JtZXIuY29tMB4XDTE0MDEy MDE1MTY0MFo XDTE1MDEyMDE1MTY0MFowMzExMC8GA1UEAxMoQURGUyBTaWduaW5nIC0gV1MyMDEyUjItMC5zd2luZm9ybWVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQ oCggEBAKe+rLVmXy1QwCwZ wqgbbp1/+3ZW xd9T/jV0hpLIIWr+LCOHqq8n8beJvlivgLmDJo8f+EITnAxWcsJUvVai/35AhHCUq9tc9sqMp5PWtabAEMb2AU72/QlX/72D2/NbGQq 1BWYbqUpgpCZ2nSgvlWDHlC iUo//UGsvfox0 1kjTFlmqQInsJVfRxF5AcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAi8c6C4zaTEC7aQiUgvnGQgCbMZbhUXXLGRpjvFLKaQzkwa9eq7WLJibcSNyG XBa/Sft5wJgsm3TPKgSehGA OTirhcqHheZyvBObASc Y7GOT+u9pVYp6raFrc7ez3c+CGHeV/tNvy1hJNs12FYH4X+ZCNFIT9tprieR25NCdi5SWUbPZL0tVzJsHc1y92b2M2FxqRDohxQgJvyJOpcg 2mSBzZZIkvDg7gfPS UXHVS1MQs0RHSbwq/XdQoc UUhl9/e/YWCbNNxlM84BxFsBUok1dH / gzBySx+Fc8zYi7cOq9yaBT3RLT6cGmFGVYZJW4FyhPZOCLVNsLlnPQcX3dDg9A==     ABCDEG1234567890       Urn: Federation: Microsoft Online    administrador@contoso.com     urn : oasis : names : tc : SAML : 2.0 : ac : classes : PasswordProtectedTransport    

Configure a SAML 2.0 Compliant Identity Provider

This section provides guidance on how to configure a SAML 2.0 identity provider to federate with Azure AD to allow SAML 2.0 single sign-on access to one or more Microsoft cloud services, such as Microsoft 365. The SAML 2.0 relying party for the Microsoft cloud service used in this scenario is Azure AD.

Your SAML 2.0 identity provider must honor the Azure AD relying party information. Azure AD publishes metadata tohttps://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml.

It is recommended to always import the latest metadata from Azure AD when configuring a SAML 2.0 identity provider.

Add Azure AD as a relying party

You must enable communication between the SAML 2.0 identity provider and Azure AD. This setting will depend on your specific identity provider and you should refer to the documentation. Typically, the relying party ID is the same as the entity ID in the Azure AD metadata.

Install Windows PowerShell to log in with a SAML 2.0 identity provider

After configuring the SAML 2.0 identity provider for Azure AD login, the next step is to download and install the Azure Active Directory Module for Windows PowerShell. Once installed, these cmdlets will be used to configure an Azure AD domain as a federated domain.

The Azure Active Directory Module for Windows PowerShell is a download for managing organizational data in Azure AD. This module installs a set of cmdlets in Windows PowerShell; run these cmdlets to configure single sign-on access to Azure AD and then to all subscribed cloud services. For instructions on how to download and install the cmdlets , see/poprzednie-wersje/azure/jj151815(v=azure.100)

Configure a trust relationship between a SAML identity provider and Azure AD

Before configuring federation in an Azure AD domain, you must configure a custom domain. The default domain provided by Microsoft cannot be federated. Microsoft's default domain ends with "onmicrosoft.com." Run a series of cmdlets in the Windows PowerShell CLI to add or switch domains for single sign-on.

Every Azure Active Directory domain that is to be federated with a SAML 2.0 identity provider must be added as a single sign-on domain or converted from a standard domain to a single sign-on domain. Adding or converting a domain establishes a trust relationship between the SAML 2.0 identity provider and Azure AD.

The following procedure will guide you in converting an existing standard domain to a federated domain using SAML 2.0 SP-Lite.

Configure domains in the Azure AD directory for federation

1. Connect to the Azure AD directory as a tenant administrator:

Connect to MsolService

2. Configure the required Microsoft 365 domains to use federation with SAML 2.0:

$dom = "contoso.com" $BrandName = "Proveedor de identidad SAML 2.0 de muestra" $LogOnUrl = "https://WS2012R2-0.contoso.com/passiveLogon" $LogOffUrl = "https://WS2012R2-0. contoso.com/passiveLogOff" $ecpUrl = "https://WS2012R2-0.contoso.com/PAOS" $myURI = "urn:uri:MySamlp2IDP" $MySigningCert = "MIIC7jCCAdagAwIBAgIQRrjsbFPaXIlOG3GTv50fkjANBgkqhkiG9w0BAQsFADAz MTEw LwY DV MC5zd Zm9yb WVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKe+rLVmXy1QwCwZwqgbbp1/kupQ VcjKuKLitVDbssFyqbDTjP7WRjlVMWAHBI3kgNT7oE362Gf2 WMJFf1b0Hcrsg Lin7daR Xpq4Qi6OA57 sW1YFMj3sqyuTP0eZV3S4+ ZbDVob6amsZIdIwxaLP9Zfywg2bLsGnVldB0+XKedZwDbCLCVg+ 3ZWxd9 T/jV0hpLIIWr+LCOHqq8n8beJvlivgLmDJo8f+EITnAxWcs JU vVai/35AhHCUq9tc9sqMp5PWtabAEM b2 AU72/QlX/72D2/NbGQq1BWYbqUpgpCZ2nSgvlWDHlCiUo// UGsvfox01kjTFlmqQInsJVfRxF5AcC AwEAATANBgkqhkiG9w0BAQsFAAOCAQ EAi8c 6C4zaTEc7aQiUgvnGQgCbMZbhUXXLGRp jvFLKaQzkwa9 eq7WLJibcSNyGXBa/Sft5wJgsm3TPKgSehGAOTirhcqH heZyvBObAScY7GOT+u9pVYp6raFrc7ez3c+ CGHeV/tNvy1hJNs12FY H4X+Z CNFIT9tprieR25NCdi5SWUbPZL0tVzJsHc1 s0RHSbwq/XdQocUUhl9/e/YWCbNNxlM84BxFsBUok1dH/ gzBy Sx+ Fc8zYi7cOq9yaBT3RLT6cGmFGVYZJW4FyhP ZOCLVNsLlnPQcX3dDg9A== " $uri = " http://WS2012R2-0.contoso.com/adfs/services/trust" $Protocol = "SAMLP" 设置-MsolDomainAuthentication ` -DomainName $dom ` -Federation BrandName $Brand Nombre ` -Autenticación federada ` -PassiveLogOnUri $ LogOnUrl ` -ActiveLogOnUri $ecpUrl ` -SigningCertificate $MySigningCert ` -IssuerUri $MyURI ` -LogOffUri $LogOffUrl ` -PreferredAuthenticationProtocol $Protocol

3. The base64-encoded string of the signing certificate can be obtained from the identity provider's metadata file. An example of this location is provided, but it may vary slightly by implementation.

    MIIC5jCCAc6gAwIBAgIQLnaxUPzay6ZJsC8HVv/QfTANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBmcy50ZWNobGFiY2VudHJhbC5vcmcw HhcNMTMxMTA0MTgxMzMyWhc NMTQxMT A0MTgxMzMyWjAvMS0wKwYDVQQQDEyRBREZTIFNpZ25pbmcgLSBmcy50ZWNobGFiY2VudHJhbC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwM dVLTr5YTSRp+ccbSpuufeXM fABD9mVCi 2wtkRwC30TIyPdORz642MkurdxdPCWjwgJ0HW6TvXwco9afH3OC5V//wEGDoNcI8PV4enCzTYFe/h//w51uqyv48Fbb3lexs+aVl8155OAj2sO9IX 64OJWKey82GQWK3g7Lfh WWpp17j5b KpSd9DBH5pvrV+Q1ESU3mx71TEOvikHGCZYiteEPywNeVMLRKrevdWI3FAhFjcCSO6nWDiMqCqiTDYOURXIcHVYTSof1YotkJ4tG6mP5Kpjzd4VQvnR7Pjb 47nhIYG6iZ3mR1F8 5Ns9+hBWukQWNN 2hcD/uGdPXhpdMVpBAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAK7h7jF7wPzhZ1dPl4e+XMAr8I7TNbhgEU3+oxKyW/IioQbvZVw1mYVCbGq9Rsw4 KE06eSMybqHln 3w5EeBbLS0MEkApqHY+ p68iRpguqa+W7UHKXXQVgPMCpqxMFKonX6VlSQOR64FgpBme2uG+LJ8reTgypEKspQIN0WvtPWmiq4zAwBp08hAacgv868c0MM4WbOYU0rzMIR6Q +ceGVRImlCwZ5b 7XKp4mJZ9hlaRjeuyV rDuzBkzROSurX1OXoci08yJvhbtiBJLf3uPOJHrhjKRwIt2TnzS9ElgFZlJiDIA26Athe73n43CT0af2IG6yC7e6sK4L3NEXJrwwUZk=   

For more information about 'Set-MsolDomainAuthentication', see:/poprzednie-wersje/azure/dn194112(v=azure.100).

Once federation is configured, it is possible to switch back to "non-federated" (or "managed") mode; however, this change can take up to two hours and requires each user to be assigned a new random cloud login password. In some cases, you may need to go back to Admin to reset errors in the settings. For more information on domain transitions, see:/poprzednie-wersje/azure/dn194122(v=azure.100).

Provision user principals in Azure AD/Microsoft 365

Before users can authenticate to Microsoft 365, Azure AD must be provisioned with a user principal that matches the SAML 2.0 assertion assertion. If these principals are not known to Azure AD in advance, they cannot be used for federated login. You can use Azure AD Connect or Windows PowerShell to provision user principals.

Azure AD Connect can be used to provision security principals from on-premises Active Directory to domains in the Azure AD directory. For more details, seeIntegrate on-premises directories with Azure Active Directory.

Windows PowerShell can also be used to automatically add new users to Azure AD and synchronize changes in the on-premises directory. To use the Windows PowerShell cmdlets, you must download the取模 Azure Active Directory.

This procedure shows you how to add a single user to Azure AD.

1. Connect to the Azure AD directory as a tenant administrator: Connect-MsolService.

2. Create a new username:

   New-MsolUser ` -UserPrincipalName elwoodf1@contoso.com ` -ImmutableId ABCDEFG1234567890 ` -DisplayName "Elwood Folk" ` -FirstName Elwood ` -LastName Folk ` -AlternateEmailAddresses "Elwood.Folk@contoso.com" ` -UsageLocation "US"

For more information on the "New-MsolUser" checkout process,/poprzednie-wersje/azure/dn194096(v=azure.100)

Authenticating single sign-on using a SAML 2.0 identity provider

As an administrator, before authenticating and managing single sign-on (also known as federated identities), review and follow the steps in the following articles to configure single sign-on using a SAML 2.0 SP-Lite-based identity provider:

1. You have reviewed the Azure AD SAML 2.0 protocol requirements
2. You have configured a SAML 2.0 Identity Provider
3. Install Windows PowerShell for single sign-on with a SAML 2.0 identity provider
4. Configure a trust relationship between a SAML 2.0 identity provider and Azure AD
5. You shared a known test username with Azure Active Directory (Microsoft 365) through Windows PowerShell or Azure AD Connect.
6. Configure directory synchronizationAzure AD connection.

After configuring single sign-on with a SAML 2.0 SP-Lite based identity provider, you need to verify that it is working correctly.

Use this tool to verify that single sign-on is set up correctly

To verify that single sign-on is set up correctly, you can complete the following procedure to confirm that you can log in to the cloud service using your corporate credentials.

Microsoft provides a tool that you can use to test SAML 2.0-based identity providers. Before running the test harness, you must configure your Azure AD tenant to federate with your identity provider.

1. downloadConnectivity Analyzer.

2. Click Install Now to start downloading and installing the tool.

3. Select I can't federate with Office 365, Azure, or other services that use Azure Active Directory.

4. After downloading and running the tool, you will see the connection diagnostic window. The tool will guide you through testing federated connections.

5. Connectivity Analyzer will open your SAML 2.0 identity provider to log in and enter the subject credentials of the user you are testing:

   

6. In the Federation Test Login window, enter the account name and password of the Azure AD tenant configured to federate with the SAML 2.0 identity provider. The tool will attempt to log in using these credentials, and detailed results of the tests performed during the login attempt will be provided as output.

   

7. This window displays the results of failed tests. Clicking View Detailed Results displays information about the results of each test performed. You can also save the results to disk for sharing.

Manually verify that single sign-on is set up correctly

Manual authentication provides additional steps you can take to ensure that your SAML 2.0 identity provider is working correctly in many cases. To verify that single sign-on is set up correctly, follow these steps:

1. On a domain-joined computer, log in to the cloud service using the same login you use with your company credentials.
2. Click inside the password field. If single sign-on is configured, the password field will be grayed out and you will see the following message: "You must now log in to”。
3. Click on the login link.If you can log in, you have set up single sign-on.

Next step

• Manage and customize Active Directory Federation Services with Azure AD Connect
• Azure AD Federation Compatibility Matrix
• Custom installation of Azure AD Connect