Unlock Black Friday Savings: Flat 20% Off on IAM, CIAM, & PAM Licenses - Claim Now
 +1 978 658 9387    Login  
Hello there!

Need Help? We are right here!

Support Icon
miniOrange Email Support
success

Thanks for your Enquiry. Our team will soon reach out to you.

If you don't hear from us within 24 hours, please feel free to send a follow-up email to info@xecurify.com

Search Results:

×

Configure Microsoft Entra ID as SAML or OAuth IDP for SSO

miniOrange Identity Broker service solution enables cross protocol authentication. You can configure Microsoft Entra ID (Formerly Azure AD) as an IDP for Single Sign-On (SSO) into your applications/websites. Here, Microsoft Entra ID (Formerly Azure AD) will act as an Identity Provider (IDP) and miniOrange will act as a broker.

We offer a pre-built solution for integrating with Microsoft Entra ID (Formerly Azure AD), making it easier and quick to implement. Our team can also help you set up Microsoft Entra ID (Formerly Azure AD) as SAML or OIDC IDP to login into your applications.

Get Free Installation Help


miniOrange offers free help through a consultation call with our System Engineers to configure SSO for different apps using Microsoft Entra ID (Formerly Azure AD) as IDP in your environment with 30-day free trial.

For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you in no time.



Prerequisites

Please make sure your organisation branding is already set under Customization >> Login and Registration Branding in the left menu of the dashboard.


Follow the Step-by-Step Guide given below for Microsoft Entra ID (Formerly Azure AD) SSO

1. Configure miniOrange as SP in Microsoft Entra ID (Formerly Azure AD)

Mentioned below are steps to configure Microsoft Entra ID (Formerly Azure AD) as IDP via SAML and OAuth configuration. Follow the steps accordingly based on your requirement (SAML or OAuth).


  • Go to miniOrange Admin console and navigate to Identity Providers in the left navigation menu. Then, click on Add Identity Provider button.
    • Azure AD as IDP: Add Identity Provider

  • Now click on the Click here link to get miniOrange metadata as shown in Screen below.
    • Microsoft Entra ID (Formerly Azure AD) IDP : Get miniorange metadata

  • For SP - Initiated SSO section, select Show Metadata Details.
    • Microsoft Entra ID (Formerly Azure AD) SAML IDP : SP intiated Metadata

  • Click on Download Metadata.
    • Microsoft Entra ID (Formerly Azure AD) SSO : SAML attributes

  • Now Log in to Microsoft Entra ID (Formerly Azure AD) Portal.
  • Select Microsoft Entra ID (Formerly Azure AD).
    • Configuring Microsoft Entra ID (Formerly Azure AD) as IDP click on Microsoft Entra ID (Formerly Azure AD)

  • Select Enterprise Application.
    • Microsoft Entra ID (Formerly Azure AD) as IDP : Enterprise Applications

  • Click on New Application.
    • Microsoft Entra ID (Formerly Azure AD) as IDP : Adding New Application

  • Click on Create your own Application under Browse Microsoft Entra ID (Formerly Azure AD) Gallery.
    • Microsoft Entra ID (Formerly Azure AD) SAML IDP : Create application

  • Enter the name for your app, then select Non-gallery application section and click on Create button.
    • Microsoft Entra ID (Formerly Azure AD) IDP : Non-gallery application

  • Click on Set up single sign on.
    • Microsoft Entra ID (Formerly Azure AD) Identity Provider : Setup SSO

  • Select the SAML tab.
    • Microsoft Entra ID (Formerly Azure AD) as IDP : Select SAML

  • Upload the downloaded metadata file in Metadata tab to get the Entity ID, ACS URL, and the Single Logout URL from miniOrange.
    • Microsoft Entra ID (Formerly Azure AD) as IDP : SAML configuration

  • By default, the following Attributes will be sent in the SAML response. You can view or edit the claims sent in the SAML response to the application under the Attributes tab.
    • Microsoft Entra ID (Formerly Azure AD) as IDP : SAML attributes

  • Copy the App Federation Metadata Url or Download the Federation Metadata XML file to get the Endpoints required for configuring your Service Provider.
    • Microsoft Entra ID (Formerly Azure AD) SSO : Federation metadata file

  • Assign users and groups to your SAML application.
    • As a security control, Microsoft Entra ID (Formerly Azure AD) will not issue a token allowing a user to sign in to the application unless Microsoft Entra ID (Formerly Azure AD) has granted access to the user. Users may be granted access directly, or through group membership.
    • Navigate to Users and groups tab and click on Add user/group.
      • Microsoft Entra ID (Formerly Azure AD) SAML IDP : Assign groups and users

    • Click on Users to assign the required user and then click on select.
      • Microsoft Entra ID (Formerly Azure AD) Identity Provider : Add users

    • You can also assign a role to your application under Select Role section. Finally, click on Assign button to assign that user or group to the SAML application.
  • Go to miniOrange Admin Console.
  • From the left navigation bar select Identity Providers >> click Add Identity Provider.
    • Microsoft Entra ID (Formerly Azure AD) SSO : Go to Identity Providers

  • Select OAuth 2.0 and copy the OAuth Callback URL which we will use to configure Microsoft Entra ID (Formerly Azure AD) as OAuth Server/Provider.
    • Microsoft Entra ID (Formerly Azure AD) Single Sign On : Select OAuth 2.0

  • Now log in to Microsoft Entra ID (Formerly Azure AD) Portal.
  • Select Microsoft Entra ID (Formerly Azure AD).
    • Select Microsoft Entra ID (Formerly Azure AD)

  • In the left-hand navigation pane, click on Manage >> App registrations.
    • Microsoft Entra ID (Formerly Azure AD) SAML IDP : Go to Manage > App registrations

  • Click on New registration.
    • Microsoft Entra ID (Formerly Azure AD) SAML IDP : Click on New registration

  • When the Register an application page appears, enter your application's registration information.
    • Name: Name of the application.
    • Supported account types: Select one of the listed options as per your choice. You can also refer to Help me choose an option if needed.
    • Select a Platform: select Web as a platform and paste the copied Callback / Redirect URL (which we copied in the above step) in the Redirect URI text field.
  • Click on Register.
    • Microsoft Entra ID (Formerly Azure AD) IDP : Adding New Application

  • Microsoft Entra ID (Formerly Azure AD) assigns a unique Application ID to your application. The Application ID is your Client ID and the Directory ID is your Tenant ID, keep these values handy as you will need them to configure the service provider.
    • Microsoft Entra ID (Formerly Azure AD) SSO : Copy Application ID and Directory ID

  • In the left navigation panel, go to Manage >> Certificates & Secrets.
    • Microsoft Entra ID (Formerly Azure AD) SAML IDP : Go to Manage > Certificates & Secrets

  • Click on New Client Secret. Enter Description and Expires time from dropdown and click on Add option.
    • Microsoft Entra ID (Formerly Azure AD) SAML IDP : Click New Client secret

  • Copy the secret key Value and save it, as you'll need it later in Step 2 to configure the Client Secret in the miniOrange Service Provider.
    • Microsoft Entra ID (Formerly Azure AD) IDP : Copy Secret Value it's your client secret

  • Then, go to Overview >> Endpoints, and copy the OAuth 2.0 authorization endpoint and OAuth 2.0 token endpoint, as they will be requited later.
    • Microsoft Entra ID (Formerly Azure AD) IDP : Go to Overview > click Endpoints

2. Configure Microsoft Entra ID (Formerly Azure AD) as IDP in miniOrange


  • Go to miniOrange Admin Console.
  • From the left navigation bar select Identity Providers.
  • Click on Add Identity Provider button.
    • Add Identity Provider to configure SSO

  • Select SAML. Click on Import IDP metadata.
    • Select SAML to configure Microsoft Entra ID (Formerly Azure AD) as IDP

  • Choose an appropriate IDP name. Enter the URL which you have saved in the previous step from Microsoft Entra ID (Formerly Azure AD).
  • Click on Import.
    • Microsoft Entra ID (Formerly Azure AD) as IdP Import Data

  • As shown in the below screen the IDP Entity ID, SAML SSO Login URL and x.509 Certificate will be filled from the Metadata url we just imported.
    • Configuring Microsoft Entra ID (Formerly Azure AD) as IdP : SAML SSO Login URL and x.509 Certificate

  • Click Save.

    Follow the steps to configure Microsoft Entra ID (Formerly Azure AD) as IdP by OAuth configuration.

  • Go to miniOrange Admin Console.
  • From the left navigation bar select Identity Providers >> Add Identity Provider. Select OAuth 2.0.
    • Microsoft Entra ID (Formerly Azure AD) SSO : Select Identity Providers

    Select OAuth to setup Microsoft Entra ID (Formerly Azure AD) as IDP

  • Enter the following values.
    • IdP Name Custom Provider
    IdP Display Name Choose appropriate Name
    OAuth Authorize Endpoint https://login.microsoftonline.com/{tenant-id}/oauth2/authorize
    OAuth Access Token Endpoint https://login.microsoftonline.com/{tenant-id}/oauth2/token
    OAuth Get User Info Endpoint (optional) https://graph.microsoft.com/oidc/userinfo
    Client ID From step 1
    Client secret From step 1
    Scope openid email profile

3. Test Connection

  • Visit your Login Page URL.
  • Go to Identity Providers tab.
  • Click on Select >> Test Connection option against the Identity Provider (IDP) you configured.
    • Microsoft Entra ID (Formerly Azure AD)-IDP-TestConnection

  • On entering valid Microsoft Entra ID (Formerly Azure AD) credentials (credentials of user assigned to app created in Microsoft Entra ID (Formerly Azure AD)), you will see a pop-up window which is shown in the below screen.
    • SucessTestConn-Microsoft Entra ID (Formerly Azure AD)-IDP

  • Hence your configuration of Microsoft Entra ID (Formerly Azure AD) as IDP in miniOrange is successfully completed.

Note:

You can follow this guide, if you want to configure SAML/WS-FED, OAuth/OIDC, JWT, Radius etc


Configure Attribute Mapping

  • Go to Identity Providers >> View Identity Providers >> Your configured Microsoft Entra ID (Formerly Azure AD) as IdP.
  • Now click on Select and then Configure Attribute Mapping of your application.
    • Microsoft Entra ID (Formerly Azure AD) Single Sign-On SSO Select and Configure Attribute Mapping

  • Under Attribute Type - EXTERNAL for the external attributes that need to be transformed and sent to applications or service providers.
  • Click on the + Add Attribute button to add the attribute fields.
    • Microsoft Entra ID (Formerly Azure AD) Single Sign-On SSO Map External Attribute

  • Check attributes in test connection window from last step. Enter the attribute names (any name) that you want to send to your application under Attribute Name sent to SP.
  • Enter the value of attributes that are coming from IdP into the Attribute Name from IdP field on the Xecurify side.

Setup Multiple IDPs (Optional)

  • You can configure multiple IDPs (Identity Providers) and give users the option to select the IDP of their choice to authenticate with.
    For Example - It could be multiple AD domains belonging to different departments or multiple okta organizations.

    • Few usecases where customers configure multiple IDPs -

  • Suppose you have a product which many of your clients use and each client has their own unique IDP so you want them to SSO into your product as well using their existing IDP only. miniOrange provides a centralized way to connect with all IDPs in a very easy manner and integrate SSO into your application.
  • Suppose you are providing a course to many universities, each having a unique SAML, OAuth protocol supported IDP's like Shibboleth, ADFS, CAS, etc. You can provide Single Sign-On (SSO) into your course application to all these universities by integrating with all of them using a single platform provided by miniOrange.
  • This is the endpoint to call from your SAML application -
    • For Cloud IDP - https://login.xecurify.com/moas/discovery?customerId=<customer_id>
    For On-Premise IDP - https://yourdomain.com/discovery?customerId=<customer_id>

  • You should copy the Customer Key from admin console-> Settings -> and replace it with <customer_id> here. Once configured in SP, when you initiate the login from Service Provider, a user will be redirected to IDP Selection Page listing all IDPs configured for that account.

    • You can see the screenshot below of the IDP Selection Page with a list of IDPs.


    Note: To view the IDP in drop-down list, go to Identity Providers tab > against your configured IDP > Select >Edit , here Enable the Show IdP to Users option.

    Select your IDP (Identity Provider) to login

  • You also have the option to modify the appearance and design of this page. Login to miniOrange Admin console. Navigate to Customization -> Branding Configuration. See the below screenshot for reference-

    • Customize IDP selection login page

  • You can customize the title of this page.
  • Change the logo and favicon for this page.
  • Change the background and button color for this page from admin UI.

Troubleshooting

You receive these error message when you try to SSO in to an application that has been set up to use Microsoft Entra ID (Formerly Azure AD) as External IdP using SAML or OAuth based Single Sign-On (SSO).

Error AADSTS50105 - The signed in user is not assigned to a role for the application

Cause:

The user hasn't been granted access to the application in Microsoft Entra ID (Formerly Azure AD). The user must belong to a group that is assigned to the application, or be assigned directly.

Resolution:

To assign one or more users to an application directly, see Quickstart: Assign users to an app.

Error AADSTS50003 - No signing key configured

Cause:

The application object is corrupted and Microsoft Entra ID (Formerly Azure AD) doesn't recognize the certificate configured for the application.

Resolution:

To delete and create a new certificate, follow the steps below:

  • On the SAML-based SSO configuration screen, select Create new certificate under the SAML signing Certificate section.
  • Select Expiration date and then click Save.
  • Check Make new certificate active to override the active certificate. Then, click Save at the top of the pane and accept to activate the rollover certificate.
  • Under the SAML Signing Certificate section, click remove to remove the Unused certificate.

Error AADSTS50011 with SAML authentication - The reply URL specified in the request does not match

Cause:

The AssertionConsumerServiceURL value in the SAML request doesn't match the Reply URL value or pattern configured in Microsoft Entra ID (Formerly Azure AD). The AssertionConsumerServiceURL value in the SAML request is the URL you see in the error.

Resolution:

To fix the issue, follow these steps:

  • Ensure that the AssertionConsumerServiceURL value in the SAML request matches the Reply URL value configured in Microsoft Entra ID (Formerly Azure AD).
  • Verify or update the value in the Reply URL textbox to match the AssertionConsumerServiceURL value in the SAML request.

Error AADSTS650056 - Misconfigured application

Cause:

The Issuer attribute sent from miniOrange to Microsoft Entra ID (Formerly Azure AD) in the SAML request doesn’t match the Identifier value configured for the miniOrange in Microsoft Entra ID (Formerly Azure AD).

Resolution:

Ensure that the Issuer attribute in the SAML request matches the Identifier value configured in Microsoft Entra ID (Formerly Azure AD).

Verify that the value in the Identifier textbox matches the value for the identifier value displayed in the error.

Error AADSTS70001 - Application with Identifier was not found in the directory

Cause:

The Issuer attribute sent from the application to Microsoft Entra ID (Formerly Azure AD) in the SAML request doesn’t match the Identifier value that's configured for the application in Microsoft Entra ID (Formerly Azure AD).

Resolution:

Ensure that the Issuer attribute in the SAML request matches the Identifier value configured in Microsoft Entra ID (Formerly Azure AD).

On the SAML-based SSO configuration page, in the Basic SAML configuration section, verify that the value in the Identifier textbox matches the value for the identifier value displayed in the error. If there's a trailing slash at the end of the url, it should be also included.

Error AADSTS75005 - The request is not a valid Saml2 protocol message

Cause:

Microsoft Entra ID (Formerly Azure AD) doesn't support the SAML request sent by the miniOrange for single sign-on. Some common issues are:

  • Missing required fields in the SAML request.
  • SAML request encoded method.

Resolution:

Capture the SAML request in SAML Tracer.

Contact us and share the following info:

Problem when customizing the SAML claims sent to miniOrange

To learn how to customise the SAML attribute claims sent to your application, see Claims mapping in Microsoft Entra ID (Formerly Azure AD). And also, see below the attribute mapping in miniOrange.

In Azure portal, you can access the logs to verify successful logins. This will help establish a baseline for successful authentication. Whenever login access is denied, closely review the login attempts in the logs.

Activity click Sign in Logs

Addressing Login Issues Without Azure:

You can use the SAML-tracer extension for Chrome to diagnose and resolve SAML-related problems in Operations Hub. Follow these steps:

  • Install SAML-tracer: Add the SAML-tracer extension to your Chrome browser.
  • Access SAML-tracer: Open SAML-tracer from your browser extensions.
  • Reproduce the Issue: Log in to Operations Hub as you normally would to reproduce the SSO login issue.
  • Inspect SAML Messages: In SAML-tracer, look for POST messages
    • Select the specific POST message related to the SSO login attempt.
    • Next select the Summary tab for detailed information about the SAML attributes exchanged.
    • Review the SAML attribute names and values exchanged during the SSO attempt, and compare them against the expected values.
    • If you notice that the SAML group attribute names are incorrect (refer to screen shot), this could be the cause of the login issue.
      • SAML Tracer

    • Replace the incorrect attribute names with the correct ones to fix the login issue.

Retrieving Azure Login Screen:

In case you encounter a situation where the Azure login screen does not appear, then do the following to address this issue:

  • Check your SAML Azure configuration. Verify the group attribute name and the corresponding group name. Any mismatch in attribute names can lead to access issues.
  • Clear your browser cache and login again.

Additional Resources

Want To Schedule A Demo?

Request a Demo
  



Our Other Identity & Access Management Products

Single Sign-On

Seamless login for workforce and customer identity to cloud or on-premise apps

Learn more

Multi-factor Authentication

Secure access for identities with an additional layer of authentication

Learn more

Adaptive Authentication

Block or grant user access based on IP, Device, Time & Location

Learn more

Lifecycle Management

Manage & automate user provisioning and deprovisioning to apps

Learn More