What is SAML and How to Configure It?

Introduction to SAML

Security Assertion Markup Language (SAML) is an XML-based authentication standard used for Single Sign-On (SSO). It allows users to log in once and access multiple applications without entering credentials repeatedly.

Why Use SAML?

  • Enhanced Security: SAML enables authentication via an identity provider (IdP) rather than storing credentials in multiple applications.
  • SSO Capabilities: Users only log in once to access different apps.
  • Interoperability: Works across various identity providers and service providers.

How SAML Works

  1. User Requests Access: The user tries to access an application (Service Provider – SP).
  2. Redirect to Identity Provider (IdP): The user is redirected to the IdP for authentication.
  3. Authentication & Assertion: The IdP verifies credentials and sends a SAML assertion (authentication token) back.
  4. User Gains Access: The SP validates the assertion and grants access.
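Step 4 is where most of the protocol's security lives: the SP must check more than that the assertion parses. As an added example that is not part of the original article, here are the policy checks an SP applies to a received assertion, in Python, using the Entity ID and Reply URL values configured later on this page; the IdP issuer, the request ID and the sample assertion are constructed placeholders, and signature verification itself is left to an XML-DSig library.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Hypothetical SP settings mirroring the Basic SAML Configuration values on this page; the IdP
# issuer is a placeholder that in practice comes from the IdP's Federation Metadata XML.
SP = {"entity_id": "https://yourapp.com", "acs_url": "https://yourapp.com/sso/callback",
      "idp_issuer": "https://idp.example.test/"}

def saml_time(value):
    # SAML times are UTC with a trailing "Z"; fromisoformat() only accepts "+00:00" before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(xml_text, sp, now, request_id, skew=timedelta(minutes=2)):
    """Return the policy failures for one <saml:Assertion> (empty list = accepted). Signature verification
    must be done first by an XML-DSig library such as xmlsec; here we only reject an unsigned assertion."""
    a = ET.fromstring(xml_text)
    errors = []
    if a.find("ds:Signature", NS) is None:
        errors.append("assertion is not signed")
    if a.findtext("saml:Issuer", default="", namespaces=NS) != sp["idp_issuer"]:
        errors.append("issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        if "NotBefore" in cond.attrib and now + skew < saml_time(cond.get("NotBefore")):
            errors.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and now - skew >= saml_time(cond.get("NotOnOrAfter")):
            errors.append("assertion expired")
        if sp["entity_id"] not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            errors.append("audience does not include this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != sp["acs_url"]:
            errors.append("recipient is not our ACS URL")
        if scd.get("InResponseTo") != request_id:
            errors.append("InResponseTo does not match the AuthnRequest we sent")
    return errors
# Constructed sample (not a real IdP response); the empty Signature element stands in for a real XML-DSig.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"><saml:Issuer>https://idp.example.test/</saml:Issuer><ds:Signature/>
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    InResponseTo="_req1" Recipient="https://yourapp.com/sso/callback"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"><saml:AudienceRestriction>
    <saml:Audience>https://yourapp.com</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def validate_sample(now_iso="2024-05-01T12:01:00Z", request_id="_req1"):
    return validate_assertion(SAMPLE, SP, saml_time(now_iso), request_id)
```

Each check maps to a known class of SAML misuse: a replayed or stale assertion fails the time window and InResponseTo checks, and one issued for a different application fails the Audience and Recipient checks.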

How to Configure SAML Authentication in Entra ID

To set up SAML-based authentication in Entra ID, follow these steps:

Step 1: Register an Enterprise Application

  1. Go to Microsoft Entra ID in the Azure Portal.
  2. Navigate to Enterprise Applications > New Application.
  3. Select Non-gallery application and provide a name for your app.
  4. Click Create.

Step 2: Configure Single Sign-On (SSO)

  1. In the newly created app, go to Single sign-on.
  2. Choose SAML as the authentication method.
  3. Configure the Basic SAML Configuration:
    • Identifier (Entity ID): https://yourapp.com
    • Reply URL (Assertion Consumer Service URL): https://yourapp.com/sso/callback
    • Sign-on URL: https://yourapp.com/login
  4. Click Save.

Step 3: Download & Share SAML Metadata

  • Download the Federation Metadata XML from the SAML Signing Certificate section.
  • Provide this XML file to the Service Provider (SP) to complete the integration.

Step 4: Assign Users to the Application

  1. Go to Users and Groups in the Enterprise Application.
  2. Assign users who should have access to the app.

Step 5: Test SSO

  1. Click on Test SSO in the SAML settings.
  2. Ensure authentication is successful and users can log in.

Configuring SAML in Entra ID Using PowerShell

You can automate the setup using the Microsoft Graph PowerShell SDK (the Microsoft.Graph module), which calls the Microsoft Graph API.

Step 1: Connect to Microsoft Graph

```powershell
# Sign in with the delegated scopes needed to manage applications and app role assignments
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
```
Step 2: Register an Enterprise Application

```powershell
# An enterprise application is the service principal of an app registration in this tenant, so -AppId must be
# the Application (client) ID of YOUR app. 00000003-0000-0000-c000-000000000000 is Microsoft Graph's own app ID
# and would not create a service principal for your SAML app. (Alternatively, instantiate the non-gallery
# application template with Invoke-MgInstantiateApplicationTemplate, which creates both objects at once.)
$enterpriseApp = New-MgServicePrincipal -AppId "<your-application-client-id>"
```
Step 3: Configure SAML SSO

```powershell
# Look up the service principal (enterprise app) by its display name
$sp = Get-MgServicePrincipal -Filter "DisplayName eq 'YourAppName'"

# Set SAML properties: the SSO mode, the Reply URL (ACS) from Basic SAML Configuration, and the
# thumbprint of the certificate shown under SAML Signing Certificate in the portal
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -PreferredSingleSignOnMode "saml" `
    -ReplyUrls @("https://yourapp.com/sso/callback") `
    -PreferredTokenSigningKeyThumbprint "<signing-certificate-thumbprint>"
```
Step 4: Assign Users

```powershell
# -UserId accepts an object ID or UPN; Get-MgUser has no -UserPrincipalName parameter
$user = Get-MgUser -UserId "user@yourdomain.com"
# -PrincipalId is required; -AppRoleId must be a role GUID from $sp.AppRoles (00000000-0000-0000-0000-000000000000 = default access)
New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId "<app-role-id>"
```

Conclusion

SAML authentication provides a secure and efficient way for users to authenticate with multiple applications using a single sign-on (SSO) process. Configuring SAML in Microsoft Entra ID enhances security, simplifies user access, and integrates seamlessly with cloud-based applications.

Entra ID App Registration – Introduction, Purpose, and PowerShell Guide

Introduction

Microsoft Entra ID (formerly known as Azure AD) is the identity and access management (IAM) solution for Microsoft cloud services. App registration in Entra ID is essential for integrating applications with Entra ID, enabling authentication and authorization for users and services.

Purpose of Entra ID App Registration

Entra ID App Registration allows developers and IT admins to:

  • Enable secure authentication for applications.
  • Configure permissions for Microsoft Graph and other APIs.
  • Use OAuth 2.0 and OpenID Connect for secure authentication.
  • Enable multi-tenant access for applications.

By registering an app, you establish its identity with Entra ID, allowing it to authenticate users and access resources.


Creating an Entra ID App Registration Using PowerShell

To create an app registration in Entra ID using PowerShell, follow these steps:

Prerequisites

  • You must have the AzureAD or Microsoft.Graph PowerShell module installed.
  • You need Global Administrator or Application Administrator permissions.

Steps to Create an App Registration Using PowerShell

Step 1: Install and Connect to Microsoft Graph PowerShell

```powershell
# Install the Microsoft Graph PowerShell module if not installed
Install-Module Microsoft.Graph -Scope CurrentUser

# Connect to Entra ID with the required permissions
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
```
Step 2: Create the App Registration

```powershell
# Define the application name
$appName = "MyEntraApp"

# Register the application
$app = New-MgApplication -DisplayName $appName

# Output the app details
$app
```
Step 3: Create a Service Principal for the App

```powershell
# Create a service principal to enable authentication for the app
$sp = New-MgServicePrincipal -AppId $app.AppId

# Output the service principal details
$sp
```
Step 4: Assign API Permissions

```powershell
# Define API permissions: type "Role" is an application permission, "Scope" a delegated one; the id is the
# permission's GUID as published by the resource app (Microsoft Graph's appRoles / oauth2PermissionScopes)
$graphPermission = @{
    "resourceAppId" = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
    "resourceAccess" = @(@{"id"="<permission-id>";"type"="Role"})  # replace <permission-id> with the permission's GUID
}

# Declare the permissions on the app registration (RequiredResourceAccess is an array);
# an administrator must still grant consent before the app can use them
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @($graphPermission)
```
Step 5: Generate a Client Secret

```powershell
# Create a client secret for the application
$clientSecret = Add-MgApplicationPassword -ApplicationId $app.Id -DisplayName "MySecret"

# Output client secret details
$clientSecret
```
Step 6: Retrieve the App Details

```powershell
Write-Host "Application ID: $($app.AppId)"
Write-Host "Service Principal ID: $($sp.Id)"
Write-Host "Client Secret: $($clientSecret.SecretText) (Copy this as it won't be retrievable again!)"
```

Conclusion

By following these steps, you have successfully registered an application in Microsoft Entra ID using PowerShell. This setup allows your app to authenticate users, request API permissions, and securely interact with cloud resources.
