Skip to main content

Tutorial: How to Configure SAML with Entra ID

Abstract

A step-by-step guide for configuring SAML authentication on Access Server with Microsoft Entra ID (formerly Azure AD).

Overview

Access Server 2.11 and newer supports authentication using SAML with Microsoft Entra ID as the identity provider. You can configure this in Entra ID with Access Server as your service provider.

The following steps walk you through enabling SAML authentication for users and groups from Entra ID to Access Server.

Prerequisites

You need the following to get started:

Step 1: Create the Entra ID SSO application

With Entra ID, you must create a custom SAML application for SSO.

Now that you have your SP information, you can create a new Entra ID SAML app and enter that information during app creation:

  1. Sign in to your Azure portal as a global administrator.

  2. Click to manage Microsoft Entra ID.

  3. Click Enterprise Applications from the menu.

  4. Click +New application.

    • You can browse or search the Microsoft Entra Gallery.

  5. Search for "SAML" and click SAML 1.1 Token enabled LOB App from the results.

  6. Click Create.

  7. After the application is created, click Set up Single Sign-On.

  8. Click Edit for Basic SAML Configuration.

  9. Use the SP information from Access Server to enter the following into the Entra ID SAML app configuration:

    • Identifier (Entity ID): Enter the Access Server SP Identity.

    • Reply URL (Assertion Consumer Service URL): Enter the Access Server SP ACS.

    • Relay State (Optional): Enter 'cws' for the Client Web UI or 'profile' to provide users with a downloadable profile. (See "How to set IdP-initiated flow" for details.)

  10. Click Save.

Next, you provide the Entra ID SAML app data to Access Server. The simplest way is to provide metadata through a URL (first option) or downloaded file (second option).

Option 1: Copy the Entra ID metadata URL

  1. Ensure you’re still in the Single sign-on section of your SAML app.

  2. Under SAML Certificates, copy the App Federation Metadata Url.

Option 2: Download the Entra ID metadata file

  1. Ensure you’re still in the Single sign-on section of your SAML app.

  2. Under SAML Certificates, locate the Federation Metadata XML and click Download.

Step 2: Provide Entra ID metadata to Access Server

Now that you have the Entra ID metadata, you can provide it to Access Server, which can automatically populate information for the identity provider.

If you copied the URL, follow the steps below to paste it into the SAML page for Access Server. If you downloaded the XML file, follow the steps below to upload it to the SAML page for Access Server.

Option 1: Paste the Entra ID metadata URL in the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.

  4. In the field, IdP Metadata URL, paste the URL you copied from Entra ID and click Get and Update Running Server.

    • The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

Option 2: Upload the Entra ID metadata file in the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.

  4. In the field, Select IdP Metadata, click Choose File to upload the XML file you downloaded from Entra ID, then click Upload and Update Running Server.

    • The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

After saving, you should see the following data populated automatically by either the URL or the XML file:

  • IdP EntityId.

  • Sign On Endpoint.

  • Certificate (PEM format).

Step 3: Assign SAML as user authentication

Optional: How to set up IdP-initiated flow

You can configure an IdP-initiated flow for signing into Access Server from their Azure My Apps portal with the following steps:

  1. Sign in to the Azure portal.

  2. Browse to Identity > Applications > Enterprise applications.

  3. Select your SAML application.

  4. Once the application loads, select Single sign-on from the left-hand menu.

  5. Edit the Basic SAML Configuration.

  6. Enter one of the following under Relay State (Optional):

    1. cws: This directs your users to the Client Web UI after sign-in.

    2. profile: This directs your users to a profile download after sign-in.

  7. Save changes.

Test that the option displays for your user (for example, using the 'cws' relay state):

  1. Sign in to your Azure My Apps as a SAML user.

  2. Find the SAML application linked with Access Server and click on it.

  3. You should be directed to the Access Server Client Web UI without additional authentication requirements.

In this section: