
Tutorial: How to Configure SAML with Entra ID

Abstract

A step-by-step guide for configuring SAML authentication on Access Server with Microsoft Entra ID (formerly Azure AD).

Overview

Access Server supports authentication using SAML with Microsoft Entra ID as the identity provider. You can configure this in Entra ID with Access Server as your service provider.

The following steps walk you through enabling SAML authentication for users and groups from Entra ID to Access Server.

You need the following to get started:

Important

We recommend using all lowercase usernames when signing in with SAML.

With Entra ID, you must create a custom SAML application for SSO.

Now that you have your SP information, you can create a new Entra ID SAML app and enter that information during app creation:

  1. Sign in to your Azure portal as a global administrator.

  2. Click to manage Microsoft Entra ID.

  3. Click Enterprise Applications from the menu.

  4. Click +New application.

  5. Click Create your own application.

  6. Enter a name for the application.

  7. Select Integrate any other application you don't find in the gallery and click Create.

  8. After the application is created, click Set up Single Sign-On under Getting Started.

  9. Click SAML under Select a single sign-on method.

  10. Click Edit for Basic SAML Configuration.

  11. Use the SP information from Access Server to enter the following into the Entra ID SAML app configuration:

    • Identifier (Entity ID): Enter the Access Server SP Identity.

    • Reply URL (Assertion Consumer Service URL): Enter the Access Server SP ACS.

    • Relay State (Optional): Enter 'cws' for the Client Web UI or 'profile' to provide users with a downloadable profile. (See "How to set IdP-initiated flow" for details.)

  12. Click Save.

Now, we need to assign users or groups that will be authenticated via SAML to the newly created app.

Then, you'll provide the Entra ID SAML app data to Access Server. The simplest way is to provide metadata through a URL (option 1) or downloaded file (option 2).

Assign users or groups to SAML app

  1. For the SAML app, select Users and Groups under Manage in the navigation menu.

  2. Click + Add user/group.

  3. Click on Non Selected under Users and Groups.

  4. Select users or groups you want to assign, click Select, then click Assign.

Option 1: Copy the Entra ID metadata URL

  1. Ensure you’re still in the Single sign-on section of your SAML app.

  2. Under SAML Certificates, copy the App Federation Metadata Url.

Option 2: Download the Entra ID metadata file

  1. Ensure you’re still in the Single sign-on section of your SAML app.

  2. Under SAML Certificates, locate the Federation Metadata XML and click Download.

Now that you have the Entra ID metadata, you can provide it to Access Server, which can automatically populate information for the identity provider.

If you copied the URL, follow the steps below to paste it into the SAML page for Access Server. If you downloaded the XML file, follow the steps below to upload it to the SAML page for Access Server.

Option 1: Paste the Entra ID metadata URL in the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Authentication.

  3. Click the SAML tab.

  4. Set Enable SAML authentication to Enabled.

  5. Under Configure Identity Provider (IdP), click Configure using metadata URL/file.

    • The Configure using metadata modal displays.

  6. In the field, IdP metadata configuration URL, paste the URL you copied from Entra ID, and click Get.

    • If the URL isn't valid, a message displays. Otherwise, the Identity Provider data populates the corresponding fields.

  7. Click Save and Restart.

You can now enable SAML as the global default authentication or for specific groups and users.

Tutorial: SAML user groups

You can configure an IdP-initiated flow so that users sign in to Access Server from their Azure My Apps portal with the following steps:

  1. Sign in to the Azure portal.

  2. Browse to Identity > Applications > Enterprise applications.

  3. Select your SAML application.

  4. Once the application loads, select Single sign-on from the left-hand menu.

  5. Edit the Basic SAML Configuration.

  6. Enter one of the following under Relay State (Optional):

    1. cws: This directs your users to the Client Web UI after sign-in.

    2. profile: This directs your users to a profile download after sign-in.

  7. Save changes.

Test that the option displays for your user (for example, using the 'cws' relay state):

  1. Sign in to your Azure My Apps as a SAML user.

  2. Find the SAML application linked with Access Server and click on it.

  3. You should be directed to the Access Server Client Web UI without additional authentication requirements.

You can automate group assignments for access control rules using a post-authentication Python script.

Refer to the steps in this tutorial: