Configure Azure Entra ID SAML 2.0 IdP for JIT & Non JIT
Objective
This page describes the Microsoft Entra ID SAML 2.0 setup with JIT and Non JIT flows.
It has a detailed step-by-step guide for registering an enterprise SAML 2.0 application in Microsoft Entra ID as an Identity Provider and configuring Access Management 2.0 as a Service Provider (SP) to enable SAML-based identity federation.
Introduction
This guide covers configuring Microsoft Entra ID as the Identity Provider (IdP) with Access Management 2.0 (AM 2.0) as the Service Provider (SP) using the SAML 2.0 protocol.
This documentation provides a comprehensive guide to setting up and configuring Microsoft Entra ID (formerly Azure Active Directory) as the IdP and Access Management 2.0 as the SP using SAML 2.0 protocol. This setup enables secure single sign-on (SSO) capabilities for enterprise applications while leveraging the robust identity and access management features of Microsoft Entra ID and the flexibility of AM 2.0.
Additionally, this guide covers the implementation of Just-In-Time (JIT) provisioning, which automatically creates user accounts in Access Management 2.0 as they log in, streamlining user management and enhancing operational efficiency.
Prerequisites
Before proceeding, ensure you have the following:
- Microsoft Entra ID Tenant: Administrative access to configure enterprise applications in the Azure portal.
- Access Management 2.0 Server: A working AM 2.0 instance installed and accessible with administrative privileges.
- Basic knowledge of SAML 2.0: Familiarity with SAML 2.0 terminology and workflow, including metadata exchange, assertions, and bindings.
- SSL/TLS Setup: Both Microsoft Entra ID and AM 2.0 should be configured to use HTTPS for secure communication.
Key Features
Seamless SSO with SAML 2.0: This integration leverages SAML 2.0 to provide a secure and seamless SSO experience for users, allowing them to authenticate through Microsoft Entra ID and access applications managed in AM 2.0 without needing to re-enter credentials.
JIT Provisioning Support: With JIT provisioning enabled, user accounts are dynamically created or updated in Access Management 2.0 the first time a user authenticates through Microsoft Entra ID. This eliminates the need for manual user synchronization, reducing administrative overhead.
Flexible Configuration: This guide provides step-by-step instructions for:
- Registering and configuring an enterprise application in Microsoft Entra ID as an IdP.
- Exchanging metadata between Microsoft Entra ID and AM 2.0 to establish trust.
- Mapping SAML attributes to AM 2.0 user properties to support JIT provisioning.
Customizable Role and Attribute Mapping: The configuration supports advanced mappings of user roles and attributes from Microsoft Entra ID to Access Management 2.0, enabling fine-grained access control and dynamic policy enforcement.
Scope of the Documentation
This document is divided into the following sections:
Registering a SAML 2.0 Application in Microsoft Entra ID:
- How to create and configure an Enterprise Application in Microsoft Entra ID.
- Configuring SAML settings, including identifier (Entity ID), reply URL (Assertion Consumer Service URL), and signing certificate.
Configuring Access Management 2.0 as a SAML Service Provider:
- Importing IdP metadata into AM 2.0.
- Defining SAML client settings, including binding, principal type, and signature settings.
- Mapping SAML attributes to AM 2.0 user properties.
Enabling Just-In-Time (JIT) Provisioning in Access Management 2.0:
- Configuring user attribute mappings for automatic account creation and updates.
- Customizing role assignments and group memberships during provisioning.
By the end of this guide, you will have a fully functional SAML 2.0 integration between Microsoft Entra ID and AM 2.0, complete with JIT provisioning support for a scalable and efficient user authentication workflow.
Steps to achieve AM 2.0 integration with Microsoft Azure
Step 1: Sign in to the Azure Portal
- Navigate to the Azure Portal.
- Sign in using an account with administrative permissions for Microsoft Entra ID.
Step 2: Create a New Enterprise Application in the Azure portal
1. Click on the Enterprise Application icon.
2. Click on New Application.
3. Click on Create your own application.
4. Give a name to your application.
5. Select the Integrate any other application you don't find in the gallery (Non-gallery application) radio button.
6. Click Create. This creates a basic SAML application in the Azure portal and takes you to its overview page.
7. After the application is created, click on the Set up single sign-on tile.
8. Select SAML as the single sign-on method.
9. In the SAML Certificates tile, you will see the App Federation Metadata URL field, which points to the IdP metadata. Keep this URL handy for step 4.
Step 3: Sign in to the AM 2.0 portal
Log in to the AM 2.0 Admin Console and select the maactive realm.
Note: If you have Restricted Admin Access on AM 2.0, use this URL instead:
https://<stack_name>-auth.<domain_name>/auth/admin/maactive/console/
Step 4: Create an IDP config in the AM 2.0 portal
1. Click on the Identity Providers option in the left panel and select SAML v2.0 from the drop-down.
2. Enter the Alias. This will be the default display name on the login page.
   Note that the Alias forms part of the redirect URI. If the Redirect URI is not displayed, you can construct it yourself and keep it handy. For example, if the Alias is set to samlazure, the Redirect URI is:
   https://localdocker:8443/auth/realms/sample/broker/samlazure/endpoint
3. Optionally, enter a Display Name. This is the name shown on the login page if it needs to differ from the alias.
4. Take note of the Service provider entity ID value from the same page.
5. In the Service entity descriptor field, paste the URL you copied in step 2.9. If the URL is correct, a green tick appears on the right.
6. Click on Add. This creates a basic SP configuration on AM 2.0 for this Azure application.
7. Scroll down and set the Want AuthnRequests signed option to On.
8. Scroll to the bottom of AM 2.0's provider configuration page and select First Login Flow and Post Login Flow, if not already pre-selected.
9. Click on Save.
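Step 4 imports the IdP metadata behind the App Federation Metadata URL, and everything AM 2.0 later trusts (the IdP entityID, the SSO endpoints, and the certificate used to verify assertion signatures) comes from that document. The following script, added here as an example and not code from AM 2.0 or Microsoft Entra ID, parses such an entity descriptor and reports the values the SP trust is built from, flagging a missing signing certificate or a non-HTTPS endpoint before the import. The metadata document in the script is constructed: the tenant id, URLs and certificate body are placeholders standing in for what the real URL returns.

```python
"""Inspect an IdP entity descriptor before it is imported into the SP.

Added example for this guide; it is not code from AM 2.0 or Microsoft Entra ID.
The metadata below is CONSTRUCTED: the tenant id, URLs and certificate body are
placeholders that stand in for what the App Federation Metadata URL returns.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of an Entra ID federation metadata document.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-PLACEHOLDER-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the values the SP trust configuration is built from."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor: not an IdP descriptor")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            signing_certs.append("".join((cert.text or "").split()))

    sso_endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        sso_endpoints[sso.get("Binding")] = sso.get("Location")

    return {
        "entity_id": root.get("entityID"),
        "signing_certs": signing_certs,
        "sso_endpoints": sso_endpoints,
    }


def check_idp_metadata(info):
    """Return a list of findings; an empty list means the descriptor is usable."""
    findings = []
    if not info["entity_id"]:
        findings.append("entityID is empty; the SP cannot match the assertion Issuer")
    if not info["signing_certs"]:
        findings.append("no signing certificate; the SP cannot verify assertion signatures")
    if HTTP_REDIRECT not in info["sso_endpoints"] and HTTP_POST not in info["sso_endpoints"]:
        findings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, location in info["sso_endpoints"].items():
        if not (location or "").startswith("https://"):
            findings.append(f"SSO endpoint for {binding} is not HTTPS: {location}")
    return findings


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", parsed["entity_id"])
    print("signing certificates:", len(parsed["signing_certs"]))
    for binding, location in parsed["sso_endpoints"].items():
        print(binding.rsplit(":", 1)[-1], "->", location)
    print("findings:", check_idp_metadata(parsed) or "none")
```

To run it against a real tenant, fetch the App Federation Metadata URL over HTTPS and pass the response body to parse_idp_metadata. The signing certificate reported here is the one AM 2.0 uses to verify assertions, so when Entra ID rotates that certificate the descriptor has to be re-imported in step 4.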
Step 5: Configure AM 2.0 details in Azure IDP
1. In the Single sign-on tab, edit the Basic SAML Configuration and fill in the Identifier (Entity ID) with the Service provider entity ID from step 4.4.
2. Copy the Redirect URI from step 4.2, click Add reply URL, and paste it as the Reply URL (Assertion Consumer Service URL).
3. Click the Save button at the top. A confirmation message is shown once the settings are saved.
Step 6: Configure the User.UserId mapper on both the AM 2.0 and Azure sides
1. To add mappers in AM 2.0, click the Mappers tab on the same SP configuration page, then click the Add mapper button.
2. Configure the User.UserId mapper by filling in the fields as shown in the image below.
3. Click on Save.
4. To add this attribute on the Azure IdP side, go to the Single sign-on tab and edit the Attributes & Claims tile.
5. Click on Add new claim and add User.UserId as an attribute as shown below.
Step 7: Configure mapping for JIT (this step is mandatory only if you want to enable SAML JIT)
1. To add mappers in AM 2.0, click the Mappers tab on the same SP configuration page, then click the Add mapper button.
2. Configure the User.LocaleId mapper by filling in the fields as shown in the image below.
3. Click on Save.
4. Similarly, configure the User.PrimaryOrgId mapper by filling in the fields as shown in the image below.
5. Click on Save.
6. Similarly, configure the User.Roles mapper by filling in the fields as shown in the image below.
7. Click on Save.
8. To add these attributes on the Azure IdP side, go to the Single sign-on tab and edit the Attributes & Claims tile.
9. Click on Add new claim, then add the User.LocaleId, User.PrimaryOrgId, and User.Roles attributes individually.
Step 8: Additional attributes configuration
If additional attributes are needed, they can be configured as well. The attributes that can be configured are listed below.
AM 2.0 matches on these exact attribute names, so the claims sent from Azure must use them verbatim for AM 2.0 to receive them.
The attributes below can be configured on the IdP as well as on the SP.
| Access Management 2.0 SAML Attribute Name |
|---|
| User.UserId |
| User.PrimaryOrgId |
| User.FirstName |
| User.LastName |
| User.LocaleId |
| User.DateOfBirth |
| User.UserOrgs |
| User.Locations |
| User.Gender |
| User.Address1 |
| User.Address2 |
| User.City |
| User.State |
| User.PostalCode |
| User.Country |
| User.Phone |
| User.Email2 |
| User.UserTimeZone |
| User.AvailableUserLocales |
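Because AM 2.0 only picks up claims whose names match the table exactly, a claim that is misspelled or differs in case on the Azure side (for example User.LocaleID instead of User.LocaleId) is silently ignored, and for a JIT user that means a missing locale or organization at first login. The following script, added here as an example and not code from AM 2.0 or Microsoft Entra ID, reads the AttributeStatement of a SAML response and reports the required names from steps 6 and 7 that are absent, plus any User.* name that does not match the table. The response it parses is constructed (placeholder issuer, ids and values) and unsigned; the script checks configuration, not the signature.

```python
"""Check the attributes in a SAML response against the AM 2.0 attribute names.

Added example for this guide; it is not code from AM 2.0 or Microsoft Entra ID.
The response below is CONSTRUCTED (placeholder issuer, ids and values) and is
unsigned: this is a claim-name check, not signature validation.
"""
import difflib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Names from the attribute table above, plus User.Roles from step 7.
KNOWN_ATTRIBUTES = {
    "User.UserId", "User.PrimaryOrgId", "User.FirstName", "User.LastName",
    "User.LocaleId", "User.DateOfBirth", "User.UserOrgs", "User.Locations",
    "User.Gender", "User.Address1", "User.Address2", "User.City", "User.State",
    "User.PostalCode", "User.Country", "User.Phone", "User.Email2",
    "User.UserTimeZone", "User.AvailableUserLocales", "User.Roles",
}
REQUIRED_ALWAYS = {"User.UserId"}                                    # step 6
REQUIRED_FOR_JIT = {"User.LocaleId", "User.PrimaryOrgId", "User.Roles"}  # step 7

# Constructed response: one correct multi-valued claim, one misspelled claim
# (User.LocaleID), and one Entra ID default claim that AM 2.0 does not map.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-placeholder"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_assertion-placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.UserId"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.PrimaryOrgId"><saml:AttributeValue>ORG-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.Roles">
        <saml:AttributeValue>ROLE_A</saml:AttributeValue>
        <saml:AttributeValue>ROLE_B</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.LocaleID"><saml:AttributeValue>en-US</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_attributes(response_xml):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_attributes(attrs, jit):
    """Return findings: missing required names and User.* names AM 2.0 will not match."""
    findings = []
    required = REQUIRED_ALWAYS | (REQUIRED_FOR_JIT if jit else set())
    for name in sorted(required - set(attrs)):
        findings.append(f"missing required attribute {name}")
    for name in sorted(attrs):
        if name in KNOWN_ATTRIBUTES or not name.startswith("User."):
            continue  # non-User.* claims (Entra ID defaults) are simply not mapped
        close = difflib.get_close_matches(name, sorted(KNOWN_ATTRIBUTES), n=1, cutoff=0.8)
        hint = f"; closest AM 2.0 name is {close[0]}" if close else ""
        findings.append(f"unknown attribute name {name} is ignored by AM 2.0{hint}")
    for name, values in attrs.items():
        if name in required and not any(values):
            findings.append(f"required attribute {name} has no value")
    return findings


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_RESPONSE)
    for name, values in found.items():
        print(f"{name} = {values}")
    for finding in check_attributes(found, jit=True):
        print("finding:", finding)
```

In practice the input is the base64-decoded SAMLResponse from a browser capture of a test login; run with jit=False for the non-JIT flow, where only User.UserId from step 6 is required.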
Author
- Shipra Choudhary: Senior Software Engineer, Security, Manhattan Active® Platform, R&D.