SAML-based SSO configuration for Azure AD

Follow these steps to set up SSO to access Azure AD through ManageEngine Identity360.

Note:
  • SSO can be enabled only for domains that are verified in Azure AD.
  • SSO cannot be enabled for "onmicrosoft.com" domains that are created by Microsoft.
  • SSO cannot be enabled for the default domain (the primary domain in which users are created). It can only be configured for custom domains. Azure AD prohibits SSO configuration for default domains to ensure that administrators can log in to Azure AD regardless of issues with the identity provider. If your organization does not have a custom Azure AD domain, you need to create one to configure SSO.

Steps to update the ImmutableID value in Azure AD

To enable SSO to Azure AD through Identity360, it is mandatory to have the ImmutableID attribute as the unique identifier in Azure AD. You can create new users with the ImmutableID attribute or update existing users' ImmutableID attribute value in Azure AD using the following PowerShell commands.

Command to update the ImmutableID attribute for existing users

Command to create new users with the ImmutableID attribute

Note: You can check whether the update was successful using this command: Get-MsolUser -UserPrincipalName "<user_mailID>" | select userprincipalname, Immutableid
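The two command listings above are illustrated here by an added PowerShell example that is not the help page's own code. It assumes the MSOnline module is installed (Install-Module MSOnline) and that Connect-MsolService has already succeeded as an account with user-administration rights; the UPNs and display name are placeholders. How Identity360 derives the identifier it sends in the SAML assertion is not described on this page, so the script treats the ImmutableID value as something you obtain from your Identity360 user mapping (an assumption) and concentrates on setting it safely and verifying it.

```powershell
# Added example, not the Identity360 help page's own commands.
# Assumes: MSOnline module installed, Connect-MsolService already done.
# UPNs, display names and ImmutableID values below are placeholders.

# The ImmutableID is what Azure AD matches against the user identifier in the
# SAML assertion. It must be unique per user and must not change once SSO is
# live, otherwise the user stops being matched. The value must be the same one
# Identity360 will send for that user (assumption: take it from your
# Identity360 user mapping; this page does not say how it is derived).

# Update an existing user. Refuses to overwrite an ImmutableID that is already
# set unless -Force is given, because silently changing it breaks SSO for
# that user.
function Set-UserImmutableId {
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [Parameter(Mandatory)] [string]$ImmutableId,
        [switch]$Force
    )
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    if ($user.ImmutableId -and -not $Force) {
        throw "ImmutableID for $UserPrincipalName is already '$($user.ImmutableId)'; pass -Force to overwrite"
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $ImmutableId
}

# Create a new user with the ImmutableID set at creation time.
function New-UserWithImmutableId {
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [Parameter(Mandatory)] [string]$DisplayName,
        [Parameter(Mandatory)] [string]$ImmutableId
    )
    New-MsolUser -UserPrincipalName $UserPrincipalName -DisplayName $DisplayName -ImmutableId $ImmutableId
}

# The check from the note above, turned into an explicit pass/fail.
function Test-UserImmutableId {
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [Parameter(Mandatory)] [string]$Expected
    )
    $actual = Get-MsolUser -UserPrincipalName $UserPrincipalName | Select-Object -ExpandProperty ImmutableId
    if ($actual -eq $Expected) { return $true }
    Write-Warning "$UserPrincipalName has ImmutableID '$actual', expected '$Expected'"
    return $false
}

# Usage with placeholder values. $idFromIdentity360 is the identifier
# Identity360 will present for this user (assumption, see above).
$idFromIdentity360 = "<ImmutableID value for this user>"
Set-UserImmutableId -UserPrincipalName "jane.doe@mycompany.com" -ImmutableId $idFromIdentity360
if (-not (Test-UserImmutableId -UserPrincipalName "jane.doe@mycompany.com" -Expected $idFromIdentity360)) {
    throw "ImmutableID verification failed; do not enable SSO for this domain yet"
}
```

Run the check for every user in the domain before federating it: once the domain is federated, a user whose ImmutableID does not match what Identity360 sends cannot sign in to Azure AD at all.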

Steps to enable SSO for Azure AD in Identity360

  1. Log in to Identity360 as an Admin or Super Admin.
  2. Navigate to Applications > Application Integration. Click Create New Application on the Configured Applications page. If you have not configured any applications yet, proceed to step 3.
  3. Find Azure Active Directory by entering its name in the search bar on the Application Integration page.
  4. Select the application, and under the General Settings tab, enter the Application Name and Description if necessary.
  5. Select SSO under the Choose Capabilities section to enable SSO for Azure AD and click Continue.
  6. Under Integration Settings, select SAML as the SSO protocol used by the application and enter the Relay State parameter, if necessary.
  7. Click Metadata Details, copy the Login URL, Logout URL, and Entity ID/Issuer URL, and download the Signing Certificate. These three values and the certificate are what you enter in Azure AD in the next section.
  8. Click Save to complete the SSO configuration for the application in Identity360.

Steps to configure SSO authentication in Azure AD

  1. Open PowerShell with admin rights. The MSOnline module must be installed (Install-Module MSOnline).
  2. Connect to MsolService with the following command.
     Connect-MsolService
     
  3. Use this command to list the domains in the tenant.
     Get-MsolDomain
     
  4. Set the domain for which you would like to enable SSO. It must be a verified custom domain, not the default domain or an onmicrosoft.com domain (see the notes at the top of this page).
     $dom = "mycompany.com"
     
  5. Set $url to the Login URL, $uri to the Entity ID/Issuer URL, and $logouturl to the Logout URL copied from the Metadata Details in Identity360.
     $url = "<login URL value>"
     For example, $url = "https://id360.manageengine.com/iamapps/ssologin/AZURE_DIRECTORY/0f60f225259698fa55c235f7ab956cc40012e8db"
     $uri = "<Entity ID/Issuer URL value>"
     For example, $uri = "https://idmp-c1.csez.zohocorpin.com:8443/iamapps/ssologin/AZURE_DIRECTORY/ab6ca4dcfb2c1b18a8d2dcaa34346fd90c42b3f9"
     $logouturl = "<logout URL value>"
     For example, $logouturl = "https://id360.manageengine.com/iamapps/ssologout/AZURE_DIRECTORY/0f60f225259698fa55c235f7ab956cc40012e8db"
     
  6. Set $cert to the Base64 content of the signing certificate downloaded from Identity360. Paste only the certificate body, without the BEGIN CERTIFICATE and END CERTIFICATE lines and without line breaks. Azure AD will accept any SAML assertion signed with the private key behind this certificate for any user in the domain, so take the value only from the certificate you downloaded yourself.
     $cert = "<SSO certificate>"
     For example, $cert = "MIICqjCCAhOgAwIBAgIJAN..........dTOjFfqqA="
     
  7. Run the following command to enable SSO in Azure AD.
     Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
     
  8. Confirm the SAML SSO configuration by running the command below. Check that PassiveLogOnUri, IssuerUri, and LogOffUri match the values copied from Identity360 and that PreferredAuthenticationProtocol is Samlp.
     Get-MsolDomainFederationSettings -DomainName "mycompany.com" | Format-List *
     
  9. Reconfigure or update SSO settings: If you are already using SSO for Azure AD from another identity provider, or want to update the Identity360 SSO settings, you must first disable SSO in Azure AD and then follow the steps in this guide again. To disable SSO in Azure AD, use the commands below. The same commands return the domain to password authentication in Azure AD if SSO through Identity360 stops working.
     $dom = "mycompany.com"
     Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Managed
     

Copyright © 2024, ZOHO Corp. All Rights Reserved.