# How to create an App in Azure AD (SAML, SSO)

To sign in to our own custom applications with our Microsoft accounts, we need to create an "Enterprise application" (backed by an "App registration") that exposes a SAML endpoint.

# Pitfalls ahead!

There are several ways you can approach the creation, but most will result in an undesired state with no practical use for our custom application. This document outlines the one way we found that produces a working app. Follow it closely!

# Creating the app

  1. Head over to the Azure Portal and sign in with a user that has sufficient privileges

  2. Navigate to Enterprise applications (if it is not visible, try the search field in the header navigation bar)

    (Screenshot: Enterprise applications icon)

  3. Click on New application

    (Screenshot: New Enterprise application)

  4. Click on Create your own application

    (Screenshot: Create your own Enterprise application)

  5. Enter a name for your application and make sure "Integrate any other application you don't find in the gallery (Non-gallery)" is selected!

    (Screenshot: Name your Enterprise application)

  6. Click the Create button

    (Screenshot: Create button)

# Configure Single sign-on (client)

We will use AWS Cognito as an example here. Other clients should work similarly.

  1. In Enterprise applications, search for the app you've just created and click on it

    (Screenshot: Enterprise applications list)

  2. Click on Single sign-on in the menu on the left

    (Screenshot: Enterprise applications, Single sign-on)

  3. Click on SAML

    (Screenshot: Enterprise applications, Single sign-on)

    1. Click on Edit in the Basic SAML Configuration card

    (Screenshot: Enterprise applications, Single sign-on)

    2. Enter the Identifier (Entity ID). For AWS Cognito you will need to use the UserPool ID as shown below.

    (Screenshot: Enterprise applications, Single sign-on)

    3. Enter the Reply URL. In this case it's the AWS Cognito endpoint.

    (Screenshot: Enterprise applications, Single sign-on)

    4. Click on Save

    (Screenshot: Enterprise applications, Single sign-on)

  4. It might be wise to copy the Metadata URL now, as you will need it to configure the identity provider in Cognito

    (Screenshot: Enterprise applications, Single sign-on)

# The security group "hack"

Security groups are used to assign users to an application, granting access simply by adding a user to a group instead of to the app directly.

Our license with Microsoft does not actually allow us to assign users to an app via a group: you simply can't add a group in the dialog. But it is still possible to get one (or more) groups in there. With the Self-service option, a user can request, or directly get, access to an app that has Self-service enabled, and Microsoft adds the user to a group automatically. That group naturally needs to be able to use the app, right!?

  • The result: Microsoft adds the group automatically even though, technically, the license does not allow it.
  • Now the fun part: the added group is retained even if Self-service is disabled again.
  • Phase 3: Profit!

# Create a new group

  1. Navigate to Groups (if it is not visible, try the search field in the header navigation bar)

    (Screenshot: Groups icon)

  2. Click on New group

    (Screenshot: New group)

  3. Fill in the New group form

    1. Enter a group name

    Note: By convention, our groups used for permission purposes are prefixed with sec. followed by the application provider (giffits. for apps we've developed), e.g. sec.giffits.my-awesome-app

    2. Enter a useful description
    3. You do not actually need to set owners
    4. Add members you already know will need access to your application

    (Screenshot: New group form)

  4. Click the Create button

    (Screenshot: Create button)

# Configure the group via "the hack"

  1. Make sure you have configured Single sign-on (see above)

  2. In Enterprise applications, search for the app you've just created and click on it

    (Screenshot: Enterprise applications list)

  3. Click on Self-service in the menu on the left

    (Screenshot: Enterprise applications, Self-service navigation)

  4. Set "Allow users to request access to this application?" to Yes and click on Select group

    (Screenshot: Enterprise applications, Self-service enable)

  5. Search for and select the group created earlier

    (Screenshot: Enterprise applications, Self-service enable)

  6. Click on Select

    (Screenshot: Enterprise applications, Self-service enable)

  7. Set "Allow users to request access to this application?" back to No and click on Save

    (Screenshot: Enterprise applications, Self-service enable)

  8. To verify that the group has been added, click on Users and groups on the left

    (Screenshot: Enterprise applications, Self-service enable)

  9. The list should now contain the group!

    (Screenshot: Enterprise applications, Self-service enable)

Page Info: Created by GitHub on Jun 9, 2023