I’m often asked whether Azure AD supports IdP-initiated SAML sign-on.
There is documentation here and I quote:
“Customers with Azure Active Directory Premium license also get these additional capabilities:
- Self-service integration of any application that supports SAML 2.0 identity providers (SP-initiated or IdP-initiated)”.
But there’s not a lot of detail on how it works or how you invoke it.
I was sidetracked by assuming that there was a single URL that invoked this flow, à la ADFS, where the URL is:
(Aside: in ADFS this is disabled by default.)
But there are in fact many URLs, and the way you invoke it is via the access panel, i.e.
So let’s create a custom SAML application:
The Identifier (entity ID) and the Reply URL (ACS endpoint) are just dummy values.
Add your user in “Users and groups”.
Note the information bar at the top.
By default, this SAML application will appear on that user’s My Apps panel. The SAML application is the Service Provider (SP).
You can turn that off under Properties.
So the myapps panel is now:
So the user clicks “SAMLMyApps”.
The user is already authenticated to Azure AD, so they are not asked to log in.
If they weren’t, they would see the Azure AD login screen at this point, like:
The browser is then sent to the SP.
Since this is a dummy entry, you get an error, but note that the browser was sent to the configured ACS endpoint.
Looking at the traffic, we see a POST to somesamlapp.co.nz:
POST https://somesamlapp.co.nz/acs HTTP/1.1
Host: somesamlapp.co.nz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
and the payload (the SAMLResponse form field, decoded) is a SAML Response:
<samlp:Response ID="_6840aed7-...-e59c9d7abdf0"
                Version="2.0"
                IssueInstant="2018-09-21T00:47:50.986Z"
                Destination="https://somesamlapp.co.nz/acs"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/00d562...29816c79/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
and the status is “Success”.
And this is exactly the SAML IdP-initiated flow: the user authenticates to Azure AD first and is then sent to the SP with a SAML response carrying the token.
It can’t be SP-initiated because the SP doesn’t exist, so no AuthnRequest was ever made; consistent with that, the Response above has no InResponseTo attribute.
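To make the SP side of that capture concrete, here is an added example (my own illustration, not code from the post or from Azure AD): it rebuilds the browser's POST to the ACS from a Response modelled on the excerpt above, then runs the checks an SP has to make on an unsolicited, IdP-initiated response. The Assertion body and the all-zero tenant ID in the issuer are constructed placeholders; the ACS and audience reuse the post's dummy somesamlapp.co.nz values. XML-DSig signature verification is deliberately left out and must be done first in a real SP.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What this SP expects. Tenant ID in the issuer is a placeholder (assumption);
# ACS and audience follow the dummy values used in the post.
TENANT_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
ACS_URL = "https://somesamlapp.co.nz/acs"
AUDIENCE = "https://somesamlapp.co.nz"

# Constructed sample, not a real capture: modelled on the Response excerpt in the post,
# with an invented, unsigned Assertion so the checks below have something to test.
SAMPLE_RESPONSE_XML = f"""<samlp:Response ID="_6840aed7-0000-0000-0000-e59c9d7abdf0" Version="2.0"
  IssueInstant="2018-09-21T00:47:50.986Z" Destination="{ACS_URL}" xmlns:samlp="{SAMLP}">
  <Issuer xmlns="{SAML}">{TENANT_ISSUER}</Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <Assertion xmlns="{SAML}" ID="_assertion-1" Version="2.0" IssueInstant="2018-09-21T00:47:50.986Z">
    <Issuer>{TENANT_ISSUER}</Issuer>
    <Subject><NameID>user@example.com</NameID></Subject>
    <Conditions NotBefore="2018-09-21T00:42:50.986Z" NotOnOrAfter="2018-09-21T01:47:50.986Z">
      <AudienceRestriction><Audience>{AUDIENCE}</Audience></AudienceRestriction>
    </Conditions>
  </Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2018, 9, 21, 0, 50, tzinfo=timezone.utc)  # inside the validity window


def build_acs_post_body(response_xml: str) -> str:
    """The form body the browser POSTs to the ACS (HTTP-POST binding): base64 in SAMLResponse."""
    return urlencode({"SAMLResponse": base64.b64encode(response_xml.encode()).decode()})


def parse_time(value: str) -> datetime:
    """SAML timestamps are UTC; Azure AD writes millisecond fractions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_acs_post(body: str, now: datetime, seen_assertion_ids: set) -> dict:
    """Checks an SP must make on an unsolicited (IdP-initiated) Response.

    Signature verification is left out here: in a real SP, verify the XML-DSig first,
    with an XML security library, against the certificate in the tenant's federation
    metadata, and parse untrusted XML with defusedxml rather than plain ElementTree.
    """
    form = parse_qs(body, strict_parsing=True)
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"][0], validate=True))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    # An IdP-initiated Response answers no AuthnRequest, so it carries no InResponseTo.
    flow = "SP-initiated" if root.get("InResponseTo") else "IdP-initiated"

    status = root.find("samlp:Status/samlp:StatusCode", {"samlp": SAMLP})
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    # Destination must be this SP's own ACS; a response minted for another SP fails here.
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination mismatch")
    issuer = root.findtext("saml:Issuer", namespaces={"saml": SAML})
    if issuer != TENANT_ISSUER:
        raise ValueError("unexpected Issuer (response from another tenant?)")

    assertion = root.find("saml:Assertion", {"saml": SAML})
    if assertion is None:
        raise ValueError("no Assertion")
    assertion_id = assertion.get("ID")
    # No request nonce to bind to, so replay protection is the assertion ID plus the window.
    if assertion_id in seen_assertion_ids:
        raise ValueError("assertion already consumed (replay)")
    conditions = assertion.find("saml:Conditions", {"saml": SAML})
    if not parse_time(conditions.get("NotBefore")) <= now < parse_time(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in conditions.iterfind("saml:AudienceRestriction/saml:Audience", {"saml": SAML})]
    if AUDIENCE not in audiences:
        raise ValueError("Audience mismatch")

    seen_assertion_ids.add(assertion_id)
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces={"saml": SAML})
    return {"flow": flow, "issuer": issuer, "name_id": name_id, "assertion_id": assertion_id}


def demo() -> tuple:
    """Deliver the sample once (accepted) and again (rejected as a replay)."""
    body, seen = build_acs_post_body(SAMPLE_RESPONSE_XML), set()
    first = validate_acs_post(body, SAMPLE_NOW, seen)
    try:
        validate_acs_post(body, SAMPLE_NOW, seen)
        second = None
    except ValueError as exc:
        second = str(exc)
    return first, second


if __name__ == "__main__":
    accepted, rejected = demo()
    print("first delivery:", accepted)
    print("second delivery rejected:", rejected)
```

The point of the Destination, Issuer, Audience and replay checks is that an IdP-initiated response arrives with nothing the SP can correlate it to, so everything that would normally be tied to the AuthnRequest has to be enforced from the response's own contents instead.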
In the Properties above, you’ll see a “User access URL”. You can use this as a shortcut to get to the SP without going via the access panel first.
You could, for example, put some buttons on your portal with these links behind them.