IDPInitiated sign-on with Azure AD

I’m often asked if Azure AD supports this.

There is documentation, and I quote:

“Customers with license also get these additional capabilities:

  • Self-service integration of any application that supports SAML 2.0 identity providers (SP-initiated or IdP-initiated)”.

But there’s not a lot of detail on how it works or how you invoke it.

I was sidetracked by thinking that there was a single URL that invoked this flow, à la ADFS, where the URL is:

(Aside: In ADFS this is by default).

But there are in fact many URLs, and the answer to how to invoke it is via the access panel, i.e.

So let’s create a custom SAML application:

The entityID and ACS endpoint are just dummy ones.

Add your user in “Users and groups”.

Note the information bar at the top.

Expanded:

By default, this SAML application will appear on that user’s myapps panel. The SAML application is a Service Provider (SP).

You can turn it off in the Properties.

So the myapps panel is now:

So the user clicks “SAMLMyApps”.

The user is already authenticated to Azure so they are not asked to login.

If they weren’t, they would see an Azure AD login screen at this point like:

We redirect to the SP.

Since this is a dummy entry, you get an error but note that the user is redirected to the configured ACS endpoint.

Looking at the traffic we see a POST to somesamlapp.co.nz:

POST https://somesamlapp.co.nz/acs HTTP/1.1
Host: somesamlapp.co.nz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

and the payload is a SAML Authn Response:

<samlp:Response ID="_6840aed7-...-e59c9d7abdf0"
                Version="2.0"
                IssueInstant="2018-09-21T00:47:50.986Z"
                Destination="https://somesamlapp.co.nz/acs"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/00d562...29816c79/</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>

and the status is “Success”.

And this is exactly the SAML IDPInitiated flow. The user authenticates first and is then redirected to the SP with a SAML token in the response.

It can’t be SPInitiated because the SP doesn’t exist!
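On the SP side, an unsolicited Response like the one above still has to be checked before the user is signed in. The following is an added example, not code from the post or from Azure AD: it applies the envelope checks an SP should make on an IdP-initiated samlp:Response (Destination equals the receiving ACS, Issuer is the expected tenant STS, status is Success, no InResponseTo, IssueInstant is fresh). The sample Response, the tenant ID in the Issuer and the helper names are constructed; XML signature verification is a separate step not shown here.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def check_unsolicited_response(saml_response_b64, expected_acs, expected_issuer,
                               now=None, max_skew=timedelta(minutes=5)):
    """Envelope checks for an IdP-initiated samlp:Response. Returns a list of
    problems; an empty list means all checks passed. Signature verification of
    the Response/Assertion is a separate, mandatory step not implemented here."""
    problems = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    if root.get("Version") != "2.0":
        problems.append("unexpected SAML Version %r" % root.get("Version"))
    # Destination must be the ACS URL that actually received this POST.
    if root.get("Destination") != expected_acs:
        problems.append("Destination %r != ACS %r" % (root.get("Destination"), expected_acs))
    # Issuer must be the STS of the tenant this SP trusts.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append("unexpected Issuer %r" % issuer)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    # An unsolicited response carries no InResponseTo; if one is present the SP must
    # match it against an AuthnRequest it actually sent (the SP-initiated path).
    if root.get("InResponseTo") is not None:
        problems.append("InResponseTo present: treat as SP-initiated and match the request ID")
    # Reject stale responses: IssueInstant must be within max_skew of the SP's clock.
    issued = datetime.strptime(root.get("IssueInstant"), "%Y-%m-%dT%H:%M:%S.%fZ")
    issued = issued.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if abs(now - issued) > max_skew:
        problems.append("IssueInstant %s outside %s of now" % (issued.isoformat(), max_skew))
    return problems

def encode_response(xml_text):
    """Base64-encode a Response the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()

# Constructed sample modelled on the Response in the post; the tenant ID is a placeholder.
ACS = "https://somesamlapp.co.nz/acs"
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE_XML = """<samlp:Response ID="_constructed-response-id" Version="2.0"
    IssueInstant="2018-09-21T00:47:50.986Z" Destination="%s"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">%s</Issuer>
  <samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>
</samlp:Response>""" % (ACS, EXPECTED_ISSUER, SUCCESS)
SAMPLE_NOW = datetime(2018, 9, 21, 0, 48, tzinfo=timezone.utc)   # 10 s after IssueInstant
SAMPLE_LATER = datetime(2018, 9, 21, 2, 0, tzinfo=timezone.utc)  # over an hour later
```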

In the Properties above, you’ll see a “User Access URL”. You can use this as a shortcut to get to the SP without having to go via the access panel first.

You could, for example, put buttons on your portal with these links behind them.

All good!

The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.

Rory Braybrook

Written by

NZ Microsoft Identity dude. Azure AD/ADFS. Plus Auth0. North Shore .NET User Group Admin. Ignite - http://bit.ly/2D05Uh7 YouTube - http://bit.ly/2lzBqXQ
