In order to add your own application to the non-gallery applications, you need a Premium Azure subscription. You also need to have your AD populated.
- Sign in to the Azure Active Directory portal using your Microsoft identity platform administrator account.
- Select Azure Active Directory > Enterprise Applications > New application.
- (Optional but recommended) In the Add from the gallery search box, enter the display name of the application.
If the application appears in the search results, select it and skip the rest of this.
- Select Non-gallery application.
The Add your own application page appears.
- Enter the display name for your new application.
- Select Add.
By adding an application this way, you provide a similar experience to the one available for pre-integrated applications. First, select Single sign-on from the application’s sidebar. The next page (Select a single sign-on method) presents the options for configuring SSO:
SAML-based Single Sign-On
Select the SAML option to configure SAML-based authentication for the application. This option requires SAML 2.0. support.
The Set up Single Sign-On with SAML page appears.
Basic SAML Configuration
To set up Azure AD, go to the Basic SAML Configuration heading and select its Edit icon (a pencil). You can manually enter the values or upload a metadata file to extract the value of the fields.
The following two fields are required:
- Identifier: This value should uniquely identify the application for which Single Sign-on is being configured. You can find this value as the Issuer element in the AuthnRequest (SAML request) sent by the application. This value also appears as the Entity ID in any SAML metadata provided by the application. Check the application’s SAML documentation for details on what its Entity ID or Audience value is.
The following code shows how the Identifier or Issuer appears in the SAML request that the application sends to Azure AD:
<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="id6c1c178c166d486687be4aaf5e482730" Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer> </samlp:AuthnRequest>
- Reply URL: The reply URL is where the application expects to receive the SAML token. This URL is also referred to as the assertion consumer service (ACS) URL. Check the application’s SAML documentation for details on what its SAML token reply URL or ACS URL is.
Review or Customize the Claims Issued in the SAML Token
When a user authenticates to the application, Azure AD issues the application a SAML token with information (or claims) about the user that uniquely identifies them. By default, this information includes the user’s username, email address, first name, and last name.
To view or edit the claims sent in the SAML token to the application:
- Go to the User Attributes & Claims heading and select the Edit icon.
The User Attributes & Claims page appears.
You might need to edit the claims issued in the SAML token for two reasons:
- The application requires a different set of claim URIs or claim values.
- Your application requires the Name identifier value claim to be something other than the username (also known as the user principal name) stored in the Microsoft identity platform.
For more information, see How to: Customize claims issued in the SAML token for enterprise applications.
Review Certificate Expiration Data, Status, and Email Notification
When you create a gallery or a non-gallery application, Azure AD creates an application-specific certificate that expires three years from its creation date. You need this certificate to set up the trust between Azure AD and the application. For details on the certificate format, see the application’s SAML documentation.
From Azure AD, you can download the active certificate in Base64 or Raw format directly from the main Set up Single Sign-On with SAML page. Alternatively, you can get the active certificate by downloading the application metadata XML file or by using the App federation metadata URL.
To view, create, or download your certificates (active or inactive), go to the SAML Signing Certificate heading and select the Edit icon. The SAML Signing Certificate appears.
Verify that the certificate has:
- The desired expiration date.
You can configure the expiration date for up to three years into the future.
- Active status for the desired certificate.
If the status is Inactive, change the status to Active. To change the status, right-click the desired certificate’s row and select Make certificate active.
- The correct signing option and algorithm.
- The correct notification email address(es).
When the active certificate is near the expiration date, Azure AD sends a notification to the email address configured in this field.
For more information, see Manage certificates for federated single sign-on and Advanced certificate signing options in the SAML token.
EdgeCore AD SAML Sample