How To: Configure The Identity Hub to use Entra ID as SAML-P Account Provider
Getting the required certificates
Warning
For security reasons, The Identity Hub can be configured per tenant to reject self-signed certificates.
If that is the case for your tenant, Entra ID MUST sign the SAML assertions and response with a certificate issued by a certificate authority (not a self-signed one).
Consult the tenant administrator to find out whether self-signed certificates are allowed, because Entra ID uses a self-signed certificate by default.
Entra ID: Signing Certificate
Entra ID needs a certificate to identify itself to The Identity Hub.
Such a certificate can be acquired from certificate providers like VeriSign and GlobalSign.
The certificate is NOT a TLS/SSL certificate, but a personal authentication certificate.
The CN of the certificate has to clearly identify the server (organization).
The signature algorithm has to be SHA-256 with a 2048-bit key.
An example is: https://ssl.comodo.com/personal-authentication.php
Warning
If the tenant does not allow self-signed certificates, this certificate can NOT be self-signed.
The Identity Hub: Authentication Request Signing and Encryption Certificate
The Identity Hub needs a certificate to sign the authentication requests it sends to Entra ID and to decrypt the responses Entra ID sends back.
Such a certificate can be acquired from certificate providers like VeriSign and GlobalSign.
An example is: https://ssl.comodo.com/comodo-ssl-certificate.php
The CN of the certificate has to clearly identify The Identity Hub server.
The signature algorithm has to be SHA-256 (minimum) with a 2048-bit key.
Tip
If the tenant already specifies a signing and encryption certificate, it can be reused. See Used certificates overview.
Warning
If the tenant does not allow self-signed certificates, this certificate can NOT be self-signed.
Configuring Entra ID as a SAML-P account provider in The Identity Hub
Tip
Make sure both servers can reach the Certificate Revocation List (CRL) URLs of the certificates.
Create a new SAML-P Account Provider in The Identity Hub
For general documentation on configuring a SAML-P Account Provider, see SAML-P Account Provider.
Start with creating a SAML-P account provider:
- On the General tab, set a Name.
- On the Service Provider tab, either opt to use the signing certificate of the tenant, or select a Service Provider Certificate (the private key file) and type the certificate password in Service Provider Certificate Password. This is the private key of the certificate obtained in The Identity Hub: Authentication Request Signing and Encryption Certificate.
- On the Identity Provider tab, set the Sign On Endpoint URL to https://localhost (this information will be completed later).
- Click Save.
Once you have saved the account provider, the information that describes The Identity Hub as Service Provider is available in the metadata document.
The metadata document can be downloaded at the bottom of the General tab of the account provider detail page, or you can provide the link to it to your contact.
Basic SAML configuration items in this document are:
- EntityID: the format is uri:{Service Provider Identifier}. This value can also be found on the Advanced page as Service Provider Entity Id.
- The Assertion Consumer Service Url. This value can be found on the Service Provider tab page.
Create an enterprise application in Entra ID
An up-to-date description on how to create an Entra ID Enterprise application with SAML-P sign-on can be found here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso
- Sign in to the Azure portal and go to Entra ID.
- Go to Enterprise applications, choose Create your own application and select the option Integrate any other application you don't find in the gallery.
- Give the application a meaningful name identifying the service provider, e.g. The Identity Hub at organisation.
- Click Create.
Complete the steps to configure SAML as SSO in Entra ID
- Once the application is created go to Single sign-on.
- Click on the SAML tile and complete the steps as outlined:
- Basic SAML configuration:
- Use the option Upload metadata file or supply the required properties based on the metadata.
- User Attributes & Claims:
- Keep the default configuration for user claims and, from the Edit page, select Add a group claim. Make sure to configure that (Security) Groups are emitted as role claims (see the check-box in the section Advanced options).
When Groups related to the Application is used, the group filtering is already done at Entra ID. However, this requires more maintenance when additional roles need to be passed to The Identity Hub.
- SAML Certificates:
- As Signing option, configure Sign SAML response and assertion (this is the default on The Identity Hub side).
- If the tenant at The Identity Hub does not allow self-signed certificates, you will need to import a signing certificate here.
- After uploading a certificate, make sure to delete the default Azure (self-signed) certificate and set the new certificate to Active.
- Download the Federation Metadata XML OR copy the App Federation Metadata Url (format: https://login.microsoftonline.com/subscriptionid/federationmetadata/2007-06/federationmetadata.xml?appid=appid).
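As an added check (example code written for this guide, not part of The Identity Hub or Entra ID), the script below parses the federation metadata document obtained in the step above, reports the entityID and sign-on endpoints to copy into the account provider, and flags the case where the default self-signed certificate is still published next to the uploaded one. The metadata is a constructed sample; the tenant id and the certificate bodies are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SSO_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SSO_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Entra ID's federation metadata: the tenant id and the
# certificate bodies are placeholders, not real values.
SAMPLE_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-UPLOADED-CA-ISSUED-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-DEFAULT-SELF-SIGNED-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".strip()


def check_idp_metadata(xml_text):
    """Extract entityID, sign-on endpoints and signing certificates; list findings."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    findings = []
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]  # no 'use' attribute = signing too
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if len(certs) != 1:
        findings.append(f"{len(certs)} signing certificates published, expected exactly one: "
                        "delete the default self-signed certificate in Entra ID")
    for binding in (SSO_REDIRECT, SSO_POST):
        if binding not in sso:
            findings.append(f"no SingleSignOnService for binding {binding}")
    for binding, location in sso.items():
        if not location.startswith("https://"):
            findings.append(f"sign-on endpoint for {binding} is not HTTPS: {location}")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_certificates": certs, "findings": findings}
```

Run it against the downloaded Federation Metadata XML before uploading it to The Identity Hub; an empty findings list means a single signing certificate and HTTPS sign-on endpoints for both bindings.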
Complete the Identity Provider information for the SAML-P account provider in The Identity Hub
Once you have the Federation Metadata XML or the URL, go to the account provider previously set up in The Identity Hub.
- Go to Edit mode.
- Upload the Federation Metadata XML or set the Federation Metadata Url to the App Federation Metadata Url.
- Configure the following claim mappings:
When using Entra ID, the role claim will contain the object id of the Security groups you have associated with the application.
- Click Save.
Alternatively, configure the Identity Provider parameters manually.
For more information on the configuration parameters, see Specific configuration parameters for the SAML-P Account Provider.
Then configure the claim mappings as outlined above.
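Added example (not The Identity Hub's own code) of what the role-claim mapping amounts to: the group object ids carried in the role claim of an assertion are looked up in a mapping you maintain, and any id that is not mapped grants no role, which is the service-provider side of the filtering described for Groups related to the Application. The assertion, the group ids and the mapping are constructed; the role claim type is assumed to be Microsoft's standard role claim URI.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim type assumed for groups emitted as role claims (Microsoft's standard role claim URI);
# verify it against an assertion captured from your own tenant.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
OBJECT_ID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Hypothetical claim mapping: Entra ID security-group object id -> role in The Identity Hub.
GROUP_TO_ROLE = {
    "11111111-1111-1111-1111-111111111111": "Administrator",
    "22222222-2222-2222-2222-222222222222": "Reader",
}

# Constructed assertion fragment (signature, subject and conditions omitted); the ids are
# placeholders. The second value is an unmapped group, the third is not an object id at all.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
      <saml:AttributeValue>not-an-object-id</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
""".strip()


def roles_from_assertion(xml_text, mapping=GROUP_TO_ROLE):
    """Map role-claim values (group object ids) to roles; return (roles, ignored values)."""
    root = ET.fromstring(xml_text)
    roles, ignored = set(), []
    # The .// search works for a bare Assertion as well as a samlp:Response wrapping one.
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_CLAIM:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            gid = (value.text or "").strip().lower()
            role = mapping.get(gid) if OBJECT_ID.match(gid) else None
            if role:
                roles.add(role)
            else:
                ignored.append(gid)  # unknown group or malformed value: no role granted
    return sorted(roles), ignored
```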
Test the authentication flow
To test the authentication flow, close all browser sessions, open a new one, navigate to your tenant (https://www.theidentityhub.com/{tenant}) and sign in with the configured Entra ID Account Provider.