Setting up Azure AD as SAML enterprise connection

Problem Statement

Sometimes the user wants the flexibility of SAML when setting up a connection in Auth0.

Solution

Azure setup:

  1. Open portal.azure.com
  2. Go to Azure Active Directory > Enterprise applications > + New Application
  3. Now click + Create your own application
  4. For convenience, put AzureViaSaml under What’s the name of your app?
  5. Under What are you looking to do with your application? select Integrate any other application you don’t find in the gallery (Non-gallery) and click Create
  6. Now click Single sign-on in the left pane and under Select a single sign-on method select SAML
  7. In the 1. Basic SAML Configuration box click Edit
  8. Under Identifier (Entity ID) set up the identifier as per this example: urn:auth0:your-auth0-domain:connection-name
     • Note that the connection doesn’t exist in Auth0 at this point, so you can choose any name. In this example let’s name the connection AzureViaSaml, so the resulting identifier will be urn:auth0:myDomain:AzureViaSaml
     • Don’t include the full tenant URL in the Identifier, just the tenant name. It shouldn’t be urn:auth0:myDomain.us.auth0.com:AzureViaSaml
  9. Set the Reply URL (Assertion Consumer Service URL) to https://myDomain.region*.auth0.com/login/callback?connection=AzureViaSaml, or https://myDomain.auth0.com/login/callback?connection=AzureViaSaml if your tenant was created before 11 June 2020.
     • Region could be us, au, eu, jp. E.g.: myDomain.us.auth0.com
  10. Click Save
  11. In the 3. SAML Signing Certificate box click Download next to Certificate (Base64)
  12. In the 4. Set up AzureViaSaml box copy the Login URL. It will look like https://login.microsoftonline.com/xxx/saml2
  13. Now let’s move to the Auth0 setup

Auth0 Setup:

  1. Go to Dashboard > Authentication > Enterprise > SAML > + Create connection
  2. Set the name to AzureViaSaml
  3. Set the Sign In URL and the Sign Out URL values to the link you copied in Step 12 of the Azure setup (e.g. https://login.microsoftonline.com/xxx/saml2)
  4. Upload the X509 Signing Certificate that you downloaded from Azure in Step 11
  5. Click Create

Launch your application and try the connection. You can also go to Dashboard > Authentication > Enterprise > SAML, click the three dots next to the connection you just created and select Try.
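As an added check that is not part of the original post, the Python below derives the Identifier (Entity ID) and Reply URL from the Auth0 tenant name, connection name and region label, and flags the mistakes the steps above warn about (full tenant URL in the identifier, unknown region label, connection name in the callback not matching the identifier). The function names are my own and the values used are the post's examples.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Region labels the post lists for tenants created after 11 June 2020.
KNOWN_REGIONS = ("us", "au", "eu", "jp")
ENTITY_ID_RE = re.compile(r"urn:auth0:([^:]+):([^:]+)")
HOST_RE = re.compile(r"([^.]+)(?:\.([a-z]{2}))?\.auth0\.com")


def build_saml_settings(tenant: str, connection: str, region: Optional[str] = None) -> dict:
    """Derive the Azure-side Identifier (Entity ID) and Reply URL from the Auth0
    tenant name, the connection name and the optional region label."""
    if region is not None and region not in KNOWN_REGIONS:
        raise ValueError(f"unknown Auth0 region label: {region!r}")
    host = f"{tenant}.{region}.auth0.com" if region else f"{tenant}.auth0.com"
    return {
        "entity_id": f"urn:auth0:{tenant}:{connection}",
        "reply_url": f"https://{host}/login/callback?connection={connection}",
    }


def check_saml_settings(entity_id: str, reply_url: str) -> List[str]:
    """Return the mistakes the post warns about; an empty list means the pair is consistent."""
    problems = []
    m = ENTITY_ID_RE.fullmatch(entity_id)
    if not m:
        return ["identifier must have the form urn:auth0:<tenant>:<connection>"]
    tenant, connection = m.groups()
    if "." in tenant:  # e.g. urn:auth0:myDomain.us.auth0.com:AzureViaSaml
        problems.append("identifier must use the bare tenant name, not the tenant URL")
    u = urlparse(reply_url)
    if u.scheme != "https":
        problems.append("reply URL must use https")
    host = HOST_RE.fullmatch(u.hostname or "")  # urlparse lower-cases the hostname
    if not host:
        problems.append("reply URL host must be <tenant>.auth0.com or <tenant>.<region>.auth0.com")
    else:
        host_tenant, host_region = host.groups()
        if host_tenant != tenant.lower():
            problems.append("reply URL tenant does not match the tenant in the identifier")
        if host_region and host_region not in KNOWN_REGIONS:
            problems.append(f"unknown region label {host_region!r} in reply URL")
    if u.path != "/login/callback":
        problems.append("reply URL path must be /login/callback")
    if parse_qs(u.query).get("connection") != [connection]:
        problems.append("connection query parameter must equal the connection name in the identifier")
    return problems
```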

Great write up! For anyone looking for Azure AD SAML mappings and how to set them up after getting the connections created, see this post: https://community.auth0.com/t/mapping-custom-attributes-from-a-custom-azure-ad-saml-connection-to-auth0/116744