Configure SAML single sign-on in Azure by editing the basic SAML configuration for your Enterprise Application — set the Identifier, Reply URL, and Sign-on URL, then add four claim rules for NameID, emailaddress, givenname, and surname.
💡Quick answers
- What URLs do I need to configure in Azure? Identifier: `https://{{YourDomain}}`, Reply URL: `https://{{YourDomain}}/site/handlers/samlhandler.ashx/ProcessRequest`, Sign-on URL: `https://{{YourDomain}}/site/SAMLLogin.aspx?IgnoreRedirect=true`.
- What four claim rules must I add? NameID, emailaddress, givenname, and surname — all must be present and non-blank for SAML to automatically create users.
- How should NameID be set up? Use the ExtractMailPrefix() transformation on user.userprincipalname to extract the username from the left side of the email address (before @).
- Where do I add claim rules in Azure? Enterprise application > Set up Single Sign-On with SAML > Attributes & Claims > edit, then add each rule.
Sign in to Azure, then navigate to the Enterprise application. Select single sign-on, then edit the basic SAML configuration.
- Navigate to Identifier
- Select Add Identifier.
- Enter “https://{{YourDomain}}”
- Select the default checkbox to set this as the default URL.
- Navigate to Reply URL
- Select Add Reply URL.
- Enter “https://{{YourDomain}}/site/handlers/samlhandler.ashx/ProcessRequest”
- Select the default checkbox to set this as the default URL.
- Navigate to Sign on URL
- Delete the sign-on URL text, and enter “https:///{{YourDomain}}/site/SAMLLogin.aspx?IgnoreRedirect=true”
- Select Save.
Add Claim Rules
- Navigate to Enterprise application -> Set up Single Sign-On with SAML
- Click edit on the second item “Attribute & claims”
- You will create four claim rules: NameID, emailaddress, givenname, surname
-
NameID is the username that appears in the system. The following steps will apply a username that reflects the left half of the email address before the “@”. If this is not your desired format, select a field that meets your organization needs.
- Namespace : http://schemas.xmlsoap.org/ws/2005/05/identity/claims
- Name identifier format : select the name identifier format as Email address
- In Source, select transformation.
- Select Edit transformation. -> manage transformation
- Select the transformation as ExtractMailPrefix()
- Select the attribute name as user.userprincipalname
- Click the Add button
- Add each of the other aforementioned claims (see image below). Most will not use transformations. All claims must exist and be nonblank for authentication to automatically create users.
The following screenshots may or may not exactly match what's available to you in your Azure configuration--they are examples of what you may encounter.