Azure AD SAML Integration

This guide explains how to configure Azure Active Directory (Azure AD) as a SAML Service Provider (SP) to use Signia as an Identity Provider (IdP).

Overview

After completing this integration:

  • Azure AD users will authenticate using Signia credentials
  • Users can log in with WebAuthn/Passkeys (Face ID, Touch ID, security keys)
  • Azure AD trusts Signia's SAML assertions for user authentication
  • Users can access Microsoft 365, Azure resources, and third-party apps

Prerequisites

  • Admin access to Azure AD (Global Administrator or Application Administrator)
  • Admin access to Signia ID dashboard
  • SAML enabled for your Signia tenant
  • Azure AD Premium subscription (P1 or P2) for SSO

If SAML is not enabled yet, see Enable SAML 2.0 Identity Provider.


Part 1: Configure Signia IdP

Step 1: Download Signia Metadata

  1. Log in to Signia ID dashboard (https://signiaid.com)
  2. Select your tenant from the dropdown
  3. Navigate to SAML in the left sidebar
  4. In the Identity Provider Information section:
    • Click Download Metadata button
    • Save as signia-metadata.xml

Alternative: Download directly from metadata URL:

curl https://<your-tenant>.signiaauth.com/saml/metadata -o signia-metadata.xml

Part 2: Register Enterprise Application in Azure AD

Step 1: Create Enterprise Application

  1. Log in to Azure Portal (https://portal.azure.com)
  2. Navigate to Azure Active Directory
  3. Click Enterprise applications (left sidebar)
  4. Click + New application
  5. Click + Create your own application

Step 2: Configure Application

What's the name of your app?: Enter name

  • Example: "Signia SSO"

What are you looking to do with your application?:

  • Select: "Integrate any other application you don't find in the gallery (Non-gallery)"

Click Create

Azure will create the application (takes a few seconds).


Part 3: Configure SAML-based Sign-on

Step 1: Set Up Single Sign-On

  1. In your Enterprise Application
  2. Click Single sign-on (left sidebar)
  3. Select SAML

Step 2: Basic SAML Configuration

Click Edit in the "Basic SAML Configuration" section.

Identifier (Entity ID):

https://<your-tenant-name>.onmicrosoft.com/signia-sso
  • Replace <your-tenant-name> with your Azure AD tenant name
  • Example: https://contoso.onmicrosoft.com/signia-sso

Reply URL (Assertion Consumer Service URL):

https://login.microsoftonline.com/login/signon
  • This is Azure AD's standard ACS URL

Note: Some Azure AD configurations use:

https://login.microsoftonline.com/<tenant-id>/saml2

Check Azure AD documentation for your specific setup.

Sign on URL (optional): Leave blank

Relay State (optional): Leave blank

Logout URL (optional): Leave blank

Click Save

Step 3: User Attributes & Claims

Click Edit in the "User Attributes & Claims" section.

Azure AD automatically includes:

  • Unique User Identifier (Name ID): user.userprincipalname

Add additional claims (optional):

Claim name      Source attribute
emailaddress    user.mail
givenname       user.givenname
surname         user.surname
displayname     user.displayname

Click Save

Step 4: SAML Certificates

In the "SAML Certificates" section:

Download:

  • Certificate (Base64) - You'll upload this to Signia
  • Federation Metadata XML - Contains Azure AD's Entity ID and ACS URL

Save both files.

Note the App Federation Metadata Url - You can use this instead of manual configuration.

Step 5: Note Azure AD Configuration

From the "Set up Signia SSO" section, note these values:

Login URL:

https://login.microsoftonline.com/<tenant-id>/saml2

Azure AD Identifier (Entity ID):

https://sts.windows.net/<tenant-id>/

Logout URL (optional):

https://login.microsoftonline.com/<tenant-id>/saml2/logout

Part 4: Configure Signia Service Provider

Step 1: Add Service Provider in Signia

  1. Log in to Signia ID dashboard
  2. Navigate to SAML → Service Providers
  3. Click Add Service Provider

Step 2: Enter Azure AD Details

Name: Azure AD Production (or your preferred name)

Entity ID: Use the identifier you set in Azure AD

https://<your-tenant-name>.onmicrosoft.com/signia-sso

ACS URL: Azure AD's ACS endpoint

https://login.microsoftonline.com/login/signon

Or if using tenant-specific URL:

https://login.microsoftonline.com/<tenant-id>/saml2

NameID Format: Email Address

Enabled: ✓ (checked)

Step 3: Save Service Provider

Click Create Service Provider

The Service Provider will appear in the list.


Part 5: Upload Signia Configuration to Azure AD

Option 1: Upload Metadata File

  1. In Azure Portal → Enterprise Application
  2. Click Single sign-on
  3. In "Basic SAML Configuration" section, click Upload metadata file
  4. Select signia-metadata.xml (downloaded in Part 1)
  5. Click Add

Azure will auto-populate:

  • Identifier (Entity ID)
  • Reply URL
  • Sign on URL

Then:

  1. Verify values are correct
  2. Click Save

Option 2: Manual Configuration

If metadata upload doesn't work:

  1. In "Basic SAML Configuration" section, click Edit
  2. Leave existing Identifier (Entity ID) and Reply URL as configured
  3. Under "Set up Signia SSO" section:
    • Login URL: Leave blank (Azure AD initiates SSO)
  4. Click Save

Part 6: Configure Azure AD to Trust Signia

Step 1: Upload Signia Certificate

  1. In Azure Portal → Enterprise Application → Single sign-on
  2. Scroll to "SAML Certificates" section
  3. Click Edit
  4. Under "Verification certificates (optional)":
    • Click Add a certificate
    • Upload Signia certificate (extract from metadata XML)
  5. Click Save

Extract Certificate from Metadata (if needed):

xmllint --xpath "//*[local-name()='X509Certificate']/text()" signia-metadata.xml > cert.txt

Step 2: Configure Trust

Azure AD will now trust SAML assertions signed by Signia's certificate.


Part 7: Assign Users and Groups

Step 1: Navigate to Users and Groups

  1. In your Enterprise Application
  2. Click Users and groups (left sidebar)

Step 2: Assign Users

Assign individual users:

  1. Click + Add user/group
  2. Under Users:
    • Click None Selected
    • Search for users
    • Select users
    • Click Select
  3. Click Assign

Assign groups:

  1. Click + Add user/group
  2. Under Groups:
    • Click None Selected
    • Search for groups (e.g., "All Users", "Engineering")
    • Select groups
    • Click Select
  3. Click Assign

Part 8: Test SSO

Step 1: Test from Azure AD Portal

  1. In Azure Portal → Enterprise Application
  2. Click Single sign-on
  3. Scroll to bottom
  4. Click Test this application

Step 2: Select Test Mode

Sign in as current user: Tests with your admin account

Sign in as another user: Enter a test user's credentials

Click Test sign in

Step 3: Verify Redirect

You should be redirected to:

https://<your-tenant>.signiaauth.com/saml/sso?SAMLRequest=...

Step 4: Authenticate with Signia

  1. Signia displays authentication UI
  2. Authenticate with:
    • WebAuthn/Passkey (Face ID, Touch ID, security key)
    • Or email/password (if enabled)

Step 5: Verify Success

After authentication:

  • Azure AD test page shows Success
  • User profile displayed
  • Claims shown (email, name, etc.)

Step 6: Test from My Apps Portal

  1. Navigate to https://myapps.microsoft.com
  2. Log in with test user
  3. Click on Signia SSO app tile
  4. Should redirect to Signia → authenticate → return to Azure AD

Troubleshooting

"AADSTS750054: SAMLRequest or SAMLResponse must be present"

Cause: IdP-initiated SSO not supported (Signia only supports SP-initiated)

Solution: Always initiate SSO from Azure AD (My Apps portal or enterprise app)

"AADSTS50011: Reply URL mismatch"

Cause: ACS URL in Signia doesn't match Azure AD's Reply URL

Solution:

  1. Check Reply URL in Azure AD (Basic SAML Configuration)
  2. Check ACS URL in Signia Service Provider configuration
  3. Ensure exact match (case-sensitive)

"AADSTS50105: User not assigned to application"

Cause: User not assigned to the Enterprise Application

Solution:

  1. Navigate to Users and groups
  2. Click + Add user/group
  3. Assign the user

"Invalid SAML Response"

Cause: Certificate mismatch or signature verification failure

Solution:

  1. Re-upload Signia metadata to Azure AD
  2. Verify certificate fingerprint matches dashboard
  3. Check Azure AD "SAML Certificates" section
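The certificate extraction in Part 6 and the fingerprint check above both start from the same metadata file, so one parser covers both. The following is an added example, not Signia's or Microsoft's code: it reads an IdP metadata document with the standard library, exports the signing certificate in the PEM form Azure AD accepts as a .cer upload, and computes a fingerprint to compare against the value shown in the Signia dashboard (or the thumbprint listed under Azure AD's "SAML Certificates"). The embedded metadata is a constructed sample: the entity ID is a placeholder, and the certificate body is the base64 of the bytes "abc" rather than a real DER certificate, so the fingerprint is reproducible offline.

```python
"""Parse Signia IdP metadata, export the signing certificate as PEM and
compute its fingerprint for comparison with the dashboard value.

Added example, not Signia's or Microsoft's code. Metadata, entity ID and
certificate body below are constructed placeholders.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample in the shape returned by
# https://<your-tenant>.signiaauth.com/saml/metadata. "YWJj" is base64 of
# b"abc" and stands in for a real DER certificate.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://example-tenant.signiaauth.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YWJj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.signiaauth.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.signiaauth.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return entity ID, SSO endpoints by binding, and signing certificates (base64).

    Only metadata you downloaded yourself is parsed here; for XML from an
    untrusted source use defusedxml instead of xml.etree.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    sso = {}
    for el in root.iter(f"{{{MD_NS}}}SingleSignOnService"):
        # Binding URN ends in HTTP-Redirect / HTTP-POST
        sso[el.get("Binding", "").rsplit(":", 1)[-1]] = el.get("Location")
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without "use" covers both signing and encryption
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append("".join((c.text or "").split()))  # drop line breaks
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def fingerprint(cert_b64, algo="sha256"):
    """Colon-separated uppercase hex digest of the DER certificate bytes."""
    der = base64.b64decode(cert_b64, validate=True)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificate_matches(cert_b64, expected, algo="sha256"):
    """Compare against a dashboard value regardless of colons, spaces or case."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").lower()
    return norm(fingerprint(cert_b64, algo)) == norm(expected)


def to_pem(cert_b64):
    """Wrap the base64 body in PEM armor (64-character lines) for a .cer upload."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Entity ID:", info["entity_id"])
    for binding, url in info["sso"].items():
        print(f"SSO ({binding}): {url}")
    for cert in info["signing_certs"]:
        print("SHA-256:", fingerprint(cert))
        print("SHA-1:  ", fingerprint(cert, "sha1"))
        print(to_pem(cert), end="")
```

Replace SAMPLE_METADATA with the contents of signia-metadata.xml and write the output of to_pem to a .cer file for the "Verification certificates" upload. Azure AD displays thumbprints as SHA-1, so compare that digest on the Azure side and whichever algorithm the Signia dashboard shows on the IdP side.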

Clock Skew Issues

Symptom: "Assertion expired" errors

Solution:

# Clock of the machine you are testing from, in UTC
# (Azure AD's own clock is maintained by Microsoft; this checks your side)
date -u

# Time reported by Signia in its HTTP Date header
curl -sI https://<tenant>.signiaauth.com | grep -i '^date:'

# Difference should be < 5 minutes
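The same comparison, carried through to the assertion's own validity window, as an added example that is not part of the original guide. It measures the skew between the local clock and a server's HTTP Date header and checks a SAML Conditions NotBefore/NotOnOrAfter pair with a tolerance. The 5-minute tolerance is the figure mentioned above, treated here as an assumption about what the relying party accepts; all timestamps are constructed.

```python
"""Clock-skew diagnosis for "Assertion expired" errors.

Added example, not Signia's or Microsoft's code. Timestamps are constructed
and the 300-second tolerance is assumed from the guidance above.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ALLOWED_SKEW_SECONDS = 300  # assumed tolerance (< 5 minutes)


def parse_saml_time(value):
    """Parse an xsd:dateTime from <saml:Conditions>, e.g. 2024-05-01T12:00:00Z."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("SAML timestamps must carry a timezone")
    return dt.astimezone(timezone.utc)


def assertion_in_window(not_before, not_on_or_after, now, skew_seconds=ALLOWED_SKEW_SECONDS):
    """True if `now` lies inside [NotBefore - skew, NotOnOrAfter + skew).

    NotOnOrAfter is exclusive per the SAML spec, hence the strict '<'.
    """
    start = parse_saml_time(not_before).timestamp() - skew_seconds
    end = parse_saml_time(not_on_or_after).timestamp() + skew_seconds
    return start <= now.timestamp() < end


def clock_skew_seconds(local_now, date_header):
    """Seconds the remote Date header is ahead of (positive) or behind our clock."""
    remote = parsedate_to_datetime(date_header)
    if remote.tzinfo is None:  # header with "-0000": treat as UTC
        remote = remote.replace(tzinfo=timezone.utc)
    return (remote - local_now).total_seconds()


def diagnose(local_now, date_header, not_before, not_on_or_after):
    """Point at the clock or at the assertion window, whichever is off."""
    skew = clock_skew_seconds(local_now, date_header)
    if abs(skew) >= ALLOWED_SKEW_SECONDS:
        return f"clock skew of {skew:.0f}s exceeds tolerance; fix NTP on this host"
    if not assertion_in_window(not_before, not_on_or_after, local_now):
        return "assertion outside its validity window; check IdP and SP clocks"
    return "ok"


if __name__ == "__main__":
    # Constructed values: compare against `date -u` and the curl Date header
    local = datetime.now(timezone.utc)
    print(diagnose(local, local.strftime("%a, %d %b %Y %H:%M:%S GMT"),
                   "2024-05-01T12:00:00Z", "2024-05-01T12:05:00Z"))
```

Feed clock_skew_seconds the header line from the curl command above (without the "date:" prefix) and the NotBefore/NotOnOrAfter attributes from the assertion's Conditions element; a skew near the tolerance with an otherwise valid window points at NTP rather than at the SAML configuration.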

Advanced Configuration

Conditional Access Policies

Add additional security requirements for SSO access.

  1. Navigate to Azure AD → Security → Conditional Access
  2. Click + New policy
  3. Configure:
    • Users: Select groups or all users
    • Cloud apps: Select "Signia SSO"
    • Conditions: Device platform, location, etc.
    • Grant: Require MFA, compliant device, etc.
  4. Enable policy

Automatic User Provisioning

Sync Azure AD users to Signia (requires SCIM support - future feature).

  1. Navigate to Provisioning (left sidebar)
  2. Click Get started
  3. Set Provisioning Mode: Automatic
  4. Enter Signia SCIM endpoint (future feature)
  5. Configure attribute mappings
  6. Click Save

Custom Claims Mapping

Map Azure AD attributes to SAML claims.

  1. Navigate to Single sign-on → User Attributes & Claims
  2. Click + Add new claim
  3. Configure:
    • Name: department
    • Source attribute: user.department
  4. Click Save

Signia will receive this attribute in SAML assertions.


Security Recommendations

Enable Azure AD MFA

Add multi-factor authentication for additional security.

  1. Navigate to Azure AD → Security → MFA
  2. Configure MFA settings
  3. Require MFA for specific users or groups

Monitor Sign-in Logs

Track authentication events for security and compliance.

  1. Navigate to Azure AD → Monitoring → Sign-in logs
  2. Filter by:
    • Application: "Signia SSO"
    • Status: Success/Failure
  3. Export logs for analysis
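Once the logs are exported, the interesting questions are which failures recur and which of the troubleshooting cases above they map to. The following is an added example, not Microsoft's or Signia's code: it reads an export as JSON lines, keeps only the "Signia SSO" application, and tallies outcomes, error codes and users with repeated failures. The records are constructed and follow the field names of the Azure AD sign-in log export (userPrincipalName, appDisplayName, status.errorCode); the error codes are the ones listed under Troubleshooting above.

```python
"""Triage an exported Azure AD sign-in log for the Signia SSO application.

Added example, not Microsoft's or Signia's code. Records are constructed;
field names follow the sign-in log export.
"""
import json
from collections import Counter

# Error codes from the Troubleshooting section and the fix each one points to
KNOWN_ERRORS = {
    50011: "Reply URL mismatch: compare the Azure AD Reply URL with the Signia ACS URL",
    50105: "User not assigned: add the user under Users and groups",
    750054: "IdP-initiated SSO attempted: start the flow from Azure AD / My Apps",
}

# Constructed sample export (one JSON object per line)
SAMPLE_LOG = """\
{"createdDateTime": "2024-05-01T08:00:12Z", "userPrincipalName": "alice@contoso.onmicrosoft.com", "appDisplayName": "Signia SSO", "ipAddress": "203.0.113.10", "status": {"errorCode": 0, "failureReason": null}}
{"createdDateTime": "2024-05-01T08:01:40Z", "userPrincipalName": "bob@contoso.onmicrosoft.com", "appDisplayName": "Signia SSO", "ipAddress": "203.0.113.11", "status": {"errorCode": 50105, "failureReason": "The signed in user is not assigned to a role for the application."}}
{"createdDateTime": "2024-05-01T08:02:05Z", "userPrincipalName": "bob@contoso.onmicrosoft.com", "appDisplayName": "Signia SSO", "ipAddress": "203.0.113.11", "status": {"errorCode": 50105, "failureReason": "The signed in user is not assigned to a role for the application."}}
{"createdDateTime": "2024-05-01T08:03:30Z", "userPrincipalName": "carol@contoso.onmicrosoft.com", "appDisplayName": "Signia SSO", "ipAddress": "198.51.100.7", "status": {"errorCode": 50011, "failureReason": "The reply URL specified in the request does not match the reply URLs configured for the application."}}
{"createdDateTime": "2024-05-01T08:04:00Z", "userPrincipalName": "dave@contoso.onmicrosoft.com", "appDisplayName": "Office 365", "ipAddress": "203.0.113.12", "status": {"errorCode": 0, "failureReason": null}}
{"createdDateTime": "2024-05-01T08:05:15Z", "userPrincipalName": "alice@contoso.onmicrosoft.com", "appDisplayName": "Signia SSO", "ipAddress": "203.0.113.10", "status": {"errorCode": 0, "failureReason": null}}
"""


def parse_signin_export(text):
    """Parse a JSON-lines export into a list of records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records, app_name="Signia SSO", failure_threshold=2):
    """Summarise outcomes for one application.

    Returns outcome counts, a count per error code, users whose failures reach
    `failure_threshold`, and a hint per error code drawn from KNOWN_ERRORS.
    """
    outcome = Counter()
    failures_by_user = Counter()
    errors = Counter()
    for r in records:
        if r.get("appDisplayName") != app_name:
            continue
        code = r.get("status", {}).get("errorCode", 0)
        if code == 0:  # errorCode 0 is a successful sign-in
            outcome["success"] += 1
        else:
            outcome["failure"] += 1
            failures_by_user[r.get("userPrincipalName", "<unknown>")] += 1
            errors[code] += 1
    repeated = sorted(u for u, n in failures_by_user.items() if n >= failure_threshold)
    hints = {code: KNOWN_ERRORS.get(code, f"not covered above; look up AADSTS{code}")
             for code in errors}
    return {"outcome": dict(outcome), "errors": dict(errors),
            "repeated_failures": repeated, "hints": hints}


if __name__ == "__main__":
    summary = triage(parse_signin_export(SAMPLE_LOG))
    print(json.dumps(summary, indent=2))
```

Point parse_signin_export at the downloaded export and raise failure_threshold to suit the volume; a burst of 50105 from one account usually means a missed group assignment, while 50011 across many accounts points at the Reply URL rather than at the users.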

Certificate Rotation

When Signia certificate expires:

  1. Download new metadata from Signia
  2. Upload to Azure AD (Single sign-on → Upload metadata file)
  3. Verify new certificate
  4. Test SSO flow

Restrict Access by IP

Limit SSO access to specific IP ranges.

  1. Navigate to Conditional Access → Named locations
  2. Define trusted IP ranges
  3. Create policy requiring access from trusted locations

Integration with Microsoft 365

After configuring Azure AD SSO with Signia, users can access:

  • Outlook Web App
  • SharePoint Online
  • Microsoft Teams
  • OneDrive for Business
  • Other Microsoft 365 apps

Users will authenticate once with Signia and access all Microsoft 365 services.

