Azure AD as IDP – Cloud SAML

Part 2: Setup miniOrange with Azure AD

Step 1. Setup Azure AD as IDP

• Go to miniOrange Admin Console.
• From the left navigation bar select Identity Provider
• Click on Add Identity Provider button.

• Select SAML tab.

You can get the metadata details of miniOrange app either by clicking on the link shown by "Click here" in the yellow block, Or you can also get the details after creating the app. Keep these details handy as we will need these in configuring Azure AD.
• Click on Show Metadata details under For SP - INITIATED SSO. You can either manually enter details or use Metadata URL or File

• Now to add SAML app for Azure AD, go to Add Identity Provider page and click on Import IDP Metadata. Import the metadata file that you will get from Azure AD. Refer this step.

• If you don't have a metadata file, you can also provide the details manually. You need to configure following endpoints:

IDP Entity ID	Entity ID of IDP
Single Login URL	Login Url from IDP
Single Logout URL	Logout Url from IDP
X.509 Certificate	The public key certificate of your IDP.

• Few other optional features that can be added to the Identity Provider(IDP) are listed in the table below:

Domain Mapping	Can be used to redirect specific domain user to specific IDP
Show IdP to Users	Enable this if you want to show this IDP to all users during Login
Send Configured Attributes	Enabling this would allow you to add attributes to be sent from IDP

• Click on Save.

Step 2. Configuring miniOrange as SP in Azure AD

• Log in to Azure AD Portal
• Select Azure Active Directory ⇒ Enterprise Applications.

• Click on New Application.


• Click on Non-gallery application section and enter the name for your app and click on Add button.

• Click on Single sign-on from the application's left-hand navigation menu. The next screen presents the options for configuring single sign-on. Click on SAML.

• Click on the edit icon to edit SAML Configuration Details

• For Basic SAML configuration you need to get the Entity ID, ACS URL, and the Single Logout URL from miniOrange. Refer this step.
• Enter the values in basic SAML configuration as shown in below screen

Identifier (Entity ID)	Entity ID or Issuer
Reply URL (Assertion Consumer Service URL)	ACS URL
Sign on URL (optional required during IDP-initiated SSO)	SSO Login URL
Logout URL	Single Logout URL



• By default, the following Attributes will be sent in the SAML token. You can view or edit the claims sent in the SAML token to the application under the Attributes tab.


• Download Federation Metadata xml, and copy the Logout URL as well. This will be used while configuring the Azure AD as IDP.


• Assign users and groups to your SAML application.
• As a security control, Azure AD will not issue a token allowing a user to sign in to the application unless Azure AD has granted access to the user. Users may be granted access directly, or through group membership.
• Click on Users and groups from the applications left-hand navigation menu. The next screen presents the options for assigning the users/groups to the application.

• After clicking on Add user, Select Users and groups in the Add Assignment screen.
• The next screen presents the option for selecting user or invite an external user. Select the appropriate user and click on the Select button.

• Here, you can also assign a role to this user under Select Role section. Finally, click on Assign button to assign that user or group to the SAML application.

Step 3. Test Connection between miniOrange and Azure AD

• Go to Identity Providers tab. Then click on select button under the app you just created. Then click on Test Connection.
• A new popup login window will open. Enter your credentials and login.

• Now you will see TEST SUCCESSFULL in a new popup window. If not, then check if you have missed any of the above step.