Microsoft Azure: Setting up SSO via SAML
This article describes how to set up SSO via SAML with Microsoft Azure Active Directory as the identity provider.
How to configure SAML SSO via Azure
Go to the Azure portal.
Open "Azure Active Directory" section.
Go to "Enterprise applications" section.
Click "+ New Application".
Select "Non-gallery application" (in newer versions of the portal this option is reached via "Create your own application").
Name the new app and save it.
Within the settings of the new app, go to the "Single sign-on" section and select "SAML". In the "Basic SAML Configuration" section set the following values:
Identifier (Entity ID) = [customer].[realm].celonis.cloud → e.g. customer1.eu-1.celonis.cloud
Reply URL (Assertion Consumer Service URL) = https://[customer].[realm].celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client → e.g. https://customer1.eu-1.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client
Note
The Reply URL must use HTTPS: the browser POSTs the signed SAML response to this URL, and a plain-HTTP URL would send the assertion in the clear. Both values must match your Celonis team URL exactly, including the realm; the Identifier becomes the audience the assertion is restricted to, so a mismatch causes the login to be rejected.
In the "User Attributes & Claims" section a new claim named "email" must be exposed (see the section below).
By default, when you add a new claim in Azure AD, the namespace is set to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims". Delete this setting and leave the namespace empty; otherwise Azure AD sends the attribute as "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" instead of "email" and it is not recognised.
In the "SAML Signing Certificate" section, the final metadata XML can be downloaded via the "Federation Metadata XML" link.
Upload this file in the team settings; this completes the configuration. The metadata contains the certificate Azure AD uses to sign assertions, so whenever that certificate is rotated or expires (the expiry date is shown in the same section), download the metadata again and re-upload it, or logins will fail signature validation.
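Before uploading the Federation Metadata XML it is worth checking what it actually contains, since the Celonis side will trust exactly that entity ID, those endpoints and that signing certificate. The following script is an added example and is not part of this article or of the Celonis product: it parses the metadata, reports the entityID and single sign-on endpoints, checks that a signing certificate is present and decodes the certificate's notAfter date with a small DER walker so no third-party library is needed. The metadata, the tenant ID and the certificate used as input are constructed for the example and are not real Azure AD output.

```python
"""Sanity-check an Azure AD "Federation Metadata XML" file before uploading it.
Added example (not Celonis/Microsoft code): extracts the IdP entityID, SSO endpoints and signing
certificate from the metadata and decodes the certificate's notAfter with a tiny DER walker (no
third-party library). The metadata and certificate below are constructed, not real Azure output.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
UTC = dt.timezone.utc

def _der_tlv(data, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos (definite lengths only)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Read notAfter from an X.509 DER certificate using the fixed TBSCertificate layout."""
    _, tbs_start, _ = _der_tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _ = _der_tlv(der, tbs_start)        # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                        # optional [0] EXPLICIT version
        _, _, pos = _der_tlv(der, pos)
    for _ in range(3):                          # serialNumber, signature, issuer
        _, _, pos = _der_tlv(der, pos)
    _, vpos, _ = _der_tlv(der, pos)             # validity SEQUENCE
    _, _, nb_end = _der_tlv(der, vpos)          # notBefore
    tag, s, e = _der_tlv(der, nb_end)           # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=UTC)

def check_federation_metadata(xml_text, now=None):
    """Summarise the IdP metadata; raises ValueError when something essential is missing."""
    now = now or dt.datetime.now(UTC)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    # Azure marks its key use="signing"; a KeyDescriptor without 'use' is valid for signing too.
    certs = [c.text.strip()
             for k in idp.findall(f"{{{MD}}}KeyDescriptor") if k.get("use") in (None, "signing")
             for c in k.iter(f"{{{DS}}}X509Certificate") if c.text]
    if not certs:
        raise ValueError("no signing certificate: assertion signatures could not be verified")
    not_after = min(cert_not_after(base64.b64decode(c)) for c in certs)
    return {
        "entity_id": root.get("entityID"),
        "redirect_sso": sso.get(REDIRECT),
        "post_sso": sso.get(POST),
        "signing_certs": len(certs),
        "cert_not_after": not_after,
        "cert_days_left": (not_after - now).days,
        "https_endpoints": bool(sso) and all(u.startswith("https://") for u in sso.values()),
    }

# --- constructed fixture: a minimal DER encoder and an unsigned dummy certificate (not a real cert) ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _utctime(d):
    return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def fake_certificate(not_after):
    """Syntactically valid X.509 skeleton (no key, no real signature) for testing only."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                   # version v3
        _der(0x02, b"\x01"),                                               # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        _der(0x30, b""),                                                   # issuer (empty Name)
        _der(0x30, _utctime(dt.datetime(2023, 1, 1)) + _utctime(not_after)),
        _der(0x30, b""),                                                   # subject
        _der(0x30, b""),                                                   # subjectPublicKeyInfo (dummy)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

SAMPLE_NOT_AFTER = dt.datetime(2026, 6, 30, 12, 0, 0, tzinfo=UTC)
TENANT = "00000000-0000-0000-0000-000000000000"   # made-up tenant ID
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>{base64.b64encode(fake_certificate(SAMPLE_NOT_AFTER)).decode()}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

To use it on a real download, replace SAMPLE_METADATA with the file contents (for example `check_federation_metadata(open("metadata.xml").read())`); `cert_days_left` is the number to put a reminder on, because Celonis will reject assertions signed with a certificate that is no longer in the uploaded metadata.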
How to expose user attributes in the SAML response
Open Azure Active Directory.
Open Enterprise Applications.
Open SSO application.
Select Single Sign-On.
Scroll to User Attributes & Claims and press Edit.
Select Add new claim.
In the new dialog set Name = "email" and Source attribute = "user.mail", then press Save.
For SAML JIT provisioning, do the same for the user's first name and last name, and for their group memberships. You can choose the attribute names yourself, as long as you use the same names on the Celonis side.
The Azure documentation on how to reveal group memberships is quite extensive: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
Warning
Write the attribute name in lower case; a capitalised name (for example "Email") will not be recognised.
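When a JIT login fails, the quickest way to find out what Azure AD actually sent is to capture the SAMLResponse form field in the browser and look at the assertion's attributes. The following checker is an added example, not code from this article or from Celonis: it decodes the response, lists the attributes and flags the two mistakes described above, a claim name still carrying the default Azure namespace and a name that is not all lowercase, and reports required attributes that are missing or empty. The attribute names "firstname", "lastname" and "groups" are assumptions (you choose them in Azure); the sample response is constructed and unsigned, and a real response must pass signature validation before anything in it is trusted.

```python
"""Check a SAMLResponse from Azure AD for the attributes Celonis SAML JIT needs.
Added example (not Celonis/Microsoft code). Takes the base64 SAMLResponse form field captured from
the browser, lists the assertion's attributes and flags the two mistakes this article warns about:
a claim name still carrying the default Azure namespace, and a name that is not all lowercase.
The names for first name, last name and groups are assumptions (you choose them in Azure); the
response below is constructed and unsigned, and a real one must pass signature validation first.
"""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AZURE_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"


def assertion_attributes(saml_response_b64):
    """Decode a base64 SAMLResponse and return {attribute name: [values]} in document order."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    return {a.get("Name"): [v.text or "" for v in a.findall(f"{{{SAML}}}AttributeValue")]
            for a in root.iter(f"{{{SAML}}}Attribute")}


def check_jit_attributes(attrs, required=("email", "firstname", "lastname", "groups")):
    """Return a list of problems; an empty list means the claims match what JIT expects."""
    problems = []
    for name in attrs:
        if name.startswith(AZURE_NS):
            problems.append(f"{name!r}: default Azure namespace left on the claim, "
                            f"clear it so the attribute is sent as {name[len(AZURE_NS):]!r}")
        elif name != name.lower():
            problems.append(f"{name!r}: attribute name must be lower case")
    for name in required:
        if name not in attrs:
            problems.append(f"missing attribute {name!r}")
        elif not any(attrs[name]):
            problems.append(f"attribute {name!r} is present but has no value")
    return problems


# Constructed, unsigned response with two deliberate misconfigurations: "Email" is capitalised and
# "groups" still carries the Azure namespace. Group values are object IDs, which is Azure's default.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://customer1.eu-1.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{AZURE_NS}groups">
        <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    found = assertion_attributes(SAMPLE_RESPONSE_B64)
    print("attributes:", found)
    for problem in check_jit_attributes(found):
        print("PROBLEM:", problem)
```

Run against the constructed response it reports four problems: the capitalised "Email", the namespaced "groups", and consequently the missing "email" and "groups" attributes. A response from a correctly configured Azure app produces an empty list.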