Since the launch of the Azure AD administration console in the new Azure AD portal, you need to know a couple of things to set up a Single Sign On configuration for an application which is not listed in the Azure AD gallery. This blog describes the steps to integrate non-Azure AD gallery applications.
The first step is to open the Azure AD administration console in the Azure portal and select the Enterprise applications:
Next, you click on All applications and Add a new application:
Now you have the option to add various types of applications:
Gallery application; You select one of the listed applications in the Azure AD gallery. These applications have a pre-configured setup and can be integrated with Azure AD in just a few clicks.
Application you’re developing; Select this option if you are developing your own application and want to integrate it with Azure AD.
On-premises application; This option enables you to publish and integrate applications by using the Azure AD Application Proxy.
Non-gallery application; By using this option you can integrate applications with Azure AD which are not listed in the Azure AD gallery.
We will add a non-gallery application so in this scenario you select the Non-gallery application option.
Now you fill in the name of the application:
Now you can follow the steps in the Quick Start. In the first 3 steps an overview is given of the setup and you can create the first users and assign them to the application.
In this guide we will go into detail on how to configure Single Sign On. To do this, directly select the step Configure single sign-on to start the configuration:
In the next step you have multiple options:
Azure AD single sign-on disabled; This will add the application without any kind of Single Sign On configured (default).
SAML-based Sign-on; This option provides the configuration items to setup a Single Sign On integration based on the SAML protocol specifications.
Password-based Sign-on; This enables secure application password storage (vault) and replay using a web browser extension or mobile app.
Linked Sign-on; This option allows you to add a link to an application in the Azure Active Directory Access Panel. This option does not add Single Sign On to the application, however the application may already have Single Sign On implemented using another service.
In this guide we select SAML-based Sign-on.
Now the following options become available in the configuration panel:
Identifier; This is also known as the Entity ID. This uniquely identifies the application for the Single Sign On configuration.
Reply URL; This is also known as the Assertion Consumer Service URL. This is the URL where the application expects the authentication token.
Sign On URL; This option is used when Service Provider-initiated sign-on is selected. In this case a link to the web sign-in of the application is added, which a user will access through the tile in the Azure AD access panel.
Relay State; This contains the URL to which the user is redirected after a successful login.
The Identifier and Reply URL are mandatory for the Single Sign On setup:
In the User Attributes section configure the claims you want to add to the authentication token which is offered (by the client) to the application. The User Identifier attribute is added as the Name Identifier in the subject of the SAML token.
Every authentication token is signed by Azure AD. For this, a new signing certificate is created. In this step you also have the ability to create a new certificate.
Next you select Make new certificate active and you save the configuration:
After saving the configuration you can click on Configure “Application name”. In this panel you can find the SAML details you can use in the application Single Sign On setup. For this, you copy the SAML Single Sign-On Service URL, SAML Entity ID and Sign-Out URL. Also, you can download the certificates and XML Metadata:
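As an added illustration (not code from the original post), this is how the receiving application can bind an incoming SAML Response to the values configured above: the Identifier must match the assertion's Audience, the Reply URL its Destination, and the SAML Entity ID its Issuer, while the Name Identifier becomes the user's identity. The URLs, the tenant ID and the response itself are constructed placeholders, and signature verification with the downloaded certificate is assumed to have happened before these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values copied from the Azure AD panels above; these are constructed placeholders.
CONFIG = {
    "identifier": "https://app.example.com/saml",      # Identifier (Entity ID) of the application
    "reply_url": "https://app.example.com/saml/acs",   # Reply URL (Assertion Consumer Service URL)
    "idp_entity_id": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",  # SAML Entity ID
}

# Constructed, unsigned SAML Response shaped like the one posted to the Reply URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_r1" Version="2.0" Destination="https://app.example.com/saml/acs">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, config, now_iso):
    """Return (ok, reason, name_id). Assumes the XML signature was already verified
    against the certificate downloaded from the Configure panel (out of scope here)."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != config["reply_url"]:
        return False, "Destination does not match the Reply URL", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in Response", None
    if assertion.findtext("saml:Issuer", namespaces=NS) != config["idp_entity_id"]:
        return False, "Issuer is not the expected SAML Entity ID", None
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != config["identifier"]:
        return False, "Audience does not match the Identifier", None
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)  # the User Identifier claim
    if not name_id:
        return False, "Subject has no NameID", None
    return True, "ok", name_id
```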
Now you have successfully added the Single Sign On configuration for a non-Azure AD gallery application. Next you should set up Conditional Access and Access Controls (group based). This will be covered in a different post.