Setting up Azure AD for SAML

Azure AD Configuration Steps

For more information on how to setup SAML-based single sign-on for Secret Server in Azure Active Directory, see Microsoft's Enable single sign-on for an enterprise application .
You must have SAML already setup in Secret Server with a valid certificate. See the Setting up Secret Server section in Configuring SAML Single Sign-on.

  1. Log into your portal.azure.com account.

  2. Navigate to Azure Active Directory.

  3. Navigate to Enterprise Applications.

  4. Select New Application.

  5. Select Non-gallery application.

  6. Give your new IdP application a name and click Add.

  7. Click Single sign-on.

  8. In the dropdown, select SAML-based Sign-on.

  9. If you haven't done so already, download the Secret Server metadata file named SecretServerSAMLMetadata.xml from [YourSecretServerInstance.Name]/samlmetadata:

    1. In Secret Server, navigate to Administration.
    2. Type SAML in the combination box. The Section Matches section populates with sections matching what you typed.
    3. Click the SAML Service Provider Settings link. The SAML Service Provider Settings page appears.
    4. Click the Download Service Provider Metadata (XML) button. The SecretServerSAMLMetatdata.xml file downloads to your browser's default location.
    For more information on setting SAML up in Secret Server, please see See the Setting up Secret Server section in Configuring SAML Single Sign-on

  10. Click Upload metadata file and upload the Secret Server Metadata file you previously downloaded.

  11. Click Save.

  12. Scroll down and click Metadata XML to download the metadata for this application.

  13. Go back to Azure Active Directory and click on App registrations.

  14. Select your Azure Identity Provider (IdP) application.

    If you don't see the application immediately, you might need to click View all Applications.

  15. Click Settings > Properties, then enter the Logout URL field for your instance. The form for this URL will be: https://[YourSecretServerInstanceName]/saml/SLOService.aspx.

  16. Click Save.

  17. Return to the Configuration search box and type Identity Providers.

  18. Click on the Identity Providers link that appears in the Section Matches section. The SAML Identity Providers page appears.

  19. Click the Create New Identity Provider button. The Identity Provider popup appears.

  20. Click the New Identity Provider dropdown list and select Import IDP from XML Metadata. An Import File control appears.

  21. Click the upload icon and select the XML file you downloaded earlier. If you do not see the file where it should be, ensure the file type is set to XML.

  22. Click the OK button.

Adding Users to Single Sign-On in Azure AD

For users to be authenticated by the SSO workflow you are setting up, Secret Server usernames must match Azure AD usernames. If you manually add usernames to Secret Server or Azure AD, you must inspect them carefully to ensure that they match. You can also use Secret Server Discovery to sync Secret Server usernames in bulk with Azure AD usernames.

  1. Log into your portal.azure.com account.

    Navigate to Azure Active Directory > Enterprise Applications and select your IdP from the list

  2. Select Users and groups and Add User.

  3. Click Users and groups/None Selected.

  4. Search for the user you want to add to your SAML workflow. (Note that any users added must also exist in your Secret Server instance. Usernames must match between the systems).

  5. Click Select at the bottom, then Assign.

Once a username matches in both systems, the user should be able to use the Single Sign-On workflow. To test this, log into Azure AD as the user, then browse to your Secret Server instance. The user should be logged into Secret Server automatically without being prompted again for login credentials.

If you have accounts in which the sAMAccountName differs from the UPN name, you can create custom rules to accommodate the differences. See Directory Services.

Advanced Settings

The following Secret Server Identity Provider Advanced Settings can be configured in Azure AD:

  • Require Signed SAML Response

  • Require Signed Assertion

  • Require Signed Assertion Or Signed SAML Response

Below are the steps to configure the settings in Azure Ad:

  1. Log in to portal.azure.com.

  2. Navigate to Azure Active Directory > Enterprise Applications.

  3. Select your IdP, then click Single sign-on.

  4. Scroll down and check the box for Show advanced certificate signing settings. checkbox.

  5. Click the drop-down arrows to reveal options. These advanced options correspond with advanced options in Secret Server.

  6. Click Advanced Settings next to your identity provider.

    • Require Signed SAML Response

    • Require Signed Assertion

    • Require Signed Assertion Or Signed SAML Response

If you apply advanced certificate signing settings to the Secret Server IdP application in Azure AD, return to the Identity Providers page in Secret Server and click the button next the provider and select Advanced Settings to apply the same settings.