Programmatically Configure SAML-related Single Sign-On configurations

Miguel Alex Cantu 21 Reputation points
2019-11-18T21:59:53.817+00:00

We integrate a lot of apps with SAML SSO (4-5 a week, probably more). Some need custom SAML claims configured and others need the Relay state configured.

Sometimes we configure Sign-On URLs, sometimes we don't.

Needless to say it's becoming an operational headache. We would like to provide a self-service application that could guide our teams into how they can configure their application with SAML SSO, but we are not sure if it's possible to configure the settings mentioned above programmatically.

Essentially what we want is to collect all the information from the user that is needed, run it through a validation engine which runs through few of our checks, and programmatically create the service principle with the proper configurations, SAML claims and all.

Is this something that's possible given the current state of the Graph API? If not, what does the roadmap look like to close that gap?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,665 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Vasil Michev 111.1K Reputation points MVP
    2019-11-19T08:04:08.417+00:00

    Microsoft is working along with other major players on the specifications of a new standard that should make the process much easier. It's called FastFed and the current RFC is here: https://openid.net/specs/fastfed-1_0.html

    Until that gets released and implemented though, there's not much you can do.

    0 comments No comments

  2. MrAzureAD 81 Reputation points
    2019-11-20T08:36:58.29+00:00

    Hey Miguel,

    I am absolutely on your side; we share the same pain. This is a required functionality and it should not be a problem to expose anything in the UI via API.

    This was my #1 issue for quite some time and I raised this point more than once when talking to the AAD product group. I do not want to disclose details, but I talked to responsible PM (Say hi to Debbie) and I am quite confident :-)

    There is at least one totally unsupported way of doing that. It absolutely works, but I would never recommend it to anyone. Desperate times sometimes require desperate measures.
    If you absolutely need to know, DM me on twitter (@MrAzureAD ) for more details (including again a big fat warning).

    Stay tight,
    MrAzureAD

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.