Configure SSO for Azure AD Application

Sergio Peral 1

Hello all,
I hope you're staying healthy and safe.

I'm having an issue trying to configure Azure AD SSO for an application. My Service Provider application is not able to authenticate itself because the roles claim configured in Azure AD SSO is not included in the SAML response. I'm following this guide to configure it: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management, but I'm not having success.

These are my configured claims:
https://gyazo.com/f262f7fa23c23ed2adc6a4ffc9e608c0

And these are the claims that come in the SAML response:
https://gyazo.com/120b6156a0287566c9d34cf7f726ae81

I'm also having trouble configuring permissions here: https://developer.microsoft.com/graph/graph-explorer. It seems like the changes I make are not staying.

When I go to the Application Users and groups, the only user is me, with role User. I don't know if it's possible to make myself an administrator, it doesn't come in the list of possible roles, only User, and it's a personal account so I'm actually the administrator.

Hoping that someone is able to help a little bit. Thank you very much in advance.

Best regards,
Sergio.

6 answers

Sergio Peral 1 Reputation point

2020-05-04T20:06:59.937+00:00

In addition, is it correct that the role included in the SAML response is referencing the one I have in the Application Manifest and the one in the third screenshot below? Are they all the same role? Maybe the Test role in the SAML response is some "empty" role and I'm referencing different things that have the same name...

Role claim included in the SAML response:

Role in the application manifest:

Role definition:

I'm sorry for asking so many questions but I am really lost. Thank you in advance for your effort.

Best regards.
Please sign in to rate this answer.
AmanpreetSingh-MSFT 56,751 Reputation points

2020-05-05T14:31:29.68+00:00

No, the role we defined in app manifest is different than this. These are directory roles that we can use to grant permissions over Azure AD.

This platform is for asking questions. Feel free to post. Only suggestion is to post new question for a different error so that it helps others facing similar error. We don't want others to go through a long thread to get answer to a specific error. Hope you'll understand.

Sergio Peral 1 Reputation point

2020-05-05T15:33:49.52+00:00

It is under the application's Roles and administrators section so it looked like a role for the application to me.

The objective of my questions is the original one, which is configuring Azure AD SSO to authenticate a user in Opendistro, that's why I continued asking in this thread. I think that any user that wants to achieve that goal will make use of all the answers you provided. However, I understand your suggestion, sorry if you think that this thread is too long.

Thank you for your answers.

Regards.

AmanpreetSingh-MSFT 56,751 Reputation points

2020-05-07T06:56:22.197+00:00

Even if you are referring to application's Roles and administrators section, these roles are different than the app role we defined under app manifest. This will eventually create role under directory role only.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Configure SSO for Azure AD Application

6 answers

Your answer