Configurer l’authentification unique SAML pour votre application à l’aide de Microsoft Graph
L’authentification unique (SSO) est une méthode d’authentification qui permet aux utilisateurs de se connecter à une application, puis d’accéder à plusieurs applications sans avoir à se reconnecter. Microsoft Entra prend en charge différentes méthodes d’authentification unique, notamment OpenID Connect, OAuth, SAML (Security Assertion Markup Language), l’authentification unique basée sur un mot de passe et l’authentification unique liée. À l’aide de Microsoft Graph, vous pouvez automatiser la configuration de l’authentification unique pour votre application.
Dans ce tutoriel, vous apprenez à effectuer les opérations suivantes :
Identifier les applications SAML dans la galerie Microsoft Entra et configurer l’authentification unique SAML pour une application
Ajouter des rôles d’application à une application et les accorder aux utilisateurs
Configurer les revendications à émettre dans le jeton SAML
Configurer un certificat pour l’authentification unique fédérée
Récupérer les métadonnées SAML Microsoft Entra ID de votre application que vous utilisez pour terminer l’intégration
Configuration requise
Ce tutoriel configure l’authentification unique pour AWS IAM Identity Center. Toutefois, la plupart des étapes sur Microsoft Graph s’appliquent à toute autre application que vous souhaitez configurer l’authentification unique.
Connectez-vous à un client API tel que Graph Explorer avec les privilèges permettant d’instancier des applications à partir de la galerie d’applications Microsoft Entra, de configurer des rôles d’application et des stratégies sur les applications.
Administrateur d’application cloud dans le rôle intégré Microsoft Entra moins privilégié avec ces autorisations.
Avoir un utilisateur de test à affecter à l’application. Vous allez créer un utilisateur correspondant dans AWS IAM Identity Center plus loin dans ce tutoriel.
Étape 1 : Identifier l’application à configurer
Pour créer une application qui prend en charge l’authentification unique, vous l’inscrivez via la galerie d’applications Microsoft Entra. La galerie d’applications Microsoft Entra est un catalogue de milliers d’applications prédéfinies qui simplifient le déploiement et la configuration de l’authentification unique et de l’attribution automatisée d’utilisateurs. Dans Microsoft Graph, cette liste est disponible via l’entité applicationTemplate .
Dans cette étape, vous identifiez le modèle d’application pour l’application AWS IAM Identity Center (successor to AWS Single Sign-On) que vous souhaitez configurer. Enregistrez son ID.
GET$filter=displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see
var result = await graphClient.ApplicationTemplates.GetAsync((requestConfiguration) =>
requestConfiguration.QueryParameters.Filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'";
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
msgraphsdk ""
graphapplicationtemplates ""
requestFilter := "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'"
requestParameters := &graphapplicationtemplates.ApplicationTemplatesRequestBuilderGetQueryParameters{
Filter: &requestFilter,
configuration := &graphapplicationtemplates.ApplicationTemplatesRequestBuilderGetRequestConfiguration{
QueryParameters: requestParameters,
// To initialize your graphClient, see
applicationTemplates, err := graphClient.ApplicationTemplates().Get(context.Background(), configuration)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ApplicationTemplateCollectionResponse result = graphClient.applicationTemplates().get(requestConfiguration -> {
requestConfiguration.queryParameters.filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'";
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ApplicationTemplates\ApplicationTemplatesRequestBuilderGetRequestConfiguration;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestConfiguration = new ApplicationTemplatesRequestBuilderGetRequestConfiguration();
$queryParameters = ApplicationTemplatesRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'";
$requestConfiguration->queryParameters = $queryParameters;
$result = $graphServiceClient->applicationTemplates()->get($requestConfiguration)->wait();
Import-Module Microsoft.Graph.Applications
Get-MgApplicationTemplate -Filter "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'"
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.application_templates.application_templates_request_builder import ApplicationTemplatesRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see
query_params = ApplicationTemplatesRequestBuilder.ApplicationTemplatesRequestBuilderGetQueryParameters(
filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'",
request_configuration = RequestConfiguration(
query_parameters = query_params,
result = await graph_client.application_templates.get(request_configuration = request_configuration)
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "$metadata#applicationTemplates",
"": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET applicationTemplates?$select=categories,description",
"value": [
"id": "21ed01d2-ec13-4e9e-86c1-cd546719ebc4",
"displayName": "AWS IAM Identity Center (successor to AWS Single Sign-On)",
"homePageUrl": "",
"supportedSingleSignOnModes": [
"supportedProvisioningTypes": [
"logoUrl": "",
"categories": [
"publisher": "Amazon Web Services, Inc.",
"description": "Federate once to AWS IAM Identity Center (successor to AWS Single Sign-On) & use it to centrally manage access to multiple AWS accounts and IAM Identity Center enabled apps. Provision users via SCIM."
Étape 2 : Instancier l’application
À l’aide de la valeur id du modèle d’application, créez une instance de l’application dans votre locataire. Ici, vous nommez l’application AWS Contoso. La réponse inclut un objet d’application et de principal de service pour AWS Contoso, qui est un instance de l’application AWS IAM Identity Center (successeur de l’authentification unique AWS). Enregistrez les ID des objets d’application et de principal de service créés pour les utiliser plus loin dans ce didacticiel.
Content-type: application/json
"displayName": "AWS Contoso"
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.ApplicationTemplates.Item.Instantiate;
var requestBody = new InstantiatePostRequestBody
DisplayName = "AWS Contoso",
// To initialize your graphClient, see
var result = await graphClient.ApplicationTemplates["{applicationTemplate-id}"].Instantiate.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
msgraphsdk ""
graphapplicationtemplates ""
requestBody := graphapplicationtemplates.NewInstantiatePostRequestBody()
displayName := "AWS Contoso"
// To initialize your graphClient, see
instantiate, err := graphClient.ApplicationTemplates().ByApplicationTemplateId("applicationTemplate-id").Instantiate().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter); instantiatePostRequestBody = new;
instantiatePostRequestBody.setDisplayName("AWS Contoso");
var result = graphClient.applicationTemplates().byApplicationTemplateId("{applicationTemplate-id}").instantiate().post(instantiatePostRequestBody);
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ApplicationTemplates\Item\Instantiate\InstantiatePostRequestBody;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new InstantiatePostRequestBody();
$requestBody->setDisplayName('AWS Contoso');
$result = $graphServiceClient->applicationTemplates()->byApplicationTemplateId('applicationTemplate-id')->instantiate()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.applicationtemplates.item.instantiate.instantiate_post_request_body import InstantiatePostRequestBody
# To initialize your graph_client, see
request_body = InstantiatePostRequestBody(
display_name = "AWS Contoso",
result = await graph_client.application_templates.by_application_template_id('applicationTemplate-id')
Dans cette étape, vous allez configurer l’authentification unique pour AWS Contoso. Pour l’application, vous configurez les URL SAML tandis que pour le principal de service, vous définissez le mode d’authentification unique sur saml.
Étape 3.1 : Définir le mode d’authentification unique pour le principal de service
Définissez saml comme mode d’authentification unique pour le principal de service AWS Contoso. La requête retourne un code de réponse 204 No Content .
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ServicePrincipal
PreferredSingleSignOnMode = "saml",
// To initialize your graphClient, see
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
msgraphsdk ""
graphmodels ""
requestBody := graphmodels.NewServicePrincipal()
preferredSingleSignOnMode := "saml"
// To initialize your graphClient, see
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal servicePrincipal = new ServicePrincipal();
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ServicePrincipal();
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
# To initialize your graph_client, see
request_body = ServicePrincipal(
preferred_single_sign_on_mode = "saml",
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new Application
IdentifierUris = new List<string>
Web = new WebApplication
RedirectUris = new List<string>
// To initialize your graphClient, see
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
msgraphsdk ""
graphmodels ""
requestBody := graphmodels.NewApplication()
identifierUris := []string {
web := graphmodels.NewWebApplication()
redirectUris := []string {
// To initialize your graphClient, see
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Application application = new Application();
LinkedList<String> identifierUris = new LinkedList<String>();
WebApplication web = new WebApplication();
LinkedList<String> redirectUris = new LinkedList<String>();
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\WebApplication;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Application();
$requestBody->setIdentifierUris(['', ]);
$web = new WebApplication();
$web->setRedirectUris(['', ]);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.web_application import WebApplication
# To initialize your graph_client, see
request_body = Application(
identifier_uris = [
web = WebApplication(
redirect_uris = [
result = await graph_client.applications.by_application_id('application-id').patch(request_body)
Si l’application nécessite les informations de rôle dans le jeton, ajoutez la définition des rôles dans la propriété appRoles . AWS Contoso a été instancié avec les rôles par défaut User et msiam_access : ne les modifiez pas ou ne les supprimez pas. Pour ajouter d’autres rôles, vous incluez à la fois les rôles existants et les nouveaux rôles dans l’objet appRoles dans la requête. Sinon, les rôles existants sont remplacés.
Dans cette étape, ajoutez les Finance,WAAD rôles et Admin,WAAD au principal de service AWS Contoso. La requête retourne un code de réponse 204 No Content .
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ServicePrincipal
AppRoles = new List<AppRole>
new AppRole
AllowedMemberTypes = new List<string>
Description = "User",
DisplayName = "User",
Id = Guid.Parse("8774f594-1d59-4279-b9d9-59ef09a23530"),
IsEnabled = true,
Origin = "Application",
Value = null,
new AppRole
AllowedMemberTypes = new List<string>
Description = "msiam_access",
DisplayName = "msiam_access",
Id = Guid.Parse("e7f1a7f3-9eda-48e0-9963-bd67bf531afd"),
IsEnabled = true,
Origin = "Application",
Value = null,
new AppRole
AllowedMemberTypes = new List<string>
Description = "Admin,WAAD",
DisplayName = "Admin,WAAD",
Id = Guid.Parse("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
IsEnabled = true,
Value = "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD",
new AppRole
AllowedMemberTypes = new List<string>
Description = "Finance,WAAD",
DisplayName = "Finance,WAAD",
Id = Guid.Parse("7a960000-ded3-455b-8c04-4f2ace00319b"),
IsEnabled = true,
Value = "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD",
// To initialize your graphClient, see
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
Étape 5 : Configurer le mappage des revendications
Vous souhaitez configurer les attributs SAML en mappant les champs Microsoft Entra ID avec des attributs d’application AWS IAM Identity Center spécifiques. Par conséquent, vous créez une stratégie de mappage de revendications et vous l’affectez au principal de service.
Étape 5.1 : Créer une stratégie de mappage de revendications
En plus des revendications de base, configurez les revendications suivantes pour que Microsoft Entra ID émettent dans le jeton SAML :
Certaines clés de la stratégie de mappage de revendications, telles que Version, respectent la casse. Le message d’erreur « La propriété a une valeur non valide » peut être un problème de respect de la casse.
Créez la stratégie de mappage de revendications et enregistrez son ID pour l’utiliser plus loin dans ce tutoriel.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ClaimsMappingPolicy
Definition = new List<string>
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"\"}, {\"Value\":\"900\",\"SamlClaimType\": \"\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"\"}]}}",
DisplayName = "AWS Claims Policy",
IsOrganizationDefault = false,
// To initialize your graphClient, see
var result = await graphClient.Policies.ClaimsMappingPolicies.PostAsync(requestBody);
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ClaimsMappingPolicy claimsMappingPolicy = new ClaimsMappingPolicy();
LinkedList<String> definition = new LinkedList<String>();
definition.add("{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"\"}, {\"Value\":\"900\",\"SamlClaimType\": \"\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"\"}]}}");
claimsMappingPolicy.setDisplayName("AWS Claims Policy");
ClaimsMappingPolicy result = graphClient.policies().claimsMappingPolicies().post(claimsMappingPolicy);
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.claims_mapping_policy import ClaimsMappingPolicy
# To initialize your graph_client, see
request_body = ClaimsMappingPolicy(
definition = [
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"\"}, {\"Value\":\"900\",\"SamlClaimType\": \"\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"\"}]}}",
display_name = "AWS Claims Policy",
is_organization_default = False,
result = await
Content-type: application/json
"": ""
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ReferenceCreate
OdataId = "",
// To initialize your graphClient, see
await graphClient.ServicePrincipals["{servicePrincipal-id}"].ClaimsMappingPolicies.Ref.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
msgraphsdk ""
graphmodels ""
requestBody := graphmodels.NewReferenceCreate()
odataId := ""
// To initialize your graphClient, see
graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").ClaimsMappingPolicies().Ref().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter); referenceCreate = new;
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ReferenceCreate;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ReferenceCreate();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.reference_create import ReferenceCreate
# To initialize your graph_client, see
request_body = ReferenceCreate(
odata_id = "",
await graph_client.service_principals.by_service_principal_id('servicePrincipal-id')
Après avoir ajouté le certificat, le principal de service contient deux objets dans la collection keyCredentials : un pour la clé privée et un pour la clé publique ; et un objet dans la collection passwordCredentials pour le mot de passe du certificat.
Option 1 : Créer un certificat de signature de jeton pour le principal de service
Content-type: application/json
"displayName": "CN=AWSContoso",
"endDateTime": "2027-01-22T00:00:00Z"
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.ServicePrincipals.Item.AddTokenSigningCertificate;
var requestBody = new AddTokenSigningCertificatePostRequestBody
DisplayName = "CN=AWSContoso",
EndDateTime = DateTimeOffset.Parse("2027-01-22T00:00:00Z"),
// To initialize your graphClient, see
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AddTokenSigningCertificate.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
msgraphsdk ""
graphserviceprincipals ""
requestBody := graphserviceprincipals.NewAddTokenSigningCertificatePostRequestBody()
displayName := "CN=AWSContoso"
endDateTime , err := time.Parse(time.RFC3339, "2027-01-22T00:00:00Z")
// To initialize your graphClient, see
addTokenSigningCertificate, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AddTokenSigningCertificate().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter); addTokenSigningCertificatePostRequestBody = new;
OffsetDateTime endDateTime = OffsetDateTime.parse("2027-01-22T00:00:00Z");
SelfSignedCertificate result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").addTokenSigningCertificate().post(addTokenSigningCertificatePostRequestBody);
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ServicePrincipals\Item\AddTokenSigningCertificate\AddTokenSigningCertificatePostRequestBody;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AddTokenSigningCertificatePostRequestBody();
$requestBody->setEndDateTime(new \DateTime('2027-01-22T00:00:00Z'));
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->addTokenSigningCertificate()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.serviceprincipals.item.add_token_signing_certificate.add_token_signing_certificate_post_request_body import AddTokenSigningCertificatePostRequestBody
# To initialize your graph_client, see
request_body = AddTokenSigningCertificatePostRequestBody(
display_name = "CN=AWSContoso",
end_date_time = "2027-01-22T00:00:00Z",
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id')
Option 2 : Créer un certificat de signature personnalisé
Vous pouvez utiliser les scripts PowerShell et C# suivants pour obtenir un certificat auto-signé à des fins de test. Utilisez les meilleures pratiques de sécurité de votre entreprise pour créer un certificat de signature pour la production.
Le script suivant crée un certificat auto-signé avec le nom que vous donnez lorsque fqdn vous y êtes invité, par exemple, CN=AWSContoso. Il protège le certificat avec le mot de passe que vous fournissez dans pwd et exporte les certificats PFX et CER vers l’emplacement que vous spécifiez dans location.
L’application console C# suivante peut être utilisée comme preuve de concept pour comprendre comment obtenir les valeurs requises. Ce code est destiné à l’apprentissage et à la référence uniquement et ne doit pas être utilisé tel quelle en production.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
* This code uses a self signed certificate and should not be used
* in production. This code is for reference and learning ONLY.
namespace Self_signed_cert
class Program
static void Main(string[] args)
// Generate a guid to use as a password and then create the cert.
string password = Guid.NewGuid().ToString();
var selfsignedCert = buildSelfSignedServerCertificate(password);
// Print values so we can copy paste into the JSON fields.
// Print out the private key in base64 format.
Console.WriteLine("Private Key: {0}{1}", Convert.ToBase64String(selfsignedCert.Export(X509ContentType.Pfx, password)), Environment.NewLine);
// Print out the start date in ISO 8601 format.
DateTime startDate = DateTime.Parse(selfsignedCert.GetEffectiveDateString()).ToUniversalTime();
Console.WriteLine("For All startDateTime: " + startDate.ToString("o"));
// Print out the end date in ISO 8601 format.
DateTime endDate = DateTime.Parse(selfsignedCert.GetExpirationDateString()).ToUniversalTime();
Console.WriteLine("For All endDateTime: " + endDate.ToString("o"));
// Print the GUID used for keyId
string signAndPasswordGuid = Guid.NewGuid().ToString();
string verifyGuid = Guid.NewGuid().ToString();
Console.WriteLine("GUID to use for keyId for keyCredentials->Usage == Sign and passwordCredentials: " + signAndPasswordGuid);
Console.WriteLine("GUID to use for keyId for keyCredentials->Usage == Verify: " + verifyGuid);
// Print out the password.
Console.WriteLine("Password is: {0}", password);
// Print out a displayName to use as an example.
Console.WriteLine("displayName to use: CN=Example");
// Print out the public key.
Console.WriteLine("Public Key: {0}{1}", Convert.ToBase64String(selfsignedCert.Export(X509ContentType.Cert)), Environment.NewLine);
// Generate the customKeyIdentifier using hash of thumbprint.
Console.WriteLine("You can generate the customKeyIdentifier by getting the SHA256 hash of the certs thumprint.\nThe certs thumbprint is: {0}{1}", selfsignedCert.Thumbprint, Environment.NewLine);
Console.WriteLine("The hash of the thumbprint that we will use for customeKeyIdentifier is:");
string keyIdentifier = GetSha256FromThumbprint(selfsignedCert.Thumbprint);
// Generate a self-signed certificate.
private static X509Certificate2 buildSelfSignedServerCertificate(string password)
const string CertificateName = @"Microsoft Azure Federated SSO Certificate TEST";
DateTime certificateStartDate = DateTime.UtcNow;
DateTime certificateEndDate = certificateStartDate.AddYears(2).ToUniversalTime();
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");
using (RSA rsa = RSA.Create(2048))
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
var certificate = request.CreateSelfSigned(new DateTimeOffset(certificateStartDate), new DateTimeOffset(certificateEndDate));
certificate.FriendlyName = CertificateName;
return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable);
// Generate hash from thumbprint.
public static string GetSha256FromThumbprint(string thumbprint)
var message = Encoding.ASCII.GetBytes(thumbprint);
SHA256Managed hashString = new SHA256Managed();
return Convert.ToBase64String(hashString.ComputeHash(message));
Extraire les détails du certificat
À l’étape précédente, vous disposez des certificats CER et PFX. Extrayez les valeurs de la clé privée, du mot de passe, de la clé publique et de l’empreinte numérique du certificat à ajouter au principal de service.
Extraire l’empreinte numérique du certificat
Le script PowerShell suivant vous permet d’extraire l’empreinte numérique du fichier CER. Remplacez le chemin d’accès au fichier par l’emplacement de votre certificat.
## Replace the file path with the source of your certificate
Get-PfxCertificate -Filepath "C:\Users\admin\Desktop\CN=AWSContoso.cer" | Out-File -FilePath "C:\Users\admin\Desktop\CN=AWSContoso.cer.thumbprint.txt"
Le fichier CN=AWSContoso.cer.thumbprint.txt a une entrée similaire à la sortie suivante.
Le script PowerShell suivant vous permet d’extraire la clé publique du fichier CER. Remplacez le chemin d’accès au fichier par l’emplacement de votre certificat.
Ajoutez les détails suivants aux keyCredentials et passwordCredentials pour le principal de service. Lorsque les deux objets ont les mêmes propriétés, vous devez attribuer les mêmes valeurs pour ces propriétés.
CustomKeyIdentifier est le hachage de l’empreinte numérique du certificat.
StartDateTime est la date à laquelle ou après la création du certificat.
EndDateTime peut être un maximum de trois ans à partir de startDateTime. S’il n’est pas spécifié, le système attribue automatiquement une date un an après startDateTime.
Le type et l’utilisation doivent être :
AsymmetricX509Cert et Verify respectivement dans le même objet.
X509CertAndPassword et Sign respectivement dans le même objet.
Affectez le nom de l’objet du certificat à la propriété displayName .
La clé est la valeur encodée en Base64 que vous avez générée à l’étape précédente.
KeyId est un GUID que vous pouvez définir.
La requête retourne un code de réponse 204 No Content .
Vous devez définir la propriété preferredTokenSigningKeyThumbprint du principal de service sur l’empreinte numérique du certificat que vous souhaitez Microsoft Entra ID utiliser pour signer la réponse SAML. La requête retourne un code de réponse 204 No Content .
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new ServicePrincipal
PreferredTokenSigningKeyThumbprint = "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
// To initialize your graphClient, see
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
msgraphsdk ""
graphmodels ""
requestBody := graphmodels.NewServicePrincipal()
preferredTokenSigningKeyThumbprint := "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"
// To initialize your graphClient, see
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipal servicePrincipal = new ServicePrincipal();
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ServicePrincipal();
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
# To initialize your graph_client, see
request_body = ServicePrincipal(
preferred_token_signing_key_thumbprint = "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)
Étape 7 : Affecter des utilisateurs à l’application
Affecter un utilisateur à l’application
Affectez l’utilisateur de test que vous avez créé au principal de service et accordez-lui le rôle d’application Admin,WAAD . Dans le corps de la demande, fournissez les valeurs suivantes :
principalId : ID du compte d’utilisateur que vous avez créé.
appRoleId : ID du Admin,WAAD rôle d’application que vous avez ajouté.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new AppRoleAssignment
PrincipalId = Guid.Parse("59bb3898-0621-4414-ac61-74f9d7201355"),
PrincipalType = "User",
AppRoleId = Guid.Parse("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
ResourceId = Guid.Parse("d3616293-fff8-4415-9f01-33b05dad1b46"),
// To initialize your graphClient, see
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AppRoleAssignments.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
msgraphsdk ""
graphmodels ""
requestBody := graphmodels.NewAppRoleAssignment()
principalId := uuid.MustParse("59bb3898-0621-4414-ac61-74f9d7201355")
principalType := "User"
appRoleId := uuid.MustParse("3a84e31e-bffa-470f-b9e6-754a61e4dc63")
resourceId := uuid.MustParse("d3616293-fff8-4415-9f01-33b05dad1b46")
// To initialize your graphClient, see
appRoleAssignments, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AppRoleAssignments().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AppRoleAssignment appRoleAssignment = new AppRoleAssignment();
AppRoleAssignment result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").appRoleAssignments().post(appRoleAssignment);
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.app_role_assignment import AppRoleAssignment
# To initialize your graph_client, see
request_body = AppRoleAssignment(
principal_id = UUID("59bb3898-0621-4414-ac61-74f9d7201355"),
principal_type = "User",
app_role_id = UUID("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
resource_id = UUID("d3616293-fff8-4415-9f01-33b05dad1b46"),
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id')
Étape 8 : Obtenir Microsoft Entra ID métadonnées SAML pour l’application AWS Contoso
Utilisez l’URL suivante pour obtenir les métadonnées SAML Microsoft Entra ID pour l’application AWS Contoso. Remplacez par {tenant-id} l’ID de locataire et {appId} par l’appId de l’application AWS Contoso. Les métadonnées contiennent des informations telles que le certificat de signature, Microsoft Entra entityID et Microsoft Entra SingleSignOnService, entre autres.
Maintenant que vous avez configuré l’application Microsoft Entra et que vous disposez des métadonnées SAML, connectez-vous à votre site d’entreprise AWS IAM Identity Center en tant qu’administrateur et :
Dans cette étape, supprimez les ressources que vous avez créées et dont vous n’avez plus besoin.
Supprimer l’application
Lorsque vous supprimez l’application, le principal de service dans votre locataire est également supprimé. La requête retourne un code de réponse 204 No Content .
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see
await graphClient.Applications["{application-id}"].DeleteAsync();
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
msgraphsdk ""
// To initialize your graphClient, see
graphClient.Applications().ByApplicationId("application-id").Delete(context.Background(), nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see
await graph_client.applications.by_application_id('application-id').delete()
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see
await graphClient.Users["{user-id}"].DeleteAsync();
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
msgraphsdk ""
// To initialize your graphClient, see
graphClient.Users().ByUserId("user-id").Delete(context.Background(), nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see
await graph_client.users.by_user_id('user-id').delete()
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see
await graphClient.Policies.ClaimsMappingPolicies["{claimsMappingPolicy-id}"].DeleteAsync();
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
msgraphsdk ""
// To initialize your graphClient, see
graphClient.Policies().ClaimsMappingPolicies().ByClaimsMappingPolicyId("claimsMappingPolicy-id").Delete(context.Background(), nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see
await graph_client.policies.claims_mapping_policies.by_claims_mapping_policy_id('claimsMappingPolicy-id').delete()