Using Azure SAML to Provide Single Sign-On Functionality in Applications

Azure Active Directory (AD) provides several single sign-on (SSO) options for cloud-based and on-premises applications. One such method is Azure SAML, which is based on version 2.0 of the Security Assertion Markup Language (SAML) open standard for exchanging authentication and authorization data. Azure SAML authenticates to applications using the user’s Azure AD account, making it ideal for mapping authenticated users to specific application roles.

Using Azure SAML with Microsoft Identity Platform

In a typical SAML 2.0 session, authentication and authorization information is passed between the principal or user, the service provider, and the identity provider. With SAML security assertions, users sign in to applications or service providers using authorization credentials from identity providers.

An example of an identity provider is the Microsoft identity platform on your Azure AD account. With this platform, you can authenticate and gain access to applications using either your Microsoft identity or a social account such as Facebook or Google. It also allows authorized access to Microsoft application programming interfaces (APIs) or, if you have them, your own APIs.

The Microsoft identity platform uses SAML and other protocols to provide its users with an SSO experience to Azure AD. In the case of SAML, this process is facilitated by the Single Sign-On and Single Sign-Out SAML profiles that allow the platform to exchange authentication and authorization information with service providers or applications.

The Microsoft identity platform supports other SSO protocols, including OAuth and OpenID Connect. It also works with other identity providers so you’re not limited to using Azure AD. It is compatible with a wide variety of applications, including single-page applications, web applications that require user sign-in and call web APIs, protected web APIs, web APIs that call other web APIs, desktop applications, daemon applications, and mobile apps.

Defining Azure SAML 2.0

SAML is an XML-based open standard typically used for SSO access to applications. It has been through three iterations, with the first version coming out in 2002. SAML 1.1 came a year later, and the latest version, SAML 2.0, was introduced in 2005.

Ordinarily, users need to maintain different logon credentials for applications to which they have access. With SAML, users can sign on to several applications using a single set of credentials from their identity provider. This simplified application access is the primary benefit of SAML.

Components of Azure SAML

Azure SAML Benefits:

Other benefits of SAML include:

Understanding the Sign-On and Sign-Out Processes in Azure SAML

The Single Sign-On and Single Sign-Out SAML profiles are used for SSO in Azure AD.

The single sign-on process is summarized below:

  1. The user tries to access the application or cloud-based service provider.
  2. The service provider passes an HTTP Redirect binding with an authentication request element to Azure AD.
  3. Azure AD authenticates the user and generates a SAML token.
  4. Azure AD sends an HTTP POST binding back to the service provider, whether or not the sign-on succeeded. The response includes a Status element that conveys whether the sign-on was a success or a failure.
  5. The service provider verifies the SAML response, then logs the user in.
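The verification in step 5 is where the service provider decides whether to trust the token. The following is an added example, not code from the original post or from Parallels, of the checks an SP should make on the base64 SAMLResponse delivered by the HTTP POST binding: the Status element, InResponseTo against the AuthnRequest the SP itself issued, presence of a signature, the expected Azure AD issuer, the audience (the application identifier), and the assertion's validity window. The sample response, the tenant id in the issuer, the audience URL and the request id are constructed placeholders; cryptographic XML-DSig verification is assumed to be done by a dedicated library and is not implemented here.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
def _ts(s):  # SAML timestamps are UTC ISO 8601 ending in "Z"
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_saml_response(form_value, expected_issuer, expected_audience, request_id, now=None):
    """Checks the SP makes on the base64 SAMLResponse form field of the HTTP POST binding.
    Returns (True, NameID) or (False, reason). XML-DSig verification itself belongs to a
    library such as xmlsec (assumed, not shown); here an unsigned response is simply refused."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(form_value))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:      # step 4: the Status element
        return False, "status is not Success"
    if root.get("InResponseTo") != request_id:            # must answer our own AuthnRequest
        return False, "InResponseTo does not match an outstanding request"
    a = root.find("saml:Assertion", NS)
    if a is None or (a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None):
        return False, "assertion missing or unsigned"
    if a.findtext("saml:Issuer", "", NS) != expected_issuer:
        return False, "unexpected Issuer"
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", "", NS) != expected_audience:
        return False, "Audience does not match this application's identifier"
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    return True, a.findtext("saml:Subject/saml:NameID", "", NS)

# Constructed sample: an Azure AD-style response (the issuer uses a placeholder tenant id).
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
AUDIENCE = "https://app.example.com/"
T = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" InResponseTo="_req42">
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1"><saml:Issuer>{ISSUER}</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

def demo(audience=AUDIENCE, request_id="_req42", at=T):
    posted = base64.b64encode(SAMPLE.encode()).decode()  # what the browser POSTs as SAMLResponse
    return validate_saml_response(posted, ISSUER, audience, request_id, now=at)
```

Each rejected case returns the reason, so the same function can feed an SP's audit log for failed sign-ons.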

The single sign-out process is summarized below:

  1. The user clicks the logout button on the application or cloud-based service provider’s interface.
  2. The service provider passes a Logout Request to Azure AD.
  3. Azure AD uses the application’s signing key to verify the Logout Request.
  4. Azure AD signs the user out and broadcasts a Logout Request to all service providers in the session.
  5. Azure AD sends the Logout Response to the service provider’s Logout URL.
  6. The service provider logs off the user.

Configuring SAML for Applications

Depending on the application, SAML configuration in Azure AD can be simple or complex. To facilitate configuration, you can get the values needed from the application vendor beforehand. The process itself is fairly easy to follow, as outlined in these steps:

  1. Set up basic SAML configuration, which includes providing a unique application identifier, reply URL, sign-on URL, relay state and logout URL.
  2. Set the user attributes and claims, including the username, email address, and first and last names.
  3. Download the SAML signing certificate from Azure AD in Base64 or Raw format.
  4. Set up the application to use Azure AD.
  5. Test the SSO process to see if it completes successfully.

For well-known applications, Microsoft provides a gallery of configurations that you can follow when setting up these applications for SSO.

Reinforcing Remote Access Security with Parallels RAS

Parallels® Remote Application Server (RAS) uses SAML to provide SSO authentication to your applications, allowing for better application and data security. For securing remote access to your applications and data, Parallels RAS provides multi-factor authentication, data segregation, granular filtering rules, smart card authentication, client group policies, and clipboard restrictions, among other features.

Using the Parallels RAS Reporting Engine, your organization can also generate detailed reports that provide useful insights into usage and user or user-group activities, as well as detect any suspicious activities within your network.

Download the trial, and check for yourself how Parallels RAS can help secure remote access to your networks.
