Configure SSO for Azure AD Application

Sergio Peral 1 Reputation point
2020-04-29T12:24:45.867+00:00

Hello all,
I hope you're staying healthy and safe.

I'm having an issue trying to configure Azure AD SSO for an application. My Service Provider application is not able to authenticate itself because the roles claim configured in Azure AD SSO is not included in the SAML response. I'm following this guide to configure it: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management, but I'm not having success.

These are my configured claims:
https://gyazo.com/f262f7fa23c23ed2adc6a4ffc9e608c0

And these are the claims that come in the SAML response:
https://gyazo.com/120b6156a0287566c9d34cf7f726ae81

I'm also having trouble configuring permissions here: https://developer.microsoft.com/graph/graph-explorer. It seems like the changes I make are not staying.

When I go to the Application Users and groups, the only user is me, with role User. I don't know if it's possible to make myself an administrator; it doesn't appear in the list of possible roles (only User), and it's a personal account, so I'm actually the administrator.

Hoping that someone is able to help a little bit. Thank you very much in advance.

Best regards,
Sergio.
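The question hinges on the appRoles entries in the application manifest: a role only shows up under Users and groups, and only produces a role claim value, when its entry is well-formed. The following checker is an added example, not code from the original post or from Microsoft; it applies the documented requirements (GUID id, allowedMemberTypes containing "User", a non-empty unique value, isEnabled true) to a constructed manifest fragment in which the "Test" role is correct and the "Admin" role is deliberately broken.

```python
"""Sanity-check the appRoles block of an Azure AD application manifest.

Added example; it is not code from the original post or from Microsoft.
SAMPLE_APP_ROLES is a constructed manifest fragment: one well-formed role
and one that would never show up under Users and groups.
"""
import uuid


def _is_guid(value):
    """Azure AD requires every appRole id to be a GUID (a wrong id in the
    manifest was the first error hit in this thread)."""
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return isinstance(value, str)


def check_app_roles(app_roles):
    """Return a list of human-readable problems; an empty list means every
    role can be assigned to a user and will yield a role claim value.

    Rules applied (from the Azure AD app role documentation):
      - id is a GUID and unique within the manifest
      - allowedMemberTypes contains "User" (roles with only "Application"
        are app permissions, not assignable under Users and groups)
      - value is a non-empty, trimmed, unique string; this string is what
        lands in the SAML role claim
      - isEnabled is true, otherwise the role is not offered for assignment
    """
    problems = []
    seen_ids, seen_values = set(), set()
    for idx, role in enumerate(app_roles):
        label = role.get("displayName") or f"appRoles[{idx}]"

        role_id = role.get("id")
        if not _is_guid(role_id):
            problems.append(f"{label}: id {role_id!r} is not a GUID")
        elif role_id.lower() in seen_ids:
            problems.append(f"{label}: id {role_id} is reused by another role")
        else:
            seen_ids.add(role_id.lower())

        members = role.get("allowedMemberTypes") or []
        if "User" not in members:
            problems.append(
                f"{label}: allowedMemberTypes {members} has no 'User'; "
                "the role cannot be assigned to users or groups"
            )

        value = role.get("value")
        if not isinstance(value, str) or not value or value != value.strip():
            problems.append(f"{label}: value {value!r} must be a non-empty, trimmed string")
        elif value in seen_values:
            problems.append(f"{label}: value {value!r} is reused by another role")
        else:
            seen_values.add(value)

        if role.get("isEnabled") is not True:
            problems.append(f"{label}: isEnabled is not true, so it is hidden from assignment")
    return problems


# Constructed sample: the GUID and role names are placeholders.
SAMPLE_APP_ROLES = [
    {  # well-formed: what a working "Test" role looks like
        "allowedMemberTypes": ["User"],
        "description": "Kibana test role",
        "displayName": "Test",
        "id": "5f4a1b2c-7d8e-4f90-a1b2-c3d4e5f6a7b8",
        "isEnabled": True,
        "value": "Test",
    },
    {  # broken on purpose: bad id and disabled
        "allowedMemberTypes": ["User"],
        "description": "Kibana admin role",
        "displayName": "Admin",
        "id": "not-a-guid",
        "isEnabled": False,
        "value": "Admin",
    },
]

if __name__ == "__main__":
    for line in check_app_roles(SAMPLE_APP_ROLES) or ["appRoles look assignable"]:
        print(line)
```

Paste the `appRoles` array from the manifest's JSON in place of `SAMPLE_APP_ROLES` to run it against a real application. A role that passes every check still produces no claim until a user is actually assigned to it under Enterprise applications > Users and groups; the default "User" role has no value and therefore never appears in the token.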

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

6 answers

  1. Sergio Peral 1 Reputation point
    2020-05-04T20:06:59.937+00:00

    In addition, is it correct that the role included in the SAML response is referencing the one I have in the Application Manifest and the one in the third screenshot below? Are they all the same role? Maybe the Test role in the SAML response is some "empty" role and I'm referencing different things that have the same name...

    Role claim included in the SAML response:

    7912-test1.png

    Role in the application manifest:

    7827-test2.png

    Role definition:

    7913-test3.png

    I'm sorry for asking so many questions but I am really lost. Thank you in advance for your effort.

    Best regards.


  2. Sergio Peral 1 Reputation point
    2020-05-04T19:11:25.183+00:00

    Hey Aman,
    Thanks for your great help; after re-assigning myself to the role it was detected successfully. Unfortunately, my application still doesn't get authenticated successfully...

    Let me please ask you one last thing... When I go to the Graph explorer (https://developer.microsoft.com/en-us/graph/graph-explorer#), I select beta and run this query: https://graph.microsoft.com/beta/servicePrincipals. But the response is kind of empty:

    7826-test.png

    Shouldn't it respond with the details of the application I created, at least? (it should, according to this article https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management)


  3. AmanpreetSingh-MSFT 56,336 Reputation points
    2020-05-04T05:35:50.17+00:00

    @Sergio Peral Since the user is assigned, you should not get this error. Could you please try removing the user and assigning it again? If that doesn't help, please try creating a new user under Azure Active Directory > Users and test with that account.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


  4. Sergio Peral 1 Reputation point
    2020-04-30T20:16:38.81+00:00

    Hi @AmanpreetSingh-MSFT , thanks for answering.

    I managed to solve that error, I had the wrong id in the application manifest.
    Now I am having this error:

    7824-test.png

    But I have a role in the application:
    7795-test2.png

    So I will keep investigating. Please let me know how I could proceed.

    Thank you very much.

    Regards.


  5. Sergio Peral 1 Reputation point
    2020-04-29T20:17:33.817+00:00

    Thank you very much, with your help I was able to include the Roles claim in my SAML response:

         <Attribute Name="Roles">
            <AttributeValue>Test</AttributeValue>
         </Attribute>
    

    Unfortunately my main issue persists, even though I thought this was the cause of the problem. My issue is exactly this one: https://github.com/opendistro-for-elasticsearch/security/issues/430 (I didn't create it).

    I don't know if you or some of your colleagues are familiar with integrating Elasticsearch + Kibana with Azure AD to implement SSO, but if someone could provide some help with this it would be so great.

    Thank you very much for your help so far.
    Best regards,
    Sergio.
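Once the claim is in the response, the remaining failure mode is on the Service Provider side: the attribute name it reads roles from has to match the name Azure AD emits exactly (the renamed "Roles" above, or Azure's default URI when the claim is left unrenamed). The script below is an added example, not code from the original post, from Microsoft, or from the OpenDistro project; it parses a constructed, unsigned, minimal SAML response shaped like Azure AD's and reports whether the roles sit under the expected name, under a different one, or are absent altogether.

```python
"""Pull the role claim out of an Azure AD SAML response and compare it with
the attribute name the Service Provider expects.

Added example; not code from the original post, Microsoft, or OpenDistro.
SAMPLE_RESPONSE is a constructed, unsigned, minimal response shaped like
Azure AD's; a real one also carries a Signature, Conditions and an
AuthnStatement. The role values "Test" and "Admin", the NameID and the
all-zero tenant id are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Name Azure AD uses for app roles unless the claim is renamed in the SSO
# blade, as was done in the thread above ("Roles").
AZURE_DEFAULT_ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2020-04-29T20:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-04-29T20:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Roles">
        <saml:AttributeValue>Test</saml:AttributeValue>
        <saml:AttributeValue>Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_attributes(response_xml):
    """Map every Attribute Name in the AttributeStatement(s) to its values."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def find_roles(response_xml, roles_key):
    """Locate role values under the name the SP is configured to read.

    status:  "ok"       roles found under roles_key
             "renamed"  roles present, but under a different claim name
             "missing"  no role claim at all (the assigned app role has no
                        value, or the user is not assigned to one)
    roles:   the values found, if any
    present: every attribute name seen, so a mismatch is easy to spot
    """
    attrs = saml_attributes(response_xml)
    present = sorted(attrs)
    if attrs.get(roles_key):
        return {"status": "ok", "roles": attrs[roles_key],
                "found_under": roles_key, "present": present}
    for name, values in attrs.items():
        if values and (name == AZURE_DEFAULT_ROLE_CLAIM or name.lower() in ("role", "roles")):
            return {"status": "renamed", "roles": values,
                    "found_under": name, "present": present}
    return {"status": "missing", "roles": [], "found_under": None, "present": present}


if __name__ == "__main__":
    for key in ("Roles", AZURE_DEFAULT_ROLE_CLAIM):
        print(key, "->", find_roles(SAMPLE_RESPONSE, key))
```

Feed it the base64-decoded SAMLResponse captured from the browser (SAML-tracer or the POST body) and the key the SP is configured with. Two caveats: the script does not verify the XML signature, so it is a debugging aid and must not be used to make authorization decisions, and `xml.etree` should be replaced with `defusedxml` when the input is not something you captured yourself.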