add my app to azure AD and integrate SSO

eg1995 1,131 Reputation points
2022-04-20T10:51:59.157+00:00

Hi team,

How can I integrate Azure AD SSO with a 3rd-party SaaS application that is not included in the default Azure AD enterprise gallery?
What are the steps and the prerequisites from the Azure AD side and from the SaaS app side to be able to achieve SSO?

Thanks


4 answers

  1. Eric Woodruff 266 Reputation points
    2022-04-20T17:42:36.25+00:00

    Hi there,

    It's not clear if you are asking to have your application added to the Azure AD Enterprise Gallery. If that is the case you can follow the process here to sign up for the Microsoft Application Network portal and submit the application, as well as find any prerequisites:

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/v2-howto-app-gallery-listing

    If you are asking about another 3rd-party SaaS application, the application will need to support either SAML or OIDC to provide SSO. If the application does support either of those, you can still integrate it into Azure AD for SSO; the instructions can be found here:

    Overview - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal
    SAML Integration - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso
    OIDC Integration - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso

    If the application does not support either of those, there is the possibility to leverage password-based SSO, as indicated here; however, it would be recommended to ask the app developer to provide support for standards-based SSO, either SAML or OIDC:

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-password-single-sign-on-non-gallery-applications


  2. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2022-04-20T18:37:06.01+00:00

    @eg1995 ,

    As far as I understand from your query, you have developed a SaaS application which you would like to integrate with Azure AD SSO and publish in the Azure AD enterprise application gallery so that it is available for others to use.

    • If you already have an Azure AD tenant, you can use the same; however, if you do not have one, you can start by signing up with the Microsoft 365 developer program. An Azure AD/Azure AD B2C tenant will be required to add your application there before publishing to the Azure AD enterprise application gallery.
    • Depending upon who you are targeting as customers, you can choose whether to publish your application using Azure AD or Azure AD B2C. Azure AD is a directory system which acts as both user store and auth system for storing users of your own company/organization. Here you need to create your users on your own, just as in any organization. In the case of Azure AD B2C, it is a directory + auth service for general consumers where you get the ability to design a self-service signup process for your customers and users. Thus, if you are targeting individual users from any organization using any identity system to use your application, then you should go with Azure AD B2C; however, if you are targeting only customers who have an existing Azure AD tenant, then you should use Azure AD for SSO.
    • You would then integrate your application with the Microsoft identity platform. We have a video series which talks in depth about how to integrate with the Microsoft identity platform. We also have a long list of code samples which are available for you to first test with the environment.

    Going through this the first time, all of this must seem overwhelming; however, it is doable once you do a few labs and understand the scenarios. I would suggest going through the Microsoft Learn module related to implementing access management for applications before reading further, so that the following information will be more useful.

    I have included a lot of links to understand more, and they all have some significance in this process. I would suggest you go through the same and then proceed with integration of the application. Going through the small training module actually helps in understanding many scenarios better. The SharePoint site of the app onboarding team is also an excellent resource which can help in integrating applications with Azure AD. Hope this information is helpful to you. Should you have any further query, feel free to let us know and we will be happy to help further. If this information is helpful, please do accept the post as answer and help improve the relevancy of this content on the Q&A forum.

    Thank you.


  3. eg1995 1,131 Reputation points
    2022-04-21T05:38:49.477+00:00

    Thank you guys for the huge explanation.
    Basically, this is an in-house app; I don't want to add it for other people into Azure AD, and I'm not following the B2C scenario.

    I just have some apps developed (on premises and on Azure App Service) and I want to integrate these apps with my Azure AD using SSO. Previously I integrated Dropbox and some other apps because these are already available when I search in Azure AD.

    My question is how to add my in-house apps to Azure AD for the integration, assuming that my apps support SAML.

    Can you confirm if I just have to create application registrations for my apps in Azure AD and that's it? Then I can use the SSO and assign Azure AD users to my apps, or is anything else needed?

    Thanks again


  4. Eric Woodruff 266 Reputation points
    2022-04-21T13:39:44.34+00:00

    If your application is built to support SAML, you would add it as a new Enterprise Application, based on the steps found here:

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal

    To expand on the steps if they are not clear, in Enterprise applications, select New application from the top menu, and in the Browse Azure AD Gallery select Create your own application. Select Integrate any other application you don't find in the gallery (Non-gallery), enter the name you want for your application, and choose Create. Note that Azure AD will potentially try to suggest gallery applications to you based on how you name it, but you can just ignore those.

    Once it's created you will want to choose Set up single sign-on, and in the new blade select SAML. Here you'll be presented with the process of performing the metadata exchange and/or manual configuration of the SAML settings, which can be found here:

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso

    I would suggest walking through the first link, which will eventually land you on the second link provided, but the doc is designed to walk you through the integration.

    Let me know if you have any further questions.
