Azure DevOps on-prem - SSO

Question

Azure DevOps on-prem - SSO

Dabrowski Adam MTPL SBC 0

Hello support team,

I am trying to setup application proxy via Azure AD Connector.

Kindly please provide metadata require below:

User's image

Rakesh Mishra 4,880 Reputation points Microsoft External Staff Moderator

2025-11-26T10:43:57.5933333+00:00

Hi @Dabrowski Adam MTPL SBC , Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Could you please confirm if Adam's response was able to assist you. If not, please do let me know, I will assist you further on this.

3 answers

Your answer

Rakesh Mishra 4,880 Reputation points Microsoft External Staff Moderator

2025-11-26T10:43:57.5933333+00:00

Hi @Dabrowski Adam MTPL SBC , Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Could you please confirm if Adam's response was able to assist you. If not, please do let me know, I will assist you further on this.

Answer 1

If you are publishing Azure DevOps Server (on-prem) through Azure AD Application Proxy, the SAML metadata does not come from Azure DevOps itself. The metadata you need is generated by Azure AD, because Azure AD is acting as the identity provider.

To get the metadata required by Azure DevOps Server:

Go to the Enterprise Application you created for Azure DevOps SSO.

Open Single sign-on → SAML.

Under SAML Certificates, download: • Federation Metadata XML → this is the metadata file you must upload to Azure DevOps Server
In the same SSO page, copy the following values: • Login URL • Azure AD Identifier • Logout URL (optional)

These are the only values Azure DevOps Server needs to complete the SAML configuration.

Azure DevOps Server does not provide its own metadata endpoint. You configure it manually using the XML and URLs provided by Azure AD.

If the metadata download button is greyed out, make sure:

• A SAML certificate is generated (status must be “Active”)

• You saved the Basic SAML Configuration section first

After that, Azure AD will allow you to download the metadata file.

Dabrowski Adam MTPL SBC 0 Reputation points

2025-11-26T21:38:16.3366667+00:00

Hello Adam,I have generated metadata file.

Can you please explain how it should be now imported to AzureDevops Server?

Best regards,

Answer 2

Dabrowski Adam MTPL SBC 0

Hello Adam,

Thank you so much for you detailed answer.

I will try and will let you know about results.

Best regards,

AD

Answer 3

Dabrowski Adam MTPL SBC 0

Hello Adam,I have generated metadata file.

Can you please explain how it should be now imported to AzureDevops Server?

Best regards,

AD

Pravallika KV 6,085 Reputation points Microsoft External Staff Moderator

2025-11-27T03:10:14.9633333+00:00
Hi Dabrowski Adam MTPL SBC,

Follow below steps to import Azure AD metadata into Azure DevOps Server:

1. Open Azure DevOps Server Administration Console

On your Azure DevOps Server application tier: Launch Azure DevOps Administration Console

Go to Application Tier => Authentication, select SAML as the authentication mode.

2. Upload the Federation Metadata XML

In the SAML configuration window, you will see an option for: Identity Provider metadata or "Upload metadata file"

Upload the Federation Metadata XML you downloaded from Azure AD.

Azure DevOps will parse this file and automatically populate:

Azure AD Identifier - Entity ID

Login URL - SAML Redirect URL

Logout URL

Signing certificate used by Azure AD

3. Provide the Azure DevOps Server SAML settings BACK to Azure AD

After uploading the metadata XML, Azure DevOps will show its own values that Azure AD requires:

Assertion Consumer Service URL (Reply URL)

Entity ID for Azure DevOps Server

Sign-on URL

Copy these URLs and update the Basic SAML Configuration in the Azure AD Enterprise Application.

4. Restart Azure DevOps Server

After saving the SAML configuration, restart:

Azure DevOps Server application pool

Azure DevOps Server job agent

Or simply reboot the server if required.

5. Test the sign-in

Navigate to the Application Proxy external URL you configured. Azure AD should now redirect to Azure DevOps Server using SAML authentication.
Dabrowski Adam MTPL SBC 0 Reputation points

2025-11-27T10:05:18.3533333+00:00

HI Pravallika KV,

Thank you so much for your answer.

I have checked my app-tier and run Azure DevOps Server Administration Console as you suggested. However there is not option to change authentication method from current on (Negotiate-Kerberos) to SAML.

I am running Azure DevOps 2022.2.

Please help.
Pravallika KV 6,085 Reputation points Microsoft External Staff Moderator

2025-11-28T09:17:25.5433333+00:00
Dabrowski Adam MTPL SBC,

Apologies for the delay in response.

Please confirm the following prerequisites:

HTTPS must be enabled on the Application Tier:

SAML authentication only works over HTTPS. If your Azure DevOps Server is currently running on HTTP, the SAML option will not appear.

You must configure a valid TLS certificate and bind it to the Azure DevOps website in IIS, then re-run the Admin Console.

Your deployment must be “Azure DevOps Server with Search”:

If you installed Azure DevOps Server without Search, SAML is not enabled in the UI.

You can verify this in the Admin Console under:

Application Tier => Search

If Search is not configured, you must enable it:

Use Azure DevOps Server Configuration Wizard

Choose Configure Search

Complete the Search configuration

Once Search is enabled, restart the Admin Console and check Authentication again.

Your server must be upgraded to Azure DevOps Server 2022.1 or later.
Dabrowski Adam MTPL SBC 0 Reputation points

2025-11-28T09:55:36.8133333+00:00

HI Pravallika KV,

HTTPS on our app-tier is enabled and dedicated SSL certificated is set in binding options in IIS. Search engine is also enabled (service running on separated server).

Please check below:
Pravallika KV 6,085 Reputation points Microsoft External Staff Moderator

2025-12-02T21:41:44.3466667+00:00

Hi Dabrowski Adam MTPL SBC,

Thanks for the details. Apologies for the delay in response.

Did you try restarting the Admin Console and check Authentication again?
Rakesh Mishra 4,880 Reputation points Microsoft External Staff Moderator

2025-12-05T12:21:18.46+00:00

Hi Dabrowski Adam MTPL SBC, following up to see if you had a chance to check previous response and if it was helpful. Please do let me know if you're still facing the issue and need any further assistance on this.

Share via

Azure DevOps on-prem - SSO

3 answers

Your answer