Problem with Entity ID on Entra ID SAML enterprise app created using graph API.

Stephen Howe 40 Reputation points
2024-01-11T16:29:31.4366667+00:00

I'm creating a SAML Enterprise app using the Graph API. The app looks OK on the Single sign-on page, but when I select to edit the SAML Basic Configuration it shows Entity ID as blank, even though it is displayed on the Single sign-on page. [Screenshot from 2024-01-11 16-27-02]

This is how I create the app registration and service principal. Any ideas on what I'm doing wrong would be appreciated:

    # Prerequisites the snippet relies on: the Microsoft.Graph.Applications module,
    # a session with Application.ReadWrite.All, and these three values
    # (the URLs below are placeholders, not values from the original post).
    Connect-MgGraph -Scopes "Application.ReadWrite.All"
    $appName  = "My SAML App"                        # display name of the app
    $replyURL = "https://signin.example.com/saml"    # placeholder ACS / reply URL
    $entityID = "https://signin.example.com/saml"    # placeholder Identifier (Entity ID)

    # 1. Application object: single-tenant, web platform with the reply URL
    $params = @{
        displayName    = $appName
        signInAudience = "AzureADMyOrg"
        web = @{
            redirectUris = @($replyURL)
        }
    }
    $app = New-MgApplication -BodyParameter $params

    # 2. Service principal (the enterprise app): SAML SSO mode, user assignment
    #    required, tagged so the portal treats it as a custom SAML integration
    $params = @{
        appId                     = $app.AppId
        appRoleAssignmentRequired = $true
        preferredSingleSignOnMode = "saml"
        tags = @("HideApp","WindowsAzureActiveDirectoryCustomSingleSignOnApplication","WindowsAzureActiveDirectoryIntegratedApp")
        replyUrls = @($replyURL)
    }
    $svcPrinc = New-MgServicePrincipal -BodyParameter $params

    # 3. The Entity ID is stored in identifierUris on the application object
    $params = @{
        identifierUris = @($entityID)
    }
    Update-MgApplication -ApplicationId $app.Id -BodyParameter $params

    # 4. Self-signed SAML token-signing certificate for the service principal
    Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $svcPrinc.Id
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

Accepted answer
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator
    2024-01-22T12:32:38.9+00:00

    Hi @Stephen Howe

    Welcome to Q&A platform and thanks for your query.

    I understand that you have created the SAML Enterprise app by using the Graph API and you have noticed that the Entity ID shows blank.

    When automating the Registration and Single Sign-On (SSO) setup for a Non-Gallery application using the Graph API, it's best to start with a Gallery application as a template. This lets you create both the Application and its associated servicePrincipal in a single action. If we do not use the template, the Application and servicePrincipal are generated in separate steps, I believe this could be the reason for the issue.

    To create a non-gallery app in Microsoft Graph using SAML-based authentication:

    • First, you need to get the ID of the application template for non-gallery apps. You can use the following GET request: GET https://graph.microsoft.com/v1.0/applicationTemplates?$filter=displayName eq 'Any_Gallery_App'. The response will contain an ID that looks like this: 8adf8e6e-67b2-4cf2-a259-e3dc5476c621.
    • You can use the above ID to instantiate your non-gallery app using the following POST request: POST https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate. The body of the request should contain the display name of your app, for example: {"displayName": "My_NonGallery_App"}. The response will contain an object of type applicationServicePrincipal, which has two properties: application and servicePrincipal. You need to copy the id of both of these objects for the next steps.
    • Next, you need to enable SAML-based authentication for your app. You can use the following PATCH request: PATCH https://graph.microsoft.com/v1.0/servicePrincipals/object_id_of_servicePrincipal. The body of the request should contain the preferred single sign-on mode, which is saml in this case: {"preferredSingleSignOnMode": "saml"}. The response will update the servicePrincipal object with the preferredSingleSignOnMode property.
    • Next, you need to set the entity ID and the reply URL for your app. You can use the following PATCH request: PATCH https://graph.microsoft.com/v1.0/applications/object_id_of_application. The body of the request should contain the web property, which has two sub-properties: redirectUris and identifierUris. The redirectUris is an array of URLs that the app will redirect to after successful authentication. The identifierUris is an array of URLs that uniquely identify the app. For example: {"web": {"redirectUris": ["https://signin.example.com/saml"]}, "identifierUris": ["https://signin.example.com/saml"]}. The response will update the application object with the web property.

    To prevent the issue, make sure to verify the Identifier (Entity ID) of the enterprise app in the Azure Portal.

    I hope this answer helps! If you have any further questions, please feel free to ask.

    Reference: Configure SAML-based single sign-on for your application using the Microsoft Graph API

    Thanks,

    Akhilesh.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
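The template-based flow from the accepted answer, carried through end to end in Microsoft Graph PowerShell as an added example (this is not code from the question, the answer or Microsoft's documentation). It instantiates the custom application template using the template ID quoted in the answer, switches the service principal to SAML, sets the Entity ID and reply URL on the application object, adds a signing certificate, and then reads the objects back to confirm that identifierUris actually holds the Entity ID instead of trusting the portal's Single sign-on summary. The module, scope, display name, URLs and variable names are assumptions; the URLs are placeholders.

```powershell
# Added example (not from the post or the answer): non-gallery SAML enterprise app
# created from the custom application template, then verified via Graph.
# Assumes Microsoft.Graph.Applications and Application.ReadWrite.All.
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$appName    = "My_NonGallery_App"                      # placeholder display name
$replyURL   = "https://signin.example.com/saml"        # placeholder ACS / reply URL
$entityID   = "https://signin.example.com/saml"        # placeholder Identifier (Entity ID)
$templateId = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"   # custom-app template ID from the answer

# 1. Instantiate the template: application and servicePrincipal are created together
$inst        = Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId $templateId -DisplayName $appName
$appObjectId = $inst.Application.Id
$spObjectId  = $inst.ServicePrincipal.Id

# 2. Instantiation is eventually consistent: wait until both objects are readable
foreach ($attempt in 1..12) {
    try {
        $null = Get-MgApplication      -ApplicationId      $appObjectId -ErrorAction Stop
        $null = Get-MgServicePrincipal -ServicePrincipalId $spObjectId  -ErrorAction Stop
        break
    } catch { Start-Sleep -Seconds 5 }
}

# 3. SAML SSO on the service principal. appRoleAssignmentRequired keeps unassigned
#    users from obtaining a SAML assertion for this app.
Update-MgServicePrincipal -ServicePrincipalId $spObjectId -BodyParameter @{
    preferredSingleSignOnMode = "saml"
    appRoleAssignmentRequired = $true
    replyUrls                 = @($replyURL)
}

# 4. Entity ID (identifierUris) and reply URL live on the application object.
#    Check the result: a rejected PATCH here leaves the Entity ID blank.
Update-MgApplication -ApplicationId $appObjectId -BodyParameter @{
    identifierUris = @($entityID)
    web            = @{ redirectUris = @($replyURL) }
}

# 5. Self-signed token-signing certificate, then make it the preferred signing key
$cert = Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $spObjectId `
            -DisplayName "CN=$appName SAML Signing" -EndDateTime (Get-Date).AddYears(2)
Update-MgServicePrincipal -ServicePrincipalId $spObjectId -BodyParameter @{
    preferredTokenSigningKeyThumbprint = $cert.Thumbprint
}

# 6. Read back exactly what the SAML Basic Configuration blade will display
$app = Get-MgApplication      -ApplicationId      $appObjectId -Property "id,appId,identifierUris,web"
$sp  = Get-MgServicePrincipal -ServicePrincipalId $spObjectId  -Property "id,preferredSingleSignOnMode,replyUrls"
if ($app.IdentifierUris -notcontains $entityID) {
    throw "Entity ID missing on application $($app.Id): identifierUris = [$($app.IdentifierUris -join ',')]"
}
if ($sp.PreferredSingleSignOnMode -ne "saml") {
    throw "Service principal $($sp.Id) is not in SAML SSO mode"
}
"OK: Entity ID $entityID, reply URLs $($sp.ReplyUrls -join ','), signing cert $($cert.Thumbprint)"
```

Two practical notes. The identifierUris update in step 4 is the one that populates the Identifier (Entity ID) field; tenants that restrict identifier URIs to verified domains can reject it, so treat the cmdlet's output as a result to check rather than assuming success. The verification in step 6 queries the objects the portal reads from, which is a more reliable check than the Single sign-on overview page mentioned in the question.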

