Configure SSO for Azure AD Application

Sergio Peral 1 Reputation point
2020-04-29T12:24:45.867+00:00

Hello all,
I hope you're staying healthy and safe.

I'm having an issue trying to configure Azure AD SSO for an application. My Service Provider application is not able to authenticate itself because the roles claim configured in Azure AD SSO is not included in the SAML response. I'm following this guide to configure it: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management, but I'm not having success.

These are my configured claims:
https://gyazo.com/f262f7fa23c23ed2adc6a4ffc9e608c0

And these are the claims that come in the SAML response:
https://gyazo.com/120b6156a0287566c9d34cf7f726ae81

I'm also having trouble configuring permissions here: https://developer.microsoft.com/graph/graph-explorer. It seems like the changes I make are not staying.

When I go to the Application Users and groups, the only user is me, with the role User. I don't know if it's possible to make myself an administrator; it doesn't appear in the list of possible roles, only User, and it's a personal account, so I'm actually the administrator.

Hoping that someone is able to help a little bit. Thank you very much in advance.

Best regards,
Sergio.


6 answers

  1. AmanpreetSingh-MSFT 56,506 Reputation points
    2020-04-29T15:48:43.083+00:00

    @Sergio Peral You need to define the App Roles in the Application Manifest. If no role is defined in the app manifest, you get only the User role, which is greyed out. You can add the parameters below to the app manifest to add a "Writer" role, for example. You can specify any role name using the parameters below, as per the application requirement.

    7777-capture.jpg

    Once this is done, you can assign the new roles to users while adding them under "Users and groups" in the application or by editing already added users.

    For more details please refer to How to: Add app roles in your application and receive them in the token

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


  2. Sergio Peral 1 Reputation point
    2020-04-29T20:17:33.817+00:00

    Thank you very much, with your help I was able to include the Roles claim in my SAML response:

         <Attribute Name="Roles">
            <AttributeValue>Test</AttributeValue>
         </Attribute>
    

    Unfortunately my main issue persists, even though I thought this was the cause of the problem. My issue is exactly this one: https://github.com/opendistro-for-elasticsearch/security/issues/430 (I didn't create it).

    I don't know if you or some of your colleagues are familiar with integrating Elasticsearch + Kibana with Azure AD to implement SSO, but if someone could provide some help with this it would be so great.

    Thank you very much for your help so far.
    Best regards,
    Sergio.
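As an added example (not code from this thread, and not Microsoft's own tooling), the script below checks an appRoles manifest fragment of the kind the answer above describes, then confirms that the role value actually appears in a SAML assertion under the `Roles` attribute name shown in the reply. The role GUIDs, the `Writer` and `Test` roles, the sample assertion and the function names `validate_app_roles`, `saml_roles` and `roles_match` are all constructed for this example.

```python
"""Added example: validate an Azure AD appRoles fragment and check that the
role reaches the SAML assertion. Not part of the original Q&A thread.

Assumptions: the role claim is emitted under the attribute name "Roles"
(as in the reply above); GUIDs and the SAML snippet are constructed.
"""
from __future__ import annotations

import json
import uuid
import xml.etree.ElementTree as ET

# Manifest fragment in the shape Azure AD expects for "appRoles".
# The ids are constructed GUIDs: each must be a valid GUID and unique
# within the application, or the manifest is rejected on save.
APP_ROLES_JSON = """
[
  {
    "allowedMemberTypes": ["User"],
    "description": "Writers can create and edit content",
    "displayName": "Writer",
    "id": "d1c2b3a4-1111-4222-8333-444455556666",
    "isEnabled": true,
    "value": "Writer"
  },
  {
    "allowedMemberTypes": ["User"],
    "description": "Default access",
    "displayName": "Test",
    "id": "a9b8c7d6-2222-4333-8444-555566667777",
    "isEnabled": true,
    "value": "Test"
  }
]
"""

REQUIRED_KEYS = ("allowedMemberTypes", "displayName", "id", "isEnabled", "value")


def validate_app_roles(manifest_json: str) -> list[str]:
    """Return a list of problems; an empty list means the fragment is usable."""
    problems: list[str] = []
    seen_ids: set[str] = set()
    seen_values: set[str] = set()
    for role in json.loads(manifest_json):
        name = role.get("displayName", "?")
        for key in REQUIRED_KEYS:
            if key not in role:
                problems.append(f"role {name}: missing {key}")
        # The id must parse as a GUID (the poster's "wrong id" failure mode).
        try:
            rid = str(uuid.UUID(str(role.get("id", ""))))
        except (ValueError, TypeError, AttributeError):
            problems.append(f"role {name}: id is not a GUID")
            continue
        if rid in seen_ids:
            problems.append(f"role {name}: duplicate id {rid}")
        seen_ids.add(rid)
        value = role.get("value")
        if value in seen_values:
            problems.append(f"role {name}: duplicate value {value}")
        seen_values.add(value)
        # A role without "User" in allowedMemberTypes cannot be assigned to users.
        if "User" not in role.get("allowedMemberTypes", []):
            problems.append(f"role {name}: 'User' missing from allowedMemberTypes")
    return problems


SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed attribute statement, modelled on the "Roles" attribute shown
# in the reply above. A real SP must verify the Response signature before
# trusting anything in here; this example only inspects the attribute.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Roles">
      <saml:AttributeValue>Test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def saml_roles(assertion_xml: str, claim_name: str = "Roles") -> list[str]:
    """Extract the values of the role attribute from a SAML assertion."""
    root = ET.fromstring(assertion_xml)
    values: list[str] = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == claim_name:
            values.extend(v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS))
    return values


def roles_match(manifest_json: str, assertion_xml: str, claim_name: str = "Roles") -> bool:
    """True when the token carries at least one role and every role is a defined, enabled app role."""
    defined = {r["value"] for r in json.loads(manifest_json) if r.get("isEnabled")}
    got = saml_roles(assertion_xml, claim_name)
    return bool(got) and all(v in defined for v in got)


if __name__ == "__main__":
    print("manifest problems:", validate_app_roles(APP_ROLES_JSON))
    print("roles in assertion:", saml_roles(SAML_ASSERTION))
    print("roles match manifest:", roles_match(APP_ROLES_JSON, SAML_ASSERTION))
```

If the claim was not renamed in the SSO configuration, Azure AD emits app roles under `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` rather than `Roles`, so pass that URI as `claim_name`; an empty list from `saml_roles` usually means a claim-name mismatch, an unassigned user, or a role that is defined but not enabled.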


  3. Sergio Peral 1 Reputation point
    2020-04-30T20:16:38.81+00:00

    Hi @AmanpreetSingh-MSFT , thanks for answering.

    I managed to solve that error; I had the wrong ID in the application manifest.
    Now I am having this error:

    7824-test.png

    But I have a role in the application:
    7795-test2.png

    So I will keep investigating. Please let me know how I could proceed.

    Thank you very much.

    Regards.


  4. AmanpreetSingh-MSFT 56,506 Reputation points
    2020-05-04T05:35:50.17+00:00

    @Sergio Peral Since the user is assigned, you should not get this error. Could you please try removing the user and assigning it again? If that doesn't help, please try creating a new user under Azure Active Directory > Users and test with that account.


  5. Sergio Peral 1 Reputation point
    2020-05-04T19:11:25.183+00:00

    Hey Aman,
    Thanks for your great help. After re-assigning myself to the role, it was detected successfully. Unfortunately, my application still doesn't get authenticated successfully...

    Let me please ask you one last thing... When I go to the Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer#), I select beta and run this query: https://graph.microsoft.com/beta/servicePrincipals. But the response is kind of empty:

    7826-test.png

    Shouldn't it respond with the details of the application I created, at least? (it should, according to this article https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management)