
SAML integration to Func app

Ranya Hassan (eHealth NSW) 25 Reputation points
2025-09-11T06:09:02.4066667+00:00

We have built our application using Azure Web App for the front end and a Function App for the backend. Now, we need to start using SAML for authentication.

We have already created an application in Azure Enterprise Applications, and our next step is to integrate SAML with our application. We would like to understand the exact steps required for this integration in order to allow users to authenticate using SAML.

Specifically, we need clarification on:

  • Are there any specific code changes required in the Function App to support SAML authentication?
  • Are there any defined steps or configurations we must follow in Azure to enable this integration?
  • How does the authentication flow work between the Web App, Function App, and Azure Enterprise Application when using SAML?
Azure Functions

An Azure service that provides an event-driven serverless compute platform.


Answer accepted by question author

Anurag Rohikar 3,190 Reputation points Microsoft External Staff Moderator
2025-09-12T09:30:47.2633333+00:00

Hello Ranya Hassan (eHealth NSW),

Thanks for sharing those details; this really helps clarify your setup. Based on your answers:

  • Since users only communicate through the frontend Web App, the recommended approach is to enable SAML authentication on the Web App using Azure App Service Authentication (Easy Auth). This way, Azure handles the SAML handshake and token exchange, and your Web App receives a validated JWT.
  • Your Function App can then rely on the frontend to pass the JWT in the Authorization header for all API calls. This avoids duplicating authentication logic in Python and keeps your backend lightweight.
  • For added security, you can also enable App Service Authentication on the Function App, so Azure validates incoming tokens before your Python code executes. That way, you don’t need to manually handle SAML or JWT parsing inside the Function App.
  • No significant code changes are needed in the Function App if you use Easy Auth; just ensure the frontend forwards the token and that CORS is configured.

Documentation & References:

Hope this helps clarify the steps and flow! Please let us know how it goes or if you need more detailed guidance on any step. Thank you!

  1. Alex Burlachenko 22,120 Reputation points MVP Volunteer Moderator
    2025-09-11T07:13:40.2166667+00:00

    hi Ranya! great question, and it's awesome u are getting this set up for your team ))

    so, the first thing to know is that your function app doesn't really handle the saml dance itself. that's actually good news! it means u probably don't need to write a ton of new code for the backend. the frontend web app is gonna be the star of the show here for initiating login.

    think of it like this: your web app becomes the place where users start. u will configure it to use your enterprise app for saml authentication. https://learn.microsoft.com/azure/app-service/configure-authentication-provider-aad

    when a user hits the web app, it redirects them to microsoft to sign in. after they do, the web app gets a token. now, when the web app calls your function app, it can send that token along in the authorization header.

    that's where the function app comes in. its job is to validate that token. u can make this super easy by turning on the built-in authentication for the function app too. just point it at the same enterprise app! this way, azure can handle the token validation for u automatically. https://learn.microsoft.com/azure/app-service/configure-authentication-provider-aad

    no heavy code changes needed, just some configuration magic.

    but if u need to handle the token manually for some reason, then yes, u'd have to write code to validate the saml response. that's a bit more advanced, and u can use libraries for that. but honestly, try the easy way first ))

    as well check this, the flow is pretty straightforward. user goes to web app. web app redirects to entra id. user signs in. entra id posts a token back to the web app's callback url. your web app now has a session. then, when calling the function app, it sends the token. the function app checks with entra id to make sure it's legit.

    worth looking into the exact claims u need in that token. u might wanna configure your enterprise app to send specific roles or groups in the token so your function app can make authorization decisions.

    this might help in other tools too, understanding how tokens are passed around.

    hope this clears up the steps for u! it's mostly about configuration in the azure portals for both apps.

    Best regards,

    Alex

    and "yes" if you would follow me at Q&A - personally thx.
    P.S. If my answer helps you, please Accept my answer
    

    https://ctrlaltdel.blog/
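
Both answers leave token validation to App Service Authentication on the Function App, and the second suggests sending roles so the backend can make authorization decisions. The sketch below is an added example, not code from either answer or from Microsoft: it assumes App Service Authentication is enabled on the Function App, so the platform supplies the `X-MS-CLIENT-PRINCIPAL` header (base64-encoded JSON of the validated claims), and that app roles arrive under the claim types listed. The helper names, the role `Records.Read` and the sample principal are constructed for illustration.

```python
import base64
import json

# Assumption: claim types under which Entra ID app roles usually arrive.
ROLE_CLAIM_TYPES = {
    "roles",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}


def parse_client_principal(header_value):
    """Decode X-MS-CLIENT-PRINCIPAL into a dict, or None if absent or malformed."""
    if not header_value:
        return None
    try:
        principal = json.loads(base64.b64decode(header_value, validate=True))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    if not isinstance(principal, dict) or not isinstance(principal.get("claims"), list):
        return None
    return principal


def roles_of(principal):
    """Collect role values, honouring the principal's own role_typ if it names one."""
    role_typ = principal.get("role_typ")
    role_types = ROLE_CLAIM_TYPES | ({role_typ} if isinstance(role_typ, str) else set())
    return {c["val"] for c in principal["claims"]
            if isinstance(c, dict) and c.get("typ") in role_types
            and isinstance(c.get("val"), str)}


def authorize(headers, required_role):
    """Fail closed: 401 without a usable principal, 403 without the required role."""
    lowered = {k.lower(): v for k, v in headers.items()}
    principal = parse_client_principal(lowered.get("x-ms-client-principal"))
    if principal is None:
        return 401, "no authenticated principal"
    if required_role not in roles_of(principal):
        return 403, "missing role " + required_role
    return 200, "ok"


# Constructed sample of what the platform would place in the header.
SAMPLE_HEADER = base64.b64encode(json.dumps({
    "auth_typ": "aad", "name_typ": "name", "role_typ": "roles",
    "claims": [{"typ": "name", "val": "user@example.com"},
               {"typ": "roles", "val": "Records.Read"}],
}).encode()).decode()
```

In a Python function, `authorize(req.headers, "Records.Read")` would run at the top of the handler. The header carries no signature of its own, so the check is only meaningful when callers cannot reach the Function App without passing through App Service Authentication.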
