SAML App Registration in EntraID
Last updated
Last updated
This page describes how to create an App Registration in Microsoft Entra ID to be used as a SAML Identity Provider in WEM.
Microsoft does make changes to their approaches, so we can not guarantee that what we describe here will remain exactly the same. But it should help...
Go to https://entra.microsoft.com/ (you need to have admin permissions).
In the sidebar menu, find the Applications and within that option, go to Enterprise Applications.
Click on New Application.
Click on Create your own application.
Add a name, select "Integrate any other application you don't find in the gallery (Non-gallery)" and click Create.
Wait until the app is created.
In the Enterprise Application, you assign users and groups that are allowed to login using this specific Application (SSO in your WEM portal). Depending on your Active Directory / Entra ID Plan, you can only use specific users (the basic plans). To assign groups, you need the more expensive plans (and users with appropriate licenses). The Business Standard license plan allows you to add users only.
So, select users (and groups if possible) and click the Assign button at the bottom, so when you return to the overview of Users and Groups, you see the users and groups.
Back on the overview, click 2. Set up Single Sign On and select the SAML option.
At 1. Basic Saml Configuration, click edit. Here you need to enter the Identifier (Entity ID) to identify your application to Entra ID, and this will also be part of the settings in WEM. Microsoft Entra ID supports the urn:// structure as in the example, and we offten use a guid with a domain - for example, you can use the Application ID from the overview and add your domain:
urn://{Application-Id}.wem.io
The second required item is the Reply URL. This will hold the URL(s) from your WEM portal that will receive the authentication token.
To be able to correctly fill this Reply URL, you should already have created the SAML provider element in your WEM Project - or you can enter the values here now and make sure that you use the same name in WEM - the Reply Url for any WEM portal is in the following format:
https://{portal-hostname}/auth/saml/{saml-name you set in WEM}
You should already have a staging hostname and perhaps a live hostname. You can enter both in the same App Registration here, so both staging and live portals use the same App Registration and thus cater for the same set of users/groups. If you want to have different sets of users/groups for staging and for live, you must create 2 different App Registrations!
Hit the save button and close the panel.
In this part, Attributes and Claims, you provide the fields that hold the values for a specific Identity that will be provided to your WEM application. By default you have the Unique User Identifier (usually the user principal name), email address and name-attributes. Here you can add other fields as well or change the existing claims to use other fields from the Identity.
This is where you make the settings for the Token Signing and Verification Certificates. You do not need to change anything here.
The default setting for Verification is not required - if this is changed, you also need to change the corresponding setting in your WEM SAML settings.
The important part in this section, is the App Federation Metadata Url. It looks something like
https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={app-id}
You should copy this url, because with this url you can quickly set up the SAML element in your WEM Project, AND this url is required for the option to "Fetch certificates at Runtime" - which is a necessary option when using Microsoft Entra ID or Azure AD!
In this part, you will see the Login Url, Microsoft Entra Identifier and Logout Url that you can use in your SAML Element settings - BUT, if you use the App Federation Metadata Url to setup your SAML element, that will automatically set these items correctly.
This should provide all you need to know to set up the SAML within Microsoft Entry ID, or at least provide insight into the necessary actions and settings.