Microsoft Entra ID (Azure Active Directory) SAML

Here are the steps to set up SAML 2.0 SSO with Microsoft Entra ID:

Log in to portal.azure.com.

Go to Microsoft Entra ID.

Create a new Enterprise Application.

Create your own custom application.

Give a name, choose Integrate any other application, and click Create.

You will be on the Overview page. Copy the Application (client) ID now; you will need it for APPLICATION_ID in a few minutes.

Then click the Get started link in Set up single sign on.

Edit the Basic SAML Configuration.

Fill in the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL). Both must match the SSO configuration file exactly: the identifier is the serviceProviderEntityId (spn:APPLICATION_ID in the example below) and the reply URL is the callback URL (https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/callback). Entra rejects a sign-in whose reply URL is not registered for the application.


Download the signing certificate (the Base64 download under SAML Signing Certificate) and import it into a Java keystore. The keystore is referenced from the SSO configuration (saml2Config.keystorePath in the fdsso.config example below).

Do not place the keystore under apache-tomcat-flexdeploy; that folder is cleaned up on FlexDeploy upgrades.

You can import it into the same keystore that was created as part of the HTTPS configuration. If you did not create one then, create a keystore now. If you are a SaaS customer, contact support to update your certificate.

Entra rotates its SAML signing certificate (the portal shows the expiry date). When that happens, download the new certificate and import it again; keytool refuses to import over an existing alias, so delete the old azad entry first (keytool -delete).

# Create a keystore holding FlexDeploy's own key pair (only if you do not already have one).
# keytool prompts for the keystore password and then for a key password for the alias;
# that key password is the PRIVATE_KEY_PASSWORD used in the SSO configuration.
/u01/java/jdk8/bin/keytool -genkeypair -alias mykeystorealias -keyalg RSA -keystore /home/oracle/flexdeploy.keystore

# Import the downloaded Entra signing certificate as a trusted certificate entry.
# (-genkey and -import are the older spellings of -genkeypair and -importcert; both still work.)
/u01/java/jdk8/bin/keytool -importcert -alias azad -file /var/tmp/azad.cert -keystore /home/oracle/flexdeploy.keystore


Also copy the App Federation Metadata Url. You will need it for the METADATA_URL value in the SSO configuration file (fdsso.config).


In the configuration file below, replace the capitalized placeholders with values for your environment:

  • FLEXDEPLOY_HOME - Directory on the server where FlexDeploy is installed.

  • KEYSTORE_PASSWORD - The password of the Java keystore you created or reused above.

  • PRIVATE_KEY_PASSWORD - The password of the private key entry in that keystore (the mykeystorealias key pair above). keytool asks for it when the key pair is generated, and it may differ from the keystore password. The imported Entra certificate is a trusted-certificate entry and has no private key password of its own.

  • METADATA_URL - The App Federation Metadata Url (e.g. https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>). The appid in this URL is the same value as APPLICATION_ID.

  • FLEXDEPLOY_HOST - FlexDeploy application host.

  • FLEXDEPLOY_PORT - FlexDeploy application port.

  • APPLICATION_ID - The Application (client) ID of the Enterprise Application; copy it from the Overview page in the Azure portal.

The users who will log in to FlexDeploy, or groups containing them, must be assigned to the Enterprise Application (Users and groups). Otherwise Entra refuses the sign-in with an error before any assertion is issued. This is governed by the application's "Assignment required?" property (Properties blade); leaving it enabled is also what keeps unassigned users in the tenant from reaching FlexDeploy through SSO.

Example fdsso.config file for Azure Active Directory

Change log

  • FlexDeploy 6.0.0.0 - The values for excludedPathMatcher.excludedPath and logout.defaultUrl have changed.

Store the SSO configuration file in the flexdeploy folder, not in apache-tomcat-flexdeploy; otherwise the installer will remove it on upgrade. The file contains the keystore and private key passwords in clear text, so restrict its permissions to the account that runs FlexDeploy.

# SAML client configuration (pac4j). Replace the capitalized placeholders as described above.
callbackFilter.defaultUrl = /flexdeploy

saml2Config = org.pac4j.saml.config.SAML2Configuration
# Path of the keystore holding FlexDeploy's key pair and the imported Entra certificate
# (for example /home/oracle/flexdeploy.keystore from the keytool steps above).
saml2Config.keystorePath =
saml2Config.keystorePassword = KEYSTORE_PASSWORD
saml2Config.privateKeyPassword = PRIVATE_KEY_PASSWORD
saml2Config.identityProviderMetadataPath = METADATA_URL
# Seconds. Adjust this based on your maximum session lifespan in Microsoft settings. If too short,
# you will get the error: Authentication issue instant is too old or in the future.
# Keep it no larger than the sign-in lifetime Entra enforces; raising it only to silence the
# error means much older IdP authentications are accepted.
saml2Config.maximumAuthenticationLifetime = 76000
# Must equal the Identifier (Entity ID) registered in Basic SAML Configuration.
saml2Config.serviceProviderEntityId = spn:APPLICATION_ID
saml2Config.serviceProviderMetadataPath = FLEXDEPLOY_HOME/sso/FlexDeployMetadata.xml

saml2Client = org.pac4j.saml.client.SAML2Client
saml2Client.configuration = $saml2Config
# Must equal the Reply URL registered in Basic SAML Configuration.
clients.callbackUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/callback
clients.clients = $saml2Client

isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /next/#/login
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher

ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = SAML2Client
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin

# Logout ends only the FlexDeploy session (centralLogout = false): the Entra session survives,
# so the next visit signs in again silently. Use a full browser sign-out from Entra when that matters.
logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = false
logout.defaultUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/next/#/home
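As an added check once the file is written (example code, not FlexDeploy's or pac4j's own), the following script parses an fdsso.config, takes the appid from the federation metadata URL and confirms serviceProviderEntityId is spn:<that id>, flags placeholders that were never replaced, an empty keystore setting, a non-https callback URL and an out-of-range maximumAuthenticationLifetime, and compares the SHA256 fingerprint that keytool -list -v prints for the imported alias with the signing certificates published in the federation metadata. The sample config, metadata, keytool output and "certificate" bytes are constructed for the example, and the 24 hour MAX_LIFETIME ceiling is an assumption to be aligned with your Entra session policy.

```python
"""Offline sanity checks for fdsso.config against Entra federation metadata.
Added example, not FlexDeploy's or pac4j's code; standard library only. The
sample config, metadata and keytool output at the bottom are constructed, and
the "certificate" is arbitrary bytes standing in for the real DER blob."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
PLACEHOLDERS = ("KEYSTORE_PASSWORD", "PRIVATE_KEY_PASSWORD", "METADATA_URL",
                "APPLICATION_ID", "FLEXDEPLOY_HOST", "FLEXDEPLOY_PORT", "FLEXDEPLOY_HOME")
MAX_LIFETIME = 24 * 3600  # assumed ceiling; align with the sign-in lifetime Entra enforces


def parse_sso_config(text):
    """Parse 'key = value' lines; lines starting with '#' are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                cfg[key.strip()] = value.strip()
    return cfg


def signing_cert_fingerprints(metadata_xml):
    """SHA-256 (uppercase hex, no colons) of each IdP signing cert in the metadata."""
    fps = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' serves both
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.append(hashlib.sha256(der).hexdigest().upper())
    return fps


def keytool_sha256(list_output):
    """Extract the SHA256 fingerprint line from `keytool -list -v` output."""
    for line in list_output.splitlines():
        line = line.strip()
        if line.startswith("SHA256:"):
            return line.split(":", 1)[1].replace(":", "").strip().upper()
    raise ValueError("no SHA256 fingerprint line in keytool output")


def check_config(cfg, metadata_xml, keystore_sha256):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, value in sorted(cfg.items()):
        if any(p in value for p in PLACEHOLDERS):
            findings.append(f"{key} still contains a placeholder")
    for key in ("saml2Config.keystorePath", "saml2Config.keystorePassword", "saml2Config.privateKeyPassword"):
        if not cfg.get(key):
            findings.append(f"{key} is empty")
    meta_url = cfg.get("saml2Config.identityProviderMetadataPath", "")
    app_id = parse_qs(urlparse(meta_url).query).get("appid", [""])[0]
    sp_entity = cfg.get("saml2Config.serviceProviderEntityId", "")
    if not app_id:
        findings.append("metadata URL has no appid= parameter; use the App Federation Metadata Url")
    elif sp_entity != f"spn:{app_id}":
        findings.append(f"serviceProviderEntityId {sp_entity!r} does not match spn:{app_id}")
    if urlparse(cfg.get("clients.callbackUrl", "")).scheme != "https":
        findings.append("clients.callbackUrl is not https; the Reply URL in Entra must match it exactly")
    lifetime = cfg.get("saml2Config.maximumAuthenticationLifetime", "0")
    if not lifetime.isdigit() or not 0 < int(lifetime) <= MAX_LIFETIME:
        findings.append(f"maximumAuthenticationLifetime {lifetime} is not within 1..{MAX_LIFETIME} seconds")
    if keystore_sha256 not in signing_cert_fingerprints(metadata_xml):
        findings.append("keystore cert is not a current IdP signing cert; re-download from Entra and re-import")
    return findings


# --- constructed sample inputs (not real Entra data) -------------------------
FAKE_CERT_DER = b"constructed bytes standing in for the Entra signing certificate"
_fp = hashlib.sha256(FAKE_CERT_DER).hexdigest().upper()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""
SAMPLE_KEYTOOL = ("Alias name: azad\nEntry type: trustedCertEntry\nCertificate fingerprints:\n"
                  "\t SHA256: " + ":".join(_fp[i:i + 2] for i in range(0, 64, 2)) + "\n")
SAMPLE_CONFIG = """
saml2Config.keystorePath = /home/oracle/flexdeploy.keystore
saml2Config.keystorePassword = example-keystore-pw
saml2Config.privateKeyPassword = example-key-pw
saml2Config.identityProviderMetadataPath = https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/federationmetadata/2007-06/federationmetadata.xml?appid=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
# seconds that an AuthnInstant may lie in the past
saml2Config.maximumAuthenticationLifetime = 76000
saml2Config.serviceProviderEntityId = spn:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
clients.callbackUrl = https://flexdeploy.example.com:8443/flexdeploy/callback
logout.defaultUrl = https://flexdeploy.example.com:8443/flexdeploy/next/#/home
"""
# Same file with two common mistakes: a placeholder left in and an http callback URL.
BAD_CONFIG = (SAMPLE_CONFIG.replace("example-key-pw", "PRIVATE_KEY_PASSWORD")
              .replace("https://flexdeploy", "http://flexdeploy", 1))

if __name__ == "__main__":
    fp = keytool_sha256(SAMPLE_KEYTOOL)
    for name, text in (("good", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_config(parse_sso_config(text), SAMPLE_METADATA, fp) or ["ok"])
```

To run it against a real deployment, pass the text of your fdsso.config, the XML fetched from the App Federation Metadata Url and the output of keytool -list -v -keystore <keystore> -alias azad to the same three functions; a fingerprint mismatch after an Entra certificate rotation is the finding you should expect to see first.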
