Introduction
This guide will walk you through configuring HelloID and Microsoft Azure for SAML single sign-on. To federate Microsoft Azure with HelloID, a custom domain is required. The default domain *.onmicrosoft.com cannot be used for federation. To add a domain in Microsoft Azure, go to the Admin Center > Settings > Domains.
Backup Account
Before proceeding with the federation, make sure there is a backup admin account that is not a member of the domain which you want to federate. The following screenshot provides an example of these two types of accounts.
- that is going to be federated.
- Backupadmin: Member of the *.onmicrosoft.com domain, the default domain.
Create a Service Provider Application for Microsoft Azure in HelloID
- Log in as Administrator in the HelloID Portal and press Manage portal. Go to Settings > Certificates and press Create Self-Signed Certificate to create a certificate for Microsoft Azure. See How to use certificates for more information about creating and using certificates.
- Go to Applications > Applications and press Open application catalog.
- Search for the Microsoft Azure SAML application template and press Add.
- The Default settings do not need to be changed. Press Next to continue.
- Select the certificate you created at the start of this guide and press Next.
- In the Credential tab, select Credentials are configured by admin. Change the Username value to be User's AD UPN and the Email value to be User's contact email. Click Next to continue.
- In the self service tab, click Next to go to the next step.
- Click Save to complete the setup.
- Press Edit to edit the newly created Microsoft Azure application.
- Press Download metadata. A file with all needed information for Microsoft Azure will be created and downloaded.
Federate Microsoft Azure with HelloID
- Download the Windows Azure Active Directory Module for Windows PowerShell: https://technet.microsoft.com/library/dn975125.aspx
- Run the Windows Azure Active Directory Module for Windows PowerShell as Administrator.
- To begin connecting to Microsoft Azure, enter the following command:
$cred=Get-Credential
A popup will appear asking for credentials. Enter the credentials of the backup admin account and press OK. (The credentials are now available through the variable $cred.)
- To establish a connection with Microsoft Azure, enter:
Connect-MsolService -Credential $cred
- Check if the domain is managed by Microsoft Azure. If the domain is already federated it needs to be reverted to managed. This can be checked with the command:
Get-MsolDomain
To revert a domain's Federation state to "Managed" use the following command:
Set-MSOLDomainAuthentication -Authentication Managed -DomainName <federated domain name>
- Open the downloaded metadata file and make note of the following settings. Enter the information in Notepad so that the settings can be copied and pasted in PowerShell.
$dom = Your Microsoft Azure domain
$url = Post-Endpoint URL (2)
$uri = Entity ID (1)
$logouturl = Entity ID with /Authentication/Signoff e.g. https://*.helloid.com/Authentication/Signoff
$cert = Copy paste the certificate (3)
- Paste the information in PowerShell and press Enter. This will create the PowerShell variables necessary for the command in the next step.
- To create the federation with the configured strings enter the command:
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
- To check if all settings have been configured correctly, use the command:
Get-MsolDomainFederationSettings -DomainName $dom
- Go to: https://login.microsoftonline.com and enter a user in the federated domain. The authentication request will be routed to HelloID.
- The user will be logged in to Microsoft Azure portal.
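The step above that copies the Entity ID, Post-Endpoint URL and certificate out of the metadata file by hand can also be done in PowerShell, which avoids paste errors in the signing certificate and lets you inspect that certificate before the domain is federated. This is an added example, not part of the original guide or of HelloID's tooling; it assumes the downloaded file is standard SAML 2.0 IdP metadata, and the function name Get-HelloIdFederationValues and the file path are hypothetical.

```powershell
# Added example, not HelloID's or Microsoft's own script. Assumes standard SAML 2.0 IdP metadata.
# Get-HelloIdFederationValues is a hypothetical helper name.
function Get-HelloIdFederationValues {
    param([Parameter(Mandatory = $true)][string]$Path)

    $xml = New-Object System.Xml.XmlDocument
    $xml.XmlResolver = $null    # do not fetch external DTDs or entities while parsing
    $xml.Load((Resolve-Path -LiteralPath $Path).ProviderPath)

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $idp    = '//md:EntityDescriptor/md:IDPSSODescriptor'
    $entity = $xml.SelectSingleNode('//md:EntityDescriptor', $ns)
    $sso    = $xml.SelectSingleNode("$idp/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", $ns)
    $key    = $xml.SelectSingleNode("$idp/md:KeyDescriptor[not(@use) or @use='signing']//ds:X509Certificate", $ns)
    if (-not $entity -or -not $sso -or -not $key) {
        throw 'Metadata is missing the entity ID, the HTTP-POST endpoint or the signing certificate.'
    }

    $uri       = $entity.GetAttribute('entityID')            # (1) Entity ID
    $url       = $sso.GetAttribute('Location')               # (2) Post-Endpoint URL
    $cert      = $key.InnerText -replace '\s', ''            # (3) certificate as single-line base64
    $logouturl = $uri.TrimEnd('/') + '/Authentication/Signoff'
    if ($url -notmatch '^https://' -or $logouturl -notmatch '^https://') {
        throw "Refusing non-HTTPS endpoint: $url / $logouturl"
    }

    # Parse the certificate so a truncated or expired value is caught before federating.
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [byte[]][Convert]::FromBase64String($cert))
    if ($x509.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($x509.NotAfter)." }

    [pscustomobject]@{
        uri        = $uri
        url        = $url
        logouturl  = $logouturl
        cert       = $cert
        Thumbprint = $x509.Thumbprint
        NotAfter   = $x509.NotAfter
    }
}

$v = Get-HelloIdFederationValues -Path 'C:\Temp\helloid-metadata.xml'   # placeholder path
$url, $uri, $logouturl, $cert = $v.url, $v.uri, $v.logouturl, $v.cert
$v | Format-List uri, url, logouturl, Thumbprint, NotAfter
```

$dom still has to be set by hand to the custom domain. Check the printed thumbprint and expiry date against the certificate created in HelloID before running Set-MsolDomainAuthentication.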