Using Microsoft Entra ID as a SAML Provider

The SAML protocol requires the identity provider (Microsoft identity platform) and the service provider (the application) to exchange information. When configuring Microsoft Entra ID as a SAML provider, the basic steps to set up the foreign system are the same as provided in Setting up a SAML Integration.

This procedure also applies to the use of legacy Azure AD as a SAML Provider.

Prerequisites

  • You will need access to your organization's Entra ID tenant. Refer to the Microsoft documentation if required.

  • The Microsoft identity platform performs identity and access management (IAM) only for registered applications. Registering your new custom application establishes a trust relationship between your application and the Microsoft identity platform (Entra ID).

    Refer to Register an application in Microsoft Entra ID for complete instructions for registering your custom application.

  • Verify Privilege Manager and the Verify Privilege Manager agent, version 12.0, are required.

Additional details for registering your custom application can be found in the IBM Security Support Knowledge Base.

Configuring the SAML Provider

This procedure consists of the steps for configuring Verify Privilege Manager to exchange information with the Microsoft identity platform. Where a dialog asks for a configuration parameter, a table shows the corresponding value in your Entra ID tenant.

Additional details on the identity parameters of your custom application, as they are requested in Verify Privilege Manager, can be found in the IBM Security Support Knowledge Base.

  1. Select Admin | Configuration | Foreign Systems. In the Foreign System tab, select Azure AD SAML Identity Provider. Click Create.

  2. Assign a Name for the provider and supply the Identity Provider entity id. Click Create.

    The Identity Provider entity id corresponds to the Single Sign On URL configured in your Entra ID tenant.

    Verify Privilege Manager Configuration    Entra ID Tenant
    --------------------------------------    ------------------
    Identity Provider Entity id               Single Sign On URL

  3. Enter the following parameters for your provider configuration.

    Verify Privilege Manager Configuration    Entra ID Tenant
    --------------------------------------    ---------------------------
    Issuer                                    Microsoft Entra Identifier
    Certificate                               Certificate (Base 64)
    Privilege Manager Entity ID               Identifier (Entity ID)

  4. Set Create Users Automatically to Yes. For all users approved for this provider, a user account is automatically created. Click Create.

    After the provider is created, you need to assign rights to these users.
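As an added example (not part of this procedure, and not IBM's or Microsoft's tooling), the following Python reads an Entra ID federation metadata document, where the tenant publishes the Microsoft Entra Identifier, the Single Sign On URL and the signing certificate used in steps 2 and 3, and returns those three values together with a certificate fingerprint, so the certificate pasted into Verify Privilege Manager can be checked against the tenant's Certificate (Base 64) download. The metadata, the tenant id and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: the tenant id and certificate are placeholders.
SAMPLE_CERT_DER = b"constructed-certificate-bytes"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def cert_fingerprint(cert_text: str) -> str:
    """SHA-256 of the DER bytes; accepts the bare base64 from metadata or the
    PEM body of the tenant's Certificate (Base 64) download."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def idp_values(metadata_xml: str) -> dict:
    """Map the metadata onto the fields the procedure asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    # A KeyDescriptor without a 'use' attribute may be used for signing too.
    signing = next(k for k in idp.findall("md:KeyDescriptor", NS)
                   if k.get("use", "signing") == "signing")
    cert = signing.find(".//ds:X509Certificate", NS).text
    redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    sso = next(s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
               if s.get("Binding") == redirect)
    return {
        "issuer": root.get("entityID"),         # Issuer <- Microsoft Entra Identifier
        "sso_url": sso,                         # Identity Provider entity id <- Single Sign On URL
        "cert_sha256": cert_fingerprint(cert),  # Certificate <- Certificate (Base 64)
    }


if __name__ == "__main__":
    print(idp_values(SAMPLE_METADATA))
```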