- 15 Nov 2023
- 2 Minutes to read
Configuring AzureAD as RapidIdentity Trusted IDP
- Updated on 15 Nov 2023
- 2 Minutes to read
You can configure AzureAD as RapidIdentity Trusted IDP. This will allow you to utilize your AzureAD password as an Authentication Method in Authentication Policies.
Login to your Azure portal at https://portal.azure.com
At the top, search for and then click on Azure Active Directory.
In the left pane, click on Enterprise applications
Click New Application
Click Create your own application
App Name: RapidIdentity
Leave the “Integrate any other application you don’t find in the gallery (Non-gallery) checked.
On the Overview page of your new RapidIdentity Enterprise application, click on Assign users and groups to only apply this configuration to your test user(s).
Back on the Overview page, click on 2. Set up single sign on
In Azure, click Upload metadata file and upload the RapidIdentity SP metadata
This will populate the Basic SAML Configuration box with the RapidIdentity Entity ID and ACS URL
In the User Attributes & Claims, you can leave the defaults.
Download the certificate in Base64 format, then copy the Login URL, and the Azure AD Identifier from the places below. You will need to plug these into RapidIdentity in the next steps:
From RapidIdentity, browse to Configuration > General > Settings
On the CORS page, set https://login.microsoftonline.com as an Allowed Origin
Browse to Configuration > Security > Identity Providers > Trusted IDPs and click on Add Trusted Identity Provider.
Plugin the Azure EntityID, Login URL, and Certificate into the boxes below:
The value for Signing Certificate can be retrieved by opening the Azure certificate in Notepad or from the Azure Metadata XML. It will be enclosed in <X509Certificate></X509Certificate> tags in the Metadata file.
On the attribute mappings, create mappings for user.givenname, user.surname, user.mail, and user.userprincipalname
Browse to Configuration > Policies > Authentication to create an authentication policy to force your test user to use the Trusted IDP configuration.
Utilizing AzureAD Login Hints
To pass the user’s email address from RapidIdentity to the Office 365 login page automatically, follow this article Trusted IDP Query Parameter Support
You should now be ready to test logging in with your test account. If you receive a page that only hasthe “Start Over” button, that means that either your attribute mappings are incorrect or the Signing Certificate you are using in RI’s Trusted IDP config is incorrect.
For attribute mappings, try changing the nameID from user.userprincipalname to user.mail in your Azure Enterprise application configuration.
For the Signing Certificate, you can get the correct format for the certificate from the Azure Metadata XML file which is enclosed in the <X509Certificate></X509Certificate> tags.