Azure (AD) SSO Login with UniFed IDP
Step 1:
Login & Navigate to the specific tenant where the application needs to be added.
Step 2:
Click "Add Application". A pop-up will appear, prompting you to select the sign-in method.
Step 3:
Provide an application name.
- Set Name ID as mandatory, specifying "Federation ID" (required for Azure).
- Optionally, add a description for the application.
Step 4:
Add Service Provider (SP) Metadata. There are three options for adding metadata to configure the Service Provider application with UniFed (acting as the Identity Provider - IDP):
- Upload Metadata File: Upload a metadata file to automatically retrieve the Entity ID of the IDP application.
- Use Metadata Link: Enter the Service Provider's metadata link and click Verify to fetch the Entity ID.
- Custom Data Entry: Manually enter the Entity ID along with other required fields and click Fetch.
Map UniFed attributes with the Service Provider application’s attributes as needed.
Step 5:
Attribute mapping & Authentication Method setup
- Map the UniFed attribute (Federation ID in the schema) to the corresponding Application Attribute (ImmutableId).
- In the authentication setup, select Email + OTP as the primary authentication method to enable login.
Step 6:
Save and Configure IDP Metadata
- After entering all required details, click Save.
- Complete the setup by configuring UniFed’s IDP metadata with the Service Provider application.
Step 7:
Click on Edit in the application, and the Metadata file will be available. Download it for further use in the application configuration.
Step 8:
Application Configuration - Azure
Log in to the Azure portal.
Navigate to the Cloud Shell option.
Step 9:
Click on the Cloud Shell option and enter the following command to connect to Microsoft Graph (MgGraph):
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
Step 10:
After connecting, click on Manage files > Upload.
Step 11:
- Upload the Metadata file that was downloaded from UniFed.
- Save the following configuration script as a .ps1 file:
# Allow locally saved scripts to run and make the Graph module available
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph

# Domain to federate and the UniFed IDP metadata uploaded in the previous step
$domainId = "{your domain.com}"
$xml = [Xml](Get-Content {Upload File name downloaded from UniFed}.xml)

# Pull the signing certificate, issuer and HTTP-Redirect sign-in endpoint out of the metadata
$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
$issuerUri = $xml.EntityDescriptor.entityID
$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$signoutUri = "{Signout URL downloaded from UniFed Metadata File}"
$displayName = "Name to Display"

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

# Federation settings: SAML protocol, MFA performed at UniFed is accepted by Azure
$domainAuthParams = @{
    DomainId                        = $domainId
    IssuerUri                       = $issuerUri
    DisplayName                     = $displayName
    ActiveSignInUri                 = $signinUri
    PassiveSignInUri                = $signinUri
    SignOutUri                      = $signoutUri
    SigningCertificate              = $cert
    PreferredAuthenticationProtocol = "saml"
    FederatedIdpMfaBehavior         = "acceptIfMfaDoneByFederatedIdp"
}
New-MgDomainFederationConfiguration @domainAuthParams
Step 12: Run the PowerShell Script
After uploading the file, run the script with the following command:
./{Name of the script file saved in the previous step}.ps1
Once the script has finished, verify the integration.
Step 13:
Use the following command to verify the configuration:
Get-MgDomainFederationConfiguration -DomainId {your domain.com} | fl
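Reading the Step 13 output by eye is error-prone, so the following added verification script (not part of the original guide or of UniFed) compares what Azure stored for the domain against the UniFed metadata file from Step 7, confirms the MFA behaviour chosen in Step 11, and reports the signing certificate's thumbprint and expiry. It assumes the Cloud Shell session from Step 9 is still connected, that the metadata file was uploaded in Step 11, and uses a 30-day expiry warning window of its own choosing.

```powershell
# Added verification script (not part of the original guide). Run in the Step 9 Cloud Shell session:
#   ./Verify-UniFedFederation.ps1 -DomainId "{your domain.com}" -MetadataPath ./{UniFed metadata}.xml
param(
    [Parameter(Mandatory)] [string] $DomainId,      # the federated domain configured in Step 11
    [Parameter(Mandatory)] [string] $MetadataPath   # the UniFed IDP metadata .xml downloaded in Step 7
)

# Parse the metadata the same way the Step 11 script does, but only the signing KeyDescriptor.
$xml     = [Xml](Get-Content -Path $MetadataPath -Raw)
$desc    = $xml.EntityDescriptor.IDPSSODescriptor
$keyDesc = @($desc.KeyDescriptor) | Where-Object { -not $_.use -or $_.use -eq 'signing' } | Select-Object -First 1
$metaCertB64 = -join $keyDesc.KeyInfo.X509Data.X509Certificate.Split()

$expected = @{
    IssuerUri        = $xml.EntityDescriptor.entityID
    PassiveSignInUri = @($desc.SingleSignOnService | Where-Object { $_.Binding -like '*Redirect*' })[0].Location
}

# What Azure actually stores for the domain (same cmdlet as Step 13).
$actual = Get-MgDomainFederationConfiguration -DomainId $DomainId
if (-not $actual) { throw "No federation configuration found for $DomainId" }

$problems = @()
foreach ($name in $expected.Keys) {
    if ($actual.$name -ne $expected[$name]) {
        $problems += "$name differs: Azure='$($actual.$name)' metadata='$($expected[$name])'"
    }
}

# Step 11 sets this so Azure accepts MFA performed at UniFed; any other value changes which MFA Azure accepts.
if ($actual.FederatedIdpMfaBehavior -ne 'acceptIfMfaDoneByFederatedIdp') {
    $problems += "FederatedIdpMfaBehavior is '$($actual.FederatedIdpMfaBehavior)'"
}

# Compare certificates by thumbprint (robust to base64 whitespace) and warn on expiry (30-day window is an assumption).
$x509Type  = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$azureCert = $x509Type::new([Convert]::FromBase64String($actual.SigningCertificate))
$metaCert  = $x509Type::new([Convert]::FromBase64String($metaCertB64))
"Azure signing certificate: thumbprint $($azureCert.Thumbprint), expires $($azureCert.NotAfter.ToString('u'))"
if ($azureCert.Thumbprint -ne $metaCert.Thumbprint) {
    $problems += "SigningCertificate differs: Azure=$($azureCert.Thumbprint) metadata=$($metaCert.Thumbprint)"
}
if ($azureCert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Signing certificate expires within 30 days ($($azureCert.NotAfter))"
}

if ($problems.Count -eq 0) {
    "Federation configuration for $DomainId matches the UniFed metadata."
} else {
    $problems | ForEach-Object { "CHECK FAILED: $_" }
    exit 1
}
```

A non-zero exit with one or more CHECK FAILED lines means the domain is federated against something other than the metadata you downloaded, or the signing certificate needs rotating before logins start failing.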