This guide will take you through the steps to set up SAML authentication with Azure AD, both on the Azure end and on the Akeyless end.
On your Azure Dashboard, select Enterprise Applications.
Create a new application and select the Create your own application option.
Name your application Akeyless and select the Integrate any application you don't find in the gallery (Non-gallery) option.
Under Getting Started, choose Set up single sign-on.
Select SAML to be transferred to the SAML configuration page.
Insert the following URLs to the configuration:
Identifier (Entity ID):
Reply URL (Assertion Consumer Service URL):
After filling in the details, you will be able to view the SAML Signing Certificate.
Copy the App Federation Metadata URL (starts with
https://login.microsoftonline.com/...) and paste it somewhere accessible, as you will need it for the Akeyless-side steps.
In your SAML application's Attributes & Claims, select Edit to add user & group claims.
Select Add new claim - and fill in the following details:
- Name = email
- Source attribute = user.userprincipalname
- Select Add a group claim and configure the group claim according to the instructions provided here. See the following example:
- On the multiple-choice groups-association question, select Security groups.
- Source attribute: keep the default (the group's object ID), or use sAMAccountName for Active Directory-synchronized groups.
- Under Advanced options, select Customize, and set the name to groups.
By default, the group sub-claim provides the group's Azure AD object identifier (OID), not the group name. This affects the values you must use for the groups sub-claim when configuring Access Roles. If you would rather expose the group display name as the attribute, you can either use sAMAccountName (only for groups that were synced from an on-premises Active Directory) or follow the instructions on emitting cloud-only group display names.
- Finally, make sure to add and assign the relevant Users and groups to the application.
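As an added example that is not part of the Akeyless documentation: a small Python check that parses a SAML assertion and reports whether the email claim is present and whether the groups claim carries Azure AD object IDs or display names, which tells you which value to put in an Access Role's groups sub-claim. The assertion text and its GUIDs are constructed for the example; only the attribute names email and groups come from the setup above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion (not a real Azure AD response): only the
# AttributeStatement is relevant here; signature and conditions are omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD object IDs are GUIDs; a display name such as "sec-admins" will not match.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_claims(assertion_xml):
    """Check the two claims the Akeyless auth method relies on.

    email_present: exactly one email value, usable as the unique identifier.
    groups_are_object_ids: True when every groups value is a GUID (the Azure
    default), meaning Access Role sub-claims must be keyed on OIDs, not names.
    """
    attrs = parse_attributes(assertion_xml)
    groups = attrs.get("groups", [])
    return {
        "email_present": len(attrs.get("email", [])) == 1,
        "groups": groups,
        "groups_are_object_ids": bool(groups) and all(GUID_RE.match(g) for g in groups),
    }
```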
Now for the Akeyless side:
The Akeyless side of the setup can be done either from the CLI or the console. Choose whichever you find preferable.
Input the following command:
```shell
akeyless create-auth-method-saml \
  --name '<saml-name>' \
  --idp-metadata-url '<your-idp-metadata-url>' \
  --unique-identifier email
```
The IDP metadata URL is the App Federation Metadata URL you copied from the Azure process.
Go to the Auth Methods tab in your console.
Select New > SAML.
Fill in the mandatory parameters:
- Name: The in-system name for the authentication method.
- IDP Metadata URL: The App Federation Metadata URL you copied from the Azure process.
- Unique identifier: The required identifier. In this case, you can use email.
Your SAML authentication should be up and running.