|
| 1 | +--- |
| 2 | +title: 'Quickstart: Enable single sign-on for an enterprise application' |
| 3 | +titleSuffix: Azure AD |
| 4 | +description: Enable single sign-on for an enterprise application in Azure Active Directory. |
| 5 | +services: active-directory |
| 6 | +author: omondiatieno |
| 7 | +manager: CelesteDG |
| 8 | +ms.service: active-directory |
| 9 | +ms.subservice: app-mgmt |
| 10 | +ms.topic: quickstart |
| 11 | +ms.workload: identity |
| 12 | +ms.date: 09/21/2021 |
| 13 | +ms.author: jomondi |
| 14 | +ms.reviewer: ergleenl |
| 15 | +ms.custom: contperf-fy22q2, mode-other |
| 16 | +#Customer intent: As an administrator of an Azure AD tenant, I want to enable single sign-on for an enterprise application. |
| 17 | +--- |
| 18 | + |
| 19 | +# Quickstart: Enable single sign-on for an enterprise application |
| 20 | + |
| 21 | +In this quickstart, you use the Azure Active Directory Admin Center to enable single sign-on (SSO) for an enterprise application that you added to your Azure Active Directory (Azure AD) tenant. After you configure SSO, your users can sign in by using their Azure AD credentials. |
| 22 | + |
| 23 | +Azure AD has a gallery that contains thousands of pre-integrated applications that use SSO. This quickstart uses an enterprise application named **Azure AD SAML Toolkit** as an example, but the concepts apply for most pre-configured enterprise applications in the gallery. |
| 24 | + |
| 25 | +It is recommended that you use a non-production environment to test the steps in this quickstart. |
| 26 | + |
| 27 | +## Prerequisites |
| 28 | + |
| 29 | +To configure SSO, you need: |
| 30 | + |
| 31 | +- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). |
| 32 | +- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal. |
| 33 | +- Completion of the steps in [Quickstart: Create and assign a user account](add-application-portal-assign-users.md). |
| 34 | + |
| 35 | +## Enable single sign-on |
| 36 | + |
| 37 | +To enable SSO for an application: |
| 38 | + |
| 39 | +1. Go to the [Azure Active Directory Admin Center](https://aad.portal.azure.com) and sign in using one of the roles listed in the prerequisites. |
| 40 | +1. In the left menu, select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant. Search for and select the application that you want to use. For example, **Azure AD SAML Toolkit 1**. |
| 41 | +1. In the **Manage** section of the left menu, select **Single sign-on** to open the **Single sign-on** pane for editing. |
| 42 | +1. Select **SAML** to open the SSO configuration page. After the application is configured, users can sign in to it by using their credentials from the Azure AD tenant. |
| 43 | +1. The process of configuring an application to use Azure AD for SAML-based SSO varies depending on the application. For any of the enterprise applications in the gallery, use the link to find information about the steps needed to configure the application. The steps for the **Azure AD SAML Toolkit** are listed in this quickstart. |
| 44 | + |
| 45 | + :::image type="content" source="media/add-application-portal-setup-sso/saml-configuration.png" alt-text="Configure single sign-on for an enterprise application."::: |
| 46 | + |
| 47 | +1. In the **Set up Azure AD SAML Toolkit 1** section, record the values of the **Login URL**, **Azure AD Identifier**, and **Logout URL** properties to be used later. |
| 48 | + |
| 49 | +## Configure single sign-on in the tenant |
| 50 | + |
| 51 | +You add sign-in and reply URL values, and you download a certificate to begin the configuration of SSO in Azure AD. |
| 52 | + |
| 53 | +To configure SSO in Azure AD: |
| 54 | + |
| 55 | +1. In the Azure portal, select **Edit** in the **Basic SAML Configuration** section on the **Set up single sign-on** pane. |
| 56 | +1. For **Reply URL (Assertion Consumer Service URL)**, enter `https://samltoolkit.azurewebsites.net/SAML/Consume`. |
| 57 | +1. For **Sign on URL**, enter `https://samltoolkit.azurewebsites.net/`. |
| 58 | +1. Select **Save**. |
| 59 | +1. In the **SAML Signing Certificate** section, select **Download** for **Certificate (Raw)** to download the SAML signing certificate and save it to be used later. |
| 60 | + |
| 61 | +## Configure single sign-on in the application |
| 62 | + |
| 63 | +Using single sign-on in the application requires you to register the user account with the application and to add the SAML configuration values that you previously recorded. |
| 64 | + |
| 65 | +### Register the user account |
| 66 | + |
| 67 | +To register a user account with the application: |
| 68 | + |
| 69 | +1. Open a new browser window and browse to the sign-in URL for the application. For the **Azure AD SAML Toolkit** application, the address is `https://samltoolkit.azurewebsites.net`. |
| 70 | +1. Select **Register** in the upper right corner of the page. |
| 71 | + |
| 72 | + :::image type="content" source="media/add-application-portal-setup-sso/toolkit-register.png" alt-text="Register a user account in the Azure AD SAML Toolkit application."::: |
| 73 | + |
| 74 | +1. For **Email **, enter the email address of the user that will access the application. For example, in a previous quickstart, the user account was created that uses the address of `[email protected]`. Be sure to change `contoso.com` to the domain of your tenant. |
| 75 | +1. Enter a **Password** and confirm it. |
| 76 | +1. Select **Register**. |
| 77 | + |
| 78 | +### Configure SAML settings |
| 79 | + |
| 80 | +To configure SAML setting for the application: |
| 81 | + |
| 82 | +1. Signed in with the credentials of the user account that you created, select **SAML Configuration** at the upper-left corner of the page. |
| 83 | +1. Select **Create** in the middle of the page. |
| 84 | +1. For **Login URL**, **Azure AD Identifier**, and **Logout URL**, enter the values that you recorded earlier. |
| 85 | +1. Select **Choose file** to upload the certificate that you previously downloaded. |
| 86 | +1. Select **Create**. |
| 87 | +1. Copy the values of the **SP Initiated Login URL** and the **Assertion Consumer Service (ACS) URL** to be used later. |
| 88 | + |
| 89 | +## Update single sign-on values |
| 90 | + |
| 91 | +Use the values that you recorded for **SP Initiated Login URL** and **Assertion Consumer Service (ACS) URL** to update the single sign-on values in your tenant. |
| 92 | + |
| 93 | +To update the single sign-on values: |
| 94 | + |
| 95 | +1. In the Azure portal, select **Edit** in the **Basic SAML Configuration** section on the **Set up single sign-on** pane. |
| 96 | +1. For **Reply URL (Assertion Consumer Service URL)**, enter the **Assertion Consumer Service (ACS) URL** value that you previously recorded. |
| 97 | +1. For **Sign on URL**, enter the **SP Initiated Login URL** value that you previously recorded. |
| 98 | +1. Select **Save**. |
| 99 | + |
| 100 | +## Test single sign-on |
| 101 | + |
| 102 | +You can test the single sign-on configuration from the **Set up single sign-on** pane. |
| 103 | + |
| 104 | +To test SSO: |
| 105 | + |
| 106 | +1. In the **Test single sign-on with Azure AD SAML Toolkit 1** section, on the **Set up single sign-on** pane, select **Test**. |
| 107 | +1. Sign in to the application using the Azure AD credentials of the user account that you assigned to the application. |
| 108 | + |
| 109 | +## Clean up resources |
| 110 | + |
| 111 | +If you are planning to complete the next quickstart, keep the enterprise application that you created. Otherwise, you can consider deleting it to clean up your tenant. |
| 112 | + |
| 113 | +## Next steps |
| 114 | + |
| 115 | +Learn how to configure the properties of an enterprise application. |
| 116 | +> [!div class="nextstepaction"] |
| 117 | +> [Configure an application](add-application-portal-configure.md) |
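Review bot: In "Update single sign-on values" (file lines 95-97), the steps say to "enter" the recorded **Assertion Consumer Service (ACS) URL** and **SP Initiated Login URL**, but never say what happens to the placeholder values set at file lines 56-57 (`https://samltoolkit.azurewebsites.net/SAML/Consume` and `https://samltoolkit.azurewebsites.net/`). State explicitly that the new values replace the earlier ones, so that the tenant is not left with a Reply URL that is not the application's actual ACS endpoint. Smaller points: the prerequisites at file line 32 list Global Administrator first, and a sentence recommending the least-privileged of the listed roles would fit there; file line 74 has `**Email **` with a space before the closing asterisks, which will not render as bold; file line 80 should read "SAML settings"; file line 82 opens with a dangling "Signed in with the credentials ...", consider "While signed in with the credentials ...".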