Microsoft Entra ID External SAML Partner is a feature within Microsoft Entra ID (formerly Azure Active Directory) that enables organizations to integrate and authenticate users from external partner organizations using the Security Assertion Markup Language (SAML). SAML is an open standard that allows secure, single sign-on (SSO) authentication between trusted organizations, making it ideal for Business-to-Business (B2B) scenarios where partners need access to specific resources without creating duplicate accounts.
In this guide, we’ll walk through the key concepts, features, configurations, and practical examples of setting up an external SAML partner in Microsoft Entra ID.
Overview of External SAML Partner in Microsoft Entra ID
What is a SAML Partner in Entra ID?
A SAML Partner in Microsoft Entra ID allows external users from a partner organization to authenticate and access specific resources in your organization. The partner’s identity provider (IdP) handles the user authentication, and Microsoft Entra ID accepts the authentication assertion through SAML.
This setup enables external users to access resources with their existing credentials, avoiding the need to create and manage separate accounts in your directory.
Key Concepts
- Identity Provider (IdP): The organization that holds and manages user identities. In this case, the partner organization acts as the IdP, authenticating its users and sending a SAML token to Entra ID.
- Service Provider (SP): The organization providing the resource. Here, your organization acts as the SP, accepting the SAML token and granting access to resources based on the received assertion.
- SAML Assertion: A digital document containing user identity information and authentication status, which the IdP sends to the SP. Entra ID uses this assertion to authenticate external users.
- Single Sign-On (SSO): Allows users to sign in once with their existing credentials and access multiple applications within the partner organization.
Key Features of Microsoft Entra ID External SAML Partner
- Seamless Single Sign-On (SSO): External users can access your organization’s resources with their own credentials from their home organization, avoiding the need to create separate accounts.
- Secure Federated Access: With SAML-based federation, you ensure that only verified users from trusted partner organizations can access your resources.
- Centralized Access Management: Entra ID manages external user permissions and policies, allowing for centralized control over access to applications and data.
- Conditional Access Policies: Enforce security policies such as Multi-Factor Authentication (MFA) or location-based access to secure external access.
- Simplified User Lifecycle Management: When users leave the partner organization, they lose access automatically because their authentication is managed by their own IdP.
Step-by-Step Configuration of an External SAML Partner in Microsoft Entra ID
Prerequisites
- Microsoft Entra ID Premium License: Some advanced features, such as Conditional Access, may require a Microsoft Entra ID Premium P1 or P2 license.
- Partner Organization with SAML IdP: The external partner organization must have an identity provider that supports SAML 2.0. Popular IdPs include Okta, Ping Identity, and other SAML-compliant solutions.
- Admin Access to Microsoft Entra ID: You need administrator permissions to configure and manage external identities in Entra ID.
Step 1: Configure the SAML Application in Microsoft Entra ID
- Sign in to the Azure Portal: Go to https://portal.azure.com and sign in with your administrator account.
- Navigate to Microsoft Entra ID: In the left-hand menu, select Microsoft Entra ID > Enterprise applications.
- Create a New Application:
- Click + New application.
- Select Create your own application and enter a name for the application (e.g., “External Partner Access”).
- Choose Integrate any other application you don’t find in the gallery (Non-gallery application), then click Create.
- Configure Single Sign-On (SSO):
- After the application is created, go to the Single sign-on section.
- Select SAML as the single sign-on method.
- Edit Basic SAML Configuration:
- Configure the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) with values provided by the external partner’s IdP.
- Identifier: This is usually a URL that uniquely identifies your application.
- Reply URL: The URL where SAML assertions are sent after authentication (typically your organization’s application).
- Logout URL: Optionally, set a logout URL to redirect users after they log out.
- Download and Share SAML Metadata:
- Download the Federation Metadata XML file from the Microsoft Entra ID SAML settings.
- Send this file to the partner organization, which will use it to configure their IdP.
Step 2: Configure the Partner Organization’s Identity Provider (IdP)
- Send Your SAML Metadata: Share the downloaded metadata XML file with your partner organization’s IT team. They will configure their IdP to trust your Microsoft Entra ID application based on this metadata.
- Configure IdP to Send Claims:
- The IdP should be configured to send specific claims (information about the user) to your application, such as:
- NameID: A unique identifier for the user (often the email address).
- FirstName and LastName: The user’s first and last names.
- Email: The user’s email address.
- Map Claims: Ensure the partner organization configures their IdP to map claims to the attributes required by your application.
Note: The exact setup will depend on the partner’s IdP, so it may require coordination with their IT team to ensure compatibility.
Step 3: Set Up User Attributes and Claims in Microsoft Entra ID
- Define User Attributes:
- In the Single sign-on settings of the Entra ID application, scroll down to User Attributes & Claims.
- Verify the claims sent by the partner’s IdP, such as NameID, Email, FirstName, and LastName.
- Add or Edit Claims:
- Click Add a claim or Edit an existing claim.
- Specify the Name (e.g., “email”) and Source attribute (e.g., user.mail).
- Ensure the claims match the requirements of your application for successful authentication and authorization.
Example: The partner’s IdP sends email as the unique identifier. You map it to the NameID in Entra ID to uniquely identify the user during sign-in.
Step 4: Configure Conditional Access Policies for External SAML Partners
- Go to Conditional Access: In Microsoft Entra ID, navigate to Security > Conditional Access.
- Create a New Policy:
- Click + New policy and give the policy a name, like “External SAML Partner MFA”.
- Configure Assignments:
- Under Users or workload identities, choose the external SAML users (or select All users if you want it to apply broadly).
- Under Cloud apps or actions, specify the applications you want to secure (e.g., SharePoint, Teams).
- Set Conditions:
- Configure conditions based on the user’s location, device, or risk level.
- Configure Access Controls:
- Select Grant > Require Multi-Factor Authentication to enforce MFA for external users.
- Enable the Policy: Toggle the Enable policy switch to On and save the policy.
Example: This policy enforces MFA for all external SAML users accessing sensitive applications from untrusted locations, adding an extra layer of security.
Step 5: Test the SAML Integration
- Initiate a Login from the Partner’s IdP:
- Have a user from the partner organization attempt to access the application using their own credentials.
- Check Authentication Flow:
- Verify that the user is redirected to their IdP for authentication and that they are returned to the application with a successful SAML assertion.
- Verify Claims and Access:
- Ensure that the correct user claims (e.g., email, first and last name) are passed and that the user gains the expected access.
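The claim verification in Step 3 and Step 5 can be automated on the service-provider side. The following is an added example, not code from the original article or from Microsoft: it parses a constructed, unsigned SAML assertion, checks that NameID, Email, FirstName and LastName are present, that NameID equals the Email claim as in the Step 3 mapping, that the Audience names the assumed Entity ID https://example.com/external-partner-access, and that NotOnOrAfter has not passed.

```python
# Added example (not from the original article): check that a partner IdP's
# SAML assertion carries the claims Step 3 maps (NameID, Email, FirstName,
# LastName), names our Entity ID as Audience and has not expired. The assertion
# below is constructed and unsigned; verify the XML signature first in real use
# (e.g. python3-saml) and parse with defusedxml rather than xml.etree to block XXE.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = ("Email", "FirstName", "LastName")
OUR_ENTITY_ID = "https://example.com/external-partner-access"  # assumed Identifier

SAMPLE_ASSERTION = """<s:Assertion xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0">
 <s:Subject><s:NameID>jane.doe@partner.example</s:NameID></s:Subject>
 <s:Conditions NotOnOrAfter="2030-01-01T00:00:00Z"><s:AudienceRestriction>
  <s:Audience>https://example.com/external-partner-access</s:Audience>
 </s:AudienceRestriction></s:Conditions>
 <s:AttributeStatement>
  <s:Attribute Name="Email"><s:AttributeValue>jane.doe@partner.example</s:AttributeValue></s:Attribute>
  <s:Attribute Name="FirstName"><s:AttributeValue>Jane</s:AttributeValue></s:Attribute>
  <s:Attribute Name="LastName"><s:AttributeValue>Doe</s:AttributeValue></s:Attribute>
 </s:AttributeStatement>
</s:Assertion>"""

def extract_claims(assertion_xml):
    """Return (NameID, {attribute name: first value}) from an Assertion element."""
    a = ET.fromstring(assertion_xml)
    name_id = a.findtext("s:Subject/s:NameID", default="", namespaces=SAML)
    claims = {attr.get("Name"): attr.findtext("s:AttributeValue", default="", namespaces=SAML)
              for attr in a.findall("s:AttributeStatement/s:Attribute", SAML)}
    return name_id, claims

def check_assertion(assertion_xml, entity_id=OUR_ENTITY_ID, now=None):
    """List the problems that should block sign-in; an empty list means accept."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(assertion_xml)
    name_id, claims = extract_claims(assertion_xml)
    problems = [f"missing claim {c}" for c in REQUIRED_CLAIMS if not claims.get(c)]
    if not name_id:
        problems.append("missing NameID")
    elif claims.get("Email") and name_id != claims["Email"]:
        problems.append("NameID does not equal the Email claim")  # Step 3 mapping
    if entity_id not in [x.text for x in a.findall(".//s:Audience", SAML)]:
        problems.append("Audience does not name our Entity ID")
    cond = a.find("s:Conditions", SAML)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if not expiry:
        problems.append("missing NotOnOrAfter")
    elif now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("assertion expired")
    return problems
```

Run check_assertion against a captured test assertion from the partner's IdP; a non-empty list pinpoints which Step 3 claim or setting still needs attention.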
Practical Usage Examples of External SAML Partner Integration
Example 1: Secure Access to Internal Applications for External Vendors
Scenario: A manufacturing company collaborates with an external logistics provider and needs to grant the provider’s employees access to their internal inventory management system.
- Configure SAML Application: The manufacturing company creates a SAML application in Entra ID for the inventory system and configures it to accept SAML assertions from the logistics provider’s IdP.
- Conditional Access: The manufacturing company enforces Conditional Access, requiring MFA for any external SAML sign-ins.
- Result: Logistics provider employees access the inventory system with their existing credentials and complete MFA when required, enhancing security while enabling seamless access.
Example 2: Grant Access to SharePoint for External Research Partners
Scenario: A research organization works with external universities and needs to share SharePoint files securely with researchers.
- Set Up SAML Partner Application: The research organization configures a SAML app in Entra ID to accept authentication from each partner university’s IdP.
- Claims Mapping: They configure the application to accept email, NameID, and department claims, ensuring users are identified accurately.
- Access Management: The organization applies permissions in SharePoint, granting access to specific documents or folders.
- Result: Researchers from partner universities can log into SharePoint with their university credentials and access shared files, without the need to manage individual accounts.
Example 3: Allow Access for Contractors to Teams with Conditional Access
Scenario: A tech company hires external contractors for a project and wants them to access specific Teams channels.
- Configure Teams Access through SAML: The tech company configures a SAML-based federation for the contractors’ organization’s IdP.
- Conditional Access: The company requires contractors to verify with MFA if they access Teams from outside the company’s designated secure locations.
- Result: Contractors can access project-specific Teams channels with added security policies, ensuring compliance without extra account management.
Benefits of Using Microsoft Entra ID External SAML Partner
- Simplified User Access: External users can use their existing credentials to access resources, improving the user experience and minimizing IT overhead.
- Enhanced Security: Conditional Access and MFA add layers of security, ensuring external access meets security standards.
- Centralized Management: Microsoft Entra ID provides a single platform to manage external access, monitor activity, and enforce policies.
- Automated User Lifecycle Management: When a user leaves the partner organization, they lose access automatically, since authentication is controlled by their own IdP.
Using Microsoft Entra ID External SAML Partner, organizations can securely collaborate with external entities, streamlining access for partners while maintaining robust security and centralized management.
