Applies to Basic and Business

(Admin only) You can set up SAML 2.0 Authentication with Azure AD by visiting your Azure Portal and adding a new Application Registration. On the App registrations page under Azure Active Directory, click on New registration.

On the form to register an application, fill in the information below and then click on Register.

  • Name: Any preferred name for your app.
  • Supported account types: Depending on your needs, this could be any of the offered choices.
  • Platform configuration: Web API

Add a platform

Go to Authentication in the left sidebar. Under Platform configurations, click on Add a platform and then choose Web in the right sidebar.

Enter your Team's Assertion Consumer Service URL into the Redirect URIs field. You can find this URL in the right sidebar of your Authentication settings.

Leave all other values untouched and click Configure at the bottom.

Generate an application ID URI

Go back to Overview and click on Add an Application ID URI at the top right. Then click on Set to generate a random ID URI for your application. Keep a copy of it and click Save.

You will enter the Application ID URI as the Issuer and Audience Restriction when configuring single sign-on for your Stack Overflow Team later.

Add a token type

Go to Token configuration and click on Add optional claim. Select the SAML option and check email for the Token type.

Find the federation metadata

Go back to Overview and click on Endpoints. Find the link under Federation metadata document, copy it, and open it in your browser.

Keep this document available as you continue in the process.

Configure authentication settings for your Team

Open the Authentication page under Settings and complete the following fields using the information retrieved from your Azure AD app.

  • Single Sign-On Service URL: Enter the value of SAML-P Sign-On Endpoint from your Endpoints.
  • Single Sign-On Service Protocol Binding: POST
  • Issuer: Enter the Application ID URI you generated.
  • Audience Restriction: Enter the Application ID URI you generated.
  • Display Name Assertion: http://schemas.microsoft.com/identity/claims/displayname
    This value can sometimes change. Check your Federation metadata document and search for Display Name to verify.
  • Email Address Assertion: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    This value can sometimes change. Check your Federation metadata document and search for Email to verify. Leave all checkboxes unchecked.
  • Identity Provider Certificates: Copy and paste the value inside the <X509Certificate> element of your Federation metadata document. There may be multiple certificates, so you can pick one or add all of them.

Automate the renewal of certificates

Once you have set up SSO according to the above instructions, you can set up a Federation Metadata URL to automate the renewal of the Identity Provider Certificates. If you choose not to, the certificate will have to be updated by an admin every year, or access to the Team will be interrupted.

To set this up, click on the Automatically update certificates periodically checkbox and paste your Federation Metadata URL from Azure into the field that appears. Click Save, and you're all set.
