Applies to Basic ❌
Applies to Business ✅
(Admin only) To use SAML 2.0 authentication with Azure AD Premium, go to your Azure Portal and add a new Enterprise Application: click Azure Active Directory → Enterprise applications → New application. If you cannot find the Azure Active Directory menu, open More services and search for Azure Active Directory.
Now select Non-gallery application, enter the name for your app and click Add.
Once the application loads, click Single sign-on in the application's left-hand navigation menu. Click SAML (or, depending on your Azure version, select SAML-based sign-on from the dropdown menu). Now set up the following URLs:
- Identifier (Entity ID): a URI you choose; it must be unique within your Azure AD tenant. The URI does not need to resolve to anything, but it *must* be copied verbatim into your Team auth settings as both the Issuer and the Audience Restriction. Azure AD uses it to match incoming authentication requests to this application and writes it into the assertion's Audience, so a mismatch means every assertion is rejected.
- Reply URL: must be set to the Assertion Consumer Service URL of your Team, which can be found on https://stackoverflow.com/c/yourteam/admin/auth-settings, in the right sidebar. Azure AD will only post assertions to a registered Reply URL, so copy it exactly.
On the User Attributes tab, make sure the user email is included in the SAML response (check the View and edit all other user attributes checkbox, if there is one). You should have an attribute mapped to user.email. You will need that attribute's full claim name (namespace plus name) when configuring the Team; by default it is the emailaddress claim, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
In the SAML Signing Certificate section of your Azure AD application, download the Certificate (Base64) and save the file on your computer. This is the certificate the Team will use to verify the signature on Azure AD's SAML responses. Finally, do not forget to assign users and/or groups to the application, under the Users and groups menu; only assigned users will be able to sign in through it.
We must now set up our Team to use this Azure AD enterprise app. Open the Team Auth Settings page in a separate tab: https://stackoverflow.com/c/yourteam/admin/auth-settings
Fill in the following fields according to what you got from your Azure AD app:
- Single Sign-On Service Url: the SAML Single Sign-On Service URL of your Azure AD application. After you save the application it is shown in the Configure <appName> section (named Set up <appName> in newer portal versions, where it is labelled Login URL). It is normally an https URL under login.microsoftonline.com for your tenant.
- Single Sign-On Service Protocol Binding: do not change, leave as POST
- Issuer and Audience Restriction: the Identifier (Entity ID) URI you chose (see above), copied exactly
- Display Name Assertion: for Azure apps, the display name claim is usually http://schemas.microsoft.com/identity/claims/displayname or http://schemas.microsoft.com/identity/claims/name. To be certain, check the attribute list of your application.
- Email Address Assertion: for Azure apps, the email claim is usually http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. To be certain, open your Federation Metadata XML and search for Email; the correct value is the Uri attribute of that ClaimType element.
- Leave all checkboxes unchecked for now (the certificate auto-renewal checkbox is covered in the next section)
- Identity Provider Certificates: open the Certificate (Base64) file you downloaded from your Azure AD app and paste its contents. The Team uses this certificate to verify the signature on each SAML response, so it must be the certificate Azure AD is currently signing with.
Automate the renewal of certificates
Once you have set up SSO according to the above instructions, you can configure a Federation Metadata URL so that the Identity Provider Certificates are renewed automatically. If you choose not to, an admin will have to paste the new certificate manually whenever Azure AD rotates it or it expires; otherwise sign-in to the Team stops working as soon as the old certificate is no longer valid.
To set this up, click the Automatically update certificates periodically checkbox and paste your Federation Metadata URL from Azure (the App Federation Metadata Url shown in the SAML Signing Certificate section) into the field that appears. Because the Team will from then on trust whatever signing certificate that URL publishes, make sure you copy the https URL for your own tenant and application. Click Save, and you're all set.
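The checks the settings list and the renewal section describe by hand (search the Federation Metadata XML for the email claim, copy the SSO URL, confirm the pasted certificate is the one Azure AD signs with) as an added Python example. This is not code from the original article or from Stack Overflow; it parses Azure AD federation metadata with the standard library only and reports a pasted certificate that no longer matches the published signing certificate, which is the failure the metadata URL exists to prevent. The metadata, tenant id and certificate bytes below are constructed stand-ins, trimmed to the elements that matter; real metadata is larger and carries an XML signature.

```python
"""Cross-check Azure AD federation metadata against the values pasted into
the Team auth settings.  Added example; SAMPLE_METADATA, TENANT and the
certificate bytes are constructed, not real Azure AD output."""
import base64
import binascii
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed: not real X.509 DER, the bytes only have to survive a base64 round trip.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00constructed, not a real cert").decode()
STALE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00constructed, previous cert").decode()
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed tenant id

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  entityID="https://sts.windows.net/{TENANT}/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
    protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="{EMAIL_CLAIM}"/>
      <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/displayname"/>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST_BINDING}"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def pem(b64: str) -> str:
    """Constructed look-alike of the Certificate (Base64) file the portal downloads."""
    return "-----BEGIN CERTIFICATE-----\n" + textwrap.fill(b64, 64) + "\n-----END CERTIFICATE-----\n"


def normalize_cert(text: str) -> str:
    """Strip PEM armour and whitespace so two copies of the same cert compare equal."""
    body = "".join(ln.strip() for ln in text.splitlines() if not ln.strip().startswith("-----"))
    base64.b64decode(body, validate=True)  # raises binascii.Error if the paste is corrupt
    return body


def parse_metadata(xml_text: str) -> dict:
    """Pull the Team-relevant fields out of Azure AD federation metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not SAML 2.0 IdP metadata")
    post_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == POST_BINDING]
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # a KeyDescriptor without 'use' covers both uses
            certs += [normalize_cert(c.text or "")
                      for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "idp_entity_id": root.get("entityID"),  # the IdP's issuer, not the Identifier you chose
        "sso_post_url": post_urls[0] if post_urls else None,
        "signing_certs": certs,
        "claim_uris": [c.get("Uri") for c in root.findall(".//fed:ClaimTypesOffered/auth:ClaimType", NS)],
    }


def find_claims(meta: dict, keyword: str) -> list:
    """The manual 'search the metadata for Email' step: claim URIs containing the keyword."""
    return [u for u in meta["claim_uris"] if keyword.lower() in u.lower()]


def verify_team_settings(meta: dict, pasted_cert: str, email_assertion: str) -> list:
    """Return the problems found (an empty list means the pasted values agree with the metadata)."""
    problems = []
    url = urlparse(meta["sso_post_url"] or "")
    if url.scheme != "https" or not url.netloc:
        problems.append(f"SSO POST URL missing or not https: {meta['sso_post_url']!r}")
    try:
        if normalize_cert(pasted_cert) not in meta["signing_certs"]:
            problems.append("pasted Identity Provider Certificate is not a current signing cert")
    except binascii.Error:
        problems.append("pasted certificate is not valid base64/PEM")
    if email_assertion not in meta["claim_uris"]:
        problems.append(f"email assertion {email_assertion!r} is not a claim the IdP offers")
    return problems


if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_METADATA)
    print("SSO URL:", meta["sso_post_url"])
    print("Email claim(s):", find_claims(meta, "email"))
    print("Current cert:", verify_team_settings(meta, pem(FAKE_CERT_B64), EMAIL_CLAIM))
    print("Stale cert:", verify_team_settings(meta, pem(STALE_CERT_B64), EMAIL_CLAIM))
```

To run it against a real tenant, replace SAMPLE_METADATA with the body fetched from your App Federation Metadata Url and pasted_cert with the contents of the downloaded Certificate (Base64) file; the stale-certificate case in the script is the situation an expired or rotated Azure AD signing certificate produces when auto-renewal is not enabled.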