Available on Basic and Business

Not available on Free

Admin Privileges Required

You can set up SAML 2.0 Authentication with Azure AD App Registration by visiting your Azure Portal to add a new Application Registration.

1. Register New Application

While viewing the App registrations page under Azure Active Directory, click on New registration.

When viewing the form to register an application, fill in the information below and then click on Register.

  • Name: Any preferred name for your app.

  • Supported account types: Depending on your needs, this could be any of the offered choices.

  • Redirect URI: (Optional) Choose Web, and set the URL to the Assertion consumer service URL found on the Stack Overflow Admin page for Authentication.

2. Add a Platform

Go to Authentication in the left sidebar. Under Platform configurations, click on Add a platform and then choose Web in the right sidebar.

Enter your Team's Assertion Consumer Service URL into the Redirect URIs field. You can find this URL in your Authentication settings on Stack Overflow.

Leave all other values untouched and click Configure at the bottom.

3. Generate an Application ID URI

Go back to Overview and click on Add an Application ID URI at the top right. Then click on Set to generate a random ID URI for your application. Keep a copy of it and click Save.

You will enter the Application ID URI as the Issuer and Audience Restriction when configuring the single sign-on for your Stack Overflow Team later.

4. Add a Token Type

Go to Token configuration and click on Add optional claim. Select the SAML option and, for the Token type, check the value best suited for your organization.

It is recommended to use a field that uses a static value such as NameID.

5. Find the Federation Metadata

Go back to Overview and click on Endpoints. Find the link under Federation metadata document, copy the URL, and open it in your browser.

Keep this document available as you continue in the process.

6. Configure Authentication Settings for your Stack Overflow Team

Open the Authentication page on your Stack Overflow Team under Settings and complete the following fields using the information retrieved from your Azure AD app.

  • Single Sign-On Service URL: Enter the value of SAML-P Sign-On Endpoint from your Endpoints on Azure.

  • Single Sign-On Service Protocol Binding: POST

  • Issuer: Enter the Application ID URI you generated.

  • Audience Restriction: Enter the Application ID URI you generated.

  • Display Name Assertion: http://schemas.microsoft.com/identity/claims/displayname
    This value can sometimes change. Check your Federation metadata document and search for Display Name to verify.

  • Email Address Assertion: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    This value can sometimes change. Check your Federation metadata document and search for Email to verify. Leave all checkboxes unchecked.

  • Identity Provider Certificates: Copy and paste the value inside the element of your Federation metadata document. There may be multiple certificates, so you can pick one or add all of them.

(Optional) Automate the Renewal of Certificates

Once you have set up SSO according to the above instructions, you can set up a Federation Metadata URL to automate the renewal of the Identity Provider Certificates. If you choose not to, the certificate will have to be updated by an admin every year, or access to the Team will be interrupted.

To set this up, click on the Automatically update certificates periodically checkbox and paste your Federation Metadata URL from Azure into the field that appears. Click Save, and you're all set.
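As an added example (not part of this article and not Stack Overflow's or Microsoft's code), the script below reads a constructed Azure AD federation metadata document the way steps 5 and 6 read it by hand: it pulls the issuer (entityID), the HTTP-POST sign-on endpoint and the signing certificates from the X509Certificate elements, and compares certificate fingerprints so a scheduled job can tell when Azure has rotated its signing key before logins start failing. The tenant ID and the certificate body are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for metadata fetched over the network, prefer defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: a trimmed federation metadata document in the shape Azure AD
# serves. The certificate body is a placeholder blob, not a real DER certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>Q09OU1RSVUNURUQtQ0VSVC0x</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_metadata(xml_text):
    """Return the issuer, the HTTP-POST sign-on URL and the signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a key with no 'use' may sign too
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))  # drop the base64 line wrapping
    return {"issuer": root.get("entityID"),
            "sso_post_url": sso.get(POST_BINDING),
            "signing_certs": certs}


def cert_fingerprint(b64_cert):
    """SHA-256 over the DER bytes, the usual way to compare certificates."""
    return hashlib.sha256(base64.b64decode(b64_cert)).hexdigest()


def certs_changed(configured_fingerprints, xml_text):
    """Fingerprints in the metadata the SP lacks; non-empty means the IdP rotated keys."""
    fetched = {cert_fingerprint(c) for c in parse_metadata(xml_text)["signing_certs"]}
    return sorted(fetched - set(configured_fingerprints))
```

Running certs_changed against the live Federation Metadata URL on a schedule gives the same early warning as the automatic-renewal checkbox, for teams that prefer to review a new certificate before it is trusted.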

7. Authenticate and Enable SSO

Once you have all the previous settings in place, you may select the Authenticate and enable SSO button at the bottom of the page.
