Available on Basic and Business

Not available on Free

Admin Privileges Required

To use SAML 2.0 Authentication with Azure AD Premium, go to your Azure Portal and add a new Enterprise Application: click Azure Active Directory → Enterprise applications → Create your own application. If you cannot find the Azure Active Directory menu, look under More Services and search for Azure Active Directory.

1. Create a new Application

Now enter a name for your app (e.g. Stack Overflow for Teams), select the non-gallery application option, then click Create.

Once the application loads, click on the Single sign-on option. Then click SAML (or, depending on your Azure version, select SAML-based sign-on from the dropdown menu).

2. Configure URLs

Now edit the following URLs under Basic SAML Configuration:

  • Identifier (Entity ID): a URI of your choosing. It must be unique per application. The URI doesn't need to resolve, but it *must* be copy-pasted into your Team auth settings as both the Issuer and the Audience Restriction. Before moving on, make sure the "Default" checkbox for this Entity ID is checked.

  • Reply URL: Enter your Team's Assertion Consumer Service URL into the Reply URL field. You can find this URL in your Authentication settings on Stack Overflow.

3. Configure Attributes

On the User Attributes tab, make sure the user's email address is included in the SAML response.

4. Download the Signing Certificate

In the SAML Signing Certificate section of your Azure AD application, download the Certificate (Base64) and save the certificate file on your computer.

5. Set up Users and/or Groups

Do not forget to add users and/or groups to the application, under the Users and groups menu.

6. Set up Authentication settings on Stack Overflow for Teams

We must now configure our Team to use this Azure AD enterprise app. Open the Team Auth Settings page in a separate tab: https://stackoverflow.com/c/yourteam/admin/auth-settings

You'll need to fill in the following fields with the values from your Azure AD app:

  • Single Sign-On Service URL: the Login URL of your Azure AD application.

  • Single Sign-On Service Protocol Binding: do not change; leave as POST.

  • Issuer and Audience Restriction: the Identifier (Entity ID) URI you chose (see above).

  • Display Name Assertion: for Azure apps, the display name assertion is usually http://schemas.microsoft.com/identity/claims/displayname or http://schemas.microsoft.com/identity/claims/name. If you want to be 100% sure, check the attributes list of your Azure AD app.

  • Email Address Assertion: for Azure apps, the email assertion is usually http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. If you want to be 100% sure, check your Federation Metadata XML and search for Email. The correct value is whatever appears in the Uri attribute.

  • Leave all checkboxes unchecked.

  • Identity Provider Certificates: open the certificate file you downloaded from your Azure AD app and copy/paste its contents into this field.

(Optional) Automate the renewal of certificates

Once you have set up SSO according to the above instructions, you can set up a Federation Metadata URL to automate the renewal of the Identity Provider Certificates. If you choose not to, an admin will have to update the certificate every year, or access to the Team will be interrupted.

To set this up, click on the Automatically update certificates periodically checkbox and paste your Federation Metadata URL from Azure into the field that appears. Click Save, and you're all set.
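An added example (not Stack Overflow's or Microsoft's code) that ties together the two manual checks above, searching the Federation Metadata XML for the email claim and keeping the Identity Provider Certificate current: it reads a metadata document offline, pulls out the Issuer, the POST-binding Login URL, the email claim Uri and the signing certificate, and flags when the certificate pasted into the Team settings no longer matches the IdP's current signing certificate, which is the failure the automatic renewal prevents. The metadata and certificate bodies are constructed placeholders, and the SHA-256 fingerprint comparison is this example's own check, not something the Team settings page performs.

```python
# Added example (not Stack Overflow's or Microsoft's code): parse a federation metadata
# document offline for the Team auth-settings values and detect signing-cert rotation.
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for a DER certificate body (base64); not a real certificate.
CERT_CURRENT = base64.b64encode(b"constructed-signing-cert-current").decode()
PEM_CURRENT = f"-----BEGIN CERTIFICATE-----\n{CERT_CURRENT}\n-----END CERTIFICATE-----\n"
# Constructed, abridged metadata in the shape of Azure's FederationMetadata.xml.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><fed:ClaimTypesOffered>
    <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
  </fed:ClaimTypesOffered></RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>{CERT_CURRENT}</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{POST_BINDING}"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def fingerprint(cert_text):  # SHA-256 of the DER bytes; accepts a bare base64 body or PEM contents
    body = "".join(l for l in cert_text.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def parse_metadata(xml_text):
    """Return the values the Team auth settings ask for, as found in the metadata."""
    root = ET.fromstring(xml_text)
    sso = [e.get("Location") for e in root.iterfind(".//md:SingleSignOnService", NS)
           if e.get("Binding") == POST_BINDING]
    certs = ["".join(c.text.split()) for kd in root.iterfind(".//md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no 'use' attribute means both uses
             for c in kd.iterfind(".//ds:X509Certificate", NS)]
    claims = [c.get("Uri") for c in root.iterfind(".//auth:ClaimType", NS)]
    return {"issuer": root.get("entityID"), "sso_url": sso[0] if sso else None,
            "signing_certs": certs,
            "email_claim": next((u for u in claims if u.endswith("/emailaddress")), None)}

def certificate_rotated(configured_pem, metadata_xml):
    """True when the cert pasted into the Team settings matches no current IdP signing cert."""
    wanted = fingerprint(configured_pem)
    return all(fingerprint(c) != wanted for c in parse_metadata(metadata_xml)["signing_certs"])
```

Run `certificate_rotated` against the live metadata URL's contents on a schedule and you get an alert before the yearly rotation locks users out, even without the automatic-update checkbox.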
