In this video, Sharon discusses the SAML 2.0 protocol and how to add and/or edit the claims that are used by your applications in both the classic and ARM portals.
- [Instructor] The SAML 2.0 Protocol is used by Azure Active Directory to enable applications to provide single sign-on for their users. A SAML protocol exchanges authentication and authorization for single sign-on to applications. And it's a token format that's used for WS-Federation and SAML-P. The token is validated, therefore the user is not prompted for credentials over and over and over again. Let's take a look at how it works in Azure Active Directory.
Our user attempts to connect to the web app. The web app redirects to Azure Active Directory for the sign-in. The user signs in and a SAML token is created. The SAML token is then passed back to the application via the user browser. And then the app verifies a response. The SAML token contains information about that authenticated user. And these bits of information are called claims. And these claims could then be used by the application.
Keep in mind, the default claims are somewhat different between the Azure Resource Manager or ARM portal versus the classic portal. In the Azure Resource Manager portal the default claims include the user given name. The user surname. User email address. And the user principal name. Whereas in the classic portal, you'll notice that we also have the name ID. Or, the name identifier. Let's go ahead and actually flip to the portal and take a look at these in real life.
I'm in the portal. And as you can see, I am in ARM. I happen to be in my Azure Active Directory. And I'm going to go ahead and take a look at the SAML claims for one of our enterprise applications. I'm going to go ahead and click on Enterprise Applications. I'm going to go ahead and click on All Applications. Because I know I want to look at Dropbox. I'm going to go ahead and click on Dropbox for Business. And then I'm going to click on Single sign-on. Because Dropbox does support SAML-based sign-on.
Let's scroll down a little bit. And we're looking for the user attributes. So as you can see, the default user identifier here is the user principal name. I can go ahead and click View and edit all other attributes to take a look at the other attributes that are being used. Here's a list of our default attributes, or claims. If I wanted to go ahead and add an attribute, because major applications require something somewhat different, I can go ahead and add that attribute. Maybe I need the city attribute.
And grab the user city. And then click Okay. And now city will be added to that list, as well. I did mention it looks a little different in the classic portal. Let's flip over to the classic portal to show you what it looks like there. I'm in Azure Active Directory. And I'm looking at the Dropbox for Business Application. And this is the same one we just looked at, there's nothing different here. With the exception, if you'll notice, that we have the name identifier. We can go ahead and add a new user attribute here.
Let's do country. I'm going to grab user country. I have now added that. I'm going to have to remember to apply changes here, as well. The last thing I want to show you is, what if we want to edit one of the existing ones? We couldn't do this in ARM but we can do this in the classic portal. So if we wanted to change given name we could easily do that. I'm going to go ahead and close that. I'm not going to save any of the changes here. I'm going to go ahead and discard. Typically, as the administrator of Azure you probably will not make changes to this yourself.
It will be a request that will come from your developer team, to say hey, I need this changed, or edited. I just wanted to make you aware of where you make those changes and the SAML claims themselves.
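As an added example that is not part of the video and not Azure AD's or Dropbox's own code: the relying party's side of the flow described above, reading the NameID and the claims out of a SAML Response and checking that the claims an application needs are actually present. The four default claim URIs are the ones Azure AD issues for a SAML app (given name, surname, email address, UPN); the `city` claim name is an assumption, since the administrator picks the name when adding the attribute in the portal, and the sample response is constructed for this example with the `ds:Signature` element left out. A real relying party must verify that signature before it trusts any of these values.

```python
"""Parse the claims out of a SAML 2.0 Response (added example, stdlib only)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim URIs Azure AD issues by default for a SAML app (the four the video lists).
CLAIM_GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
DEFAULT_CLAIMS = (CLAIM_GIVEN_NAME, CLAIM_SURNAME, CLAIM_EMAIL, CLAIM_UPN)
# Assumed name for the extra "city" attribute added in the portal; the admin chooses it.
CLAIM_CITY = "city"

# Constructed sample, not captured from Azure AD. The ds:Signature element is omitted;
# a real relying party must verify it before trusting anything below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@contoso.example</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@contoso.example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@contoso.example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_claims(response_xml):
    """Return (name_id, {claim_name: [values]}) from the single Assertion in a Response.

    Claims are read only from inside the Assertion element, and exactly one
    Assertion is required, so attributes placed elsewhere in the document
    (the classic signature-wrapping trick) are not picked up.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]

    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None

    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return name_id, claims


def missing_claims(claims, required):
    """List the required claim names that are absent or carry no non-empty value."""
    return [name for name in required if not any(v.strip() for v in claims.get(name, []))]


if __name__ == "__main__":
    name_id, claims = parse_claims(SAMPLE_RESPONSE)
    print("NameID:", name_id)
    for name, values in claims.items():
        print(name, "=>", values)
    # The default set is complete; an app that also expects "city" is not satisfied
    # until the administrator adds that attribute in the portal.
    print("missing defaults:", missing_claims(claims, DEFAULT_CLAIMS))
    print("missing with city:", missing_claims(claims, DEFAULT_CLAIMS + (CLAIM_CITY,)))
```

The `missing_claims` check is the part a developer would wire into the sign-in handler: if the portal configuration does not send an attribute the application reads, the failure shows up here as a named missing claim rather than as a `KeyError` deep in the app.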