Microsoft Entra is one of the SAML 2.0 identity providers you can use to authenticate visitors to your Power Pages site. You can use any provider that conforms to the SAML 2.0 specification.
This article describes the following steps:
Set up Microsoft Entra in Power Pages
Create an app registration in Azure
Enter site settings in Power Pages
Note
Changes to your site's authentication settings might take a few minutes to be reflected on the site. To see the changes immediately, restart the site in the admin center.
Set up Microsoft Entra in Power Pages
Set Microsoft Entra as an identity provider for your site.
In your Power Pages site, select Set up > Identity providers.
Select one of the Supported account types that best reflects your organization requirements.
Under Redirect URI, select Web as the platform, and then enter the reply URL of your site.
If you're using your site's default URL, paste the reply URL you copied.
If you're using a custom domain name, enter the custom URL. Be sure to use the same custom URL for the assertion service consumer URL in the settings for the identity provider on your site.
Select Register.
Select Endpoints at the top of the page.
Find the Federation metadata document URL and select the copy icon.
In the left side panel, select Expose an API.
To the right of Application ID URI, select Add.
Enter your site URL as the App ID URI.
Select Save.
In a new browser tab, paste the federation metadata document URL you copied earlier.
Copy the value of the entityID tag in the document.
Enter site settings in Power Pages
Return to the Power Pages Configure identity provider page you left earlier and enter the following values. Optionally, change the additional settings as needed. Select Confirm when you're finished.
Metadata address: Paste the federation metadata document URL you copied.
Authentication type: Paste the entityID value you copied.
Service provider realm: Enter your site's URL.
Assertion service consumer URL: If your site uses a custom domain name, enter the custom URL; otherwise, leave the default value, which should be your site's reply URL. Be sure the value is exactly the same as the redirect URI of the application you created.
Additional settings in Power Pages
The additional settings give you finer control over how users authenticate with your SAML 2.0 identity provider. You don't need to set any of these values. They're entirely optional.
Validate audience: Turn on this setting to validate the audience during token validation.
Valid audiences: Enter a comma-separated list of audience URLs.
Contact mapping with email: This setting determines whether contacts are mapped to a corresponding email address when they sign in.
On: Associates a unique contact record with a matching email address and automatically assigns the external identity provider to the contact after the user successfully signs in.
SAML 2.0 (Security Assertion Markup Language) is an open standard created to provide cross-domain single sign-on (SSO). In other words, it allows a user to authenticate in a system and gain access to another system by providing proof of their authentication.
SAML 2.0 (Security Assertion Markup Language) is an open standard created to provide cross-domain single sign-on (SSO). In other words, it allows a user to authenticate in a system and gain access to another system by providing proof of their authentication.
The identity provider generates the SAML response and returns it to the user's browser. The browser sends the generated SAML response to the service provider's web application which verifies it. If the verification succeeds, the web application grants the user access.
An Identity Provider can initiate an authentication flow. The SAML authentication flow is asynchronous. The Service Provider doesn't know if the Identity Provider will ever complete the entire flow. Because of this, the Service Provider doesn't maintain any state of any authentication requests generated.
Before you can create an IAM SAML identity provider, you need the SAML metadata document that you get from the IdP. This document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP.
However, while they're related, they're not the same. SAML is the standard through which SPs and IdPs communicate with each other to verify credentials. SSO is an authentication process intended to simplify access to multiple applications with a single set of credentials.
The Name Identifier (NameID) is the unique identifier of the user in SAML. The NameID should be non-volatile and opaque, i.e. it should not contain personal information or information that is changeable over time, such as the user's name or email address.
This is what a typical flow might look like: The principal makes a request of the service provider. The service provider then requests authentication from the identity provider. The identity provider sends a SAML assertion to the service provider, and the service provider can then send a response to the principal.
To verify the IdP configuration for admin SSO: Go to Authentication > User Authentication > IdP Configuration. On the IdP Configuration page, expand the IdP configuration you want to test. For the IdP, make sure that the NameID in the SAML assertion is set to the username of a ZPA admin.
An Entity ID is a globally unique name for a SAML entity, i.e., your Identity Provider (IdP) or Service Provider (SP). It is how other services identify your entity.
Microsoft Entra External ID is a customer identity access management (CIAM) solution that lets you create secure, customized sign-in experiences for your customer-facing apps and services.
Microsoft Entra External ID is our next generation CIAM platform that represents an evolutionary step in unifying secure and engaging experiences across all external identities including customers, partners, citizens, and others, within a single, integrated platform.
Get comprehensive identity and access management capabilities including identity protection, privileged identity management, and self-service access management for end users. Azure AD Premium P2 is now Microsoft Entra ID P2.
IDrive® e2 allows you to create your own identity provider and configure it for SSO. Here are the parameters you will need to implement your own IdP: Admin of the IDrive® e2 account can enable their users to access e2 by signing in to a central identity provider.
A SAML identity provider is a system entity that issues authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML).
Okta acts as the SAML IdP and uses SSO and MFA to authenticate the user. Okta returns an assertion to the client applications through the end user's browser.
Introduction: My name is Tyson Zemlak, I am a excited, light, sparkling, super, open, fair, magnificent person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.
