Single Sign On (SSO) for Your Application Using Azure AD

miniOrange provides a ready-to-use Azure AD Single Sign-On (SSO) solution for your application. With it you can roll out secure access to your application using Azure AD within minutes.

Step 1: Configuring miniOrange as Service Provider (SP) in Azure AD

  • Log in to the Azure AD Portal.
  • Select Azure Active Directory > Enterprise Applications.
  • Click on New Application.

  • Click on the Non-gallery application section, enter a name for your app and click on the Add button.
  • Click on Single sign-on in the application's left-hand navigation menu. The next screen presents the options for configuring single sign-on. Click on SAML.
  • For Basic SAML Configuration you need the Entity ID and ACS URL from miniOrange.
  • Go to the miniOrange Dashboard in the left navigation menu. Click on Try miniOrange as SP.
  • In the SP-INITIATED SSO section, select Show Metadata Details.

  • Enter the values in Basic SAML Configuration as shown in the screen below:
    Identifier (Entity ID): Entity ID or Issuer
    Reply URL (Assertion Consumer Service URL): ACS URL
    Sign on URL (optional; required for IDP-initiated SSO): Show SSO Link from Step 4

  • By default, the following Attributes will be sent in the SAML token. You can view or edit the claims sent in the SAML token to the application under the Attributes tab.

  • Download the Federation Metadata XML. It is used when configuring Azure AD as IDP in Step 2.

  • Assign users and groups to your SAML application
    • As a security control, Azure AD will not issue a token allowing a user to sign in to the application unless Azure AD has granted access to the user. Users may be granted access directly, or through group membership.
    • Click on Users and groups in the application's left-hand navigation menu. The next screen presents the options for assigning users/groups to the application.
    • After clicking on Add user, select Users and groups in the Add Assignment screen.
    • The next screen presents the option to select a user or invite an external user. Select the appropriate user and click on the Select button.
    • Here, you can also assign a role to this user under the Select Role section. Finally, click on the Assign button to assign that user or group to the SAML application.

Step 2: Configure Azure AD as Identity Provider (IDP) in miniOrange

  • Go to miniOrange Admin Console.
  • From the left navigation bar, select Identity Provider.
  • Select SAML. Click on Import IDP metadata.
  • Choose an appropriate IDP name. Browse for the file downloaded in Step 1.
  • Click on Import.
  • As shown in the screen below, the IDP Entity ID, SAML SSO Login URL and X.509 Certificate will be filled in from the imported file.
  • A few other optional features that can be added to the Identity Provider (IDP) are listed below:
    Domain Mapping: can be used to redirect users of a specific domain to a specific IDP
    Show IdP to Users: enable this if you want to show this IDP to all users during login
    Send Configured Attributes: enabling this allows you to add attributes to be sent from the IDP
  • Click on Save.

Step 3: Test Connection

  • Go to Identity Providers tab.
  • Click on Select >> Test Connection against the Identity Provider you configured.
  • On entering valid Azure AD credentials you will see a pop-up window as shown in the screen below.
  • Your configuration of Azure AD as IDP in miniOrange is now successfully completed.

Step 4: Configure Your application in miniOrange

  • Login to miniOrange Admin Console.
  • Go to Apps >> Manage Apps and click the Configure Apps button.
  • Here you add your application according to the protocol it supports, such as SAML, OAuth, JWT, WS-Fed etc.

  • For example, let's say the application supports SAML. Click on the SAML tab and search for Custom App.

  • Get the ACS URL and SP Entity ID from your application.

  • Enter the following values, or click on Import SP Metadata:
    Service Provider Name: choose an appropriate name of your choice
    SP Entity ID or Issuer: your application's Entity ID
    ACS URL: your application's Assertion Consumer Service URL
    X.509 Certificate (optional)
    NameID Format: select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    Response Signed: Unchecked
    Assertion Signed: Checked
    Encrypted Assertion: Unchecked
    Group policy: Default
    Login Method

  • Click on Save to configure your application.
  • Now, to get the IDP metadata of the configured app, go to Apps >> your_app >> Select >> Metadata tab.
  • Click on Show Metadata details in the Information required to Authenticate via External IDPs section. Download the metadata XML file by clicking on the Download Metadata button, or copy the Metadata URL link.
  • Upload this metadata in your application.
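Step 2 (importing the Azure AD Federation Metadata XML as IDP) and Step 4 (importing SP metadata, or downloading miniOrange's metadata for your application) both exchange a SAML 2.0 EntityDescriptor carrying an entity ID, one or more endpoints and a signing certificate. The following added example, written for this guide and not part of miniOrange's or Microsoft's code, parses either an IdP or an SP descriptor and reports those values, with a SHA-256 fingerprint of each signing certificate so you can compare the import against what the Azure portal shows before clicking Save. The metadata documents, tenant IDs and certificate bytes in it are constructed placeholders, not real values.

```python
"""Parse a SAML 2.0 EntityDescriptor (IdP or SP) and report the values
the guide asks you to copy: entityID, endpoints, signing-cert fingerprint."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of a base64-encoded DER certificate."""
    der = base64.b64decode("".join(b64_cert.split()))  # metadata often wraps the base64
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_metadata(xml_text: str) -> dict:
    """Return entity ID, role, endpoints keyed by binding, and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")

    info = {"entity_id": root.get("entityID"), "role": None,
            "endpoints": {}, "signing_cert_sha256": []}

    role = root.find("md:IDPSSODescriptor", NS)
    if role is not None:
        info["role"] = "IdP"
        endpoint_tag = "md:SingleSignOnService"       # Step 2: SAML SSO Login URL
    else:
        role = root.find("md:SPSSODescriptor", NS)
        if role is None:
            raise ValueError("no IDPSSODescriptor or SPSSODescriptor found")
        info["role"] = "SP"
        endpoint_tag = "md:AssertionConsumerService"  # Step 4: ACS URL

    for ep in role.findall(endpoint_tag, NS):
        info["endpoints"][ep.get("Binding")] = ep.get("Location")

    for kd in role.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                info["signing_cert_sha256"].append(cert_fingerprint(cert.text))
    return info


# Constructed samples shaped like an Azure AD federation metadata file and a
# minimal SP metadata file. TENANT-ID-PLACEHOLDER and the hostnames are
# placeholders; the certificate bytes are NOT a real certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""
SAMPLE_SP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.test/saml/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://app.example.test/saml/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    for doc in (SAMPLE_IDP_METADATA, SAMPLE_SP_METADATA):
        parsed = parse_metadata(doc)
        print(parsed["role"], parsed["entity_id"])
        for binding, location in parsed["endpoints"].items():
            print("  ", binding.rsplit(":", 1)[-1], location)
        print("   signing certs:", parsed["signing_cert_sha256"])
```

Compare the reported entity ID and SSO URL with the fields miniOrange fills in after the import, and the fingerprint with the certificate thumbprint shown under SAML Signing Certificate in the Azure portal; a mismatch means the wrong metadata file (or a stale one, after a certificate rollover) was imported. The SP sample has no KeyDescriptor, so its fingerprint list is empty, which is the case when Response Signed and Encrypted Assertion are left unchecked as in Step 4.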

Setup Multiple IDPs (Optional)

    You can also set up multiple IDPs for a single application. There are two ways to present them:

  • Login using IDP selection page: gives the user the option to select an IDP from a dropdown list.
  • Domain Mapping: here we map email domains to a particular IDP, so when a user enters an email address with a specific domain, they are redirected to the respective IDP.
  • Note: you can select only one of these at a time.

A] Login using IDP selection page

  • You can configure multiple IDPs (identity providers) and give users the option to select the IDP of their choice to authenticate with.
    For example, these could be multiple AD domains belonging to different departments, or multiple Okta organizations.
  • A few use cases where customers configure multiple IDPs:

  • Suppose you have a product which many of your clients use and each client has their own unique IDP so you want them to SSO into your product as well using their existing IDP only. miniOrange provides a centralized way to connect with all IDPs in a very easy manner and integrate SSO into your application.
  • Suppose you are providing a course to many universities, each having a unique IDP like Shibboleth, ADFS, CAS, etc. You can provide single sign-on (SSO) into your course application to all these universities by integrating with all of them using a single platform provided by miniOrange.
  • This is the endpoint to call from your SAML application:
    For Cloud IDP - https://login.xecurify.com/moas/discovery?customerId=<customer_id>
    For On-Premise IDP - https://yourdomain.com/discovery?customerId=<customer_id>
  • You can see the screenshot below of the IDP Selection Page with a list of IDPs.

    Note: To show an IDP in the drop-down list, go to the Identity Providers tab, then against your configured IDP select Select > Edit and enable the Show IdP to Users option.

  • You can also change the look and feel of this page. Log in to the miniOrange Admin Console and navigate to Customization -> Branding Configuration. See the screenshot below for reference.
  1. You can customize the title of this page.
  2. You can change the logo and favicon for this page.
  3. You can change the background and button color for this page from the admin UI.

B] Login via Domain Mapping

If you have multiple IDPs and you want one set of users to authenticate with one IdP and another set of users to authenticate with a different IdP, based on their email domains, you can achieve this with our domain mapping feature using the following steps:

  • We have provided a Domain Mapping field under each IdP where admins can enter the domain, e.g. demo.com, example.com, as shown in the screenshot below.
  • For your reference, Okta and OneLogin are used as two different IDPs and WordPress is used as the SP. Follow the guides to set up Okta, OneLogin and WordPress at your end.
  • Once the setup is complete, you can log in through your WordPress site.
  • Let's say in the Okta IDP Domain field we enter example.com and in the OneLogin IDP Domain field we enter demo.com.
  • A user logging in with the example.com domain will be redirected to the Okta IDP.
  • A user logging in with an email address in the demo.com domain will be redirected to the OneLogin IDP.
  • Once the user has authenticated through the respective IDP, they are redirected back to the WordPress site.
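The routing described in section B is easy to misjudge at the edges: mixed-case domains, subdomains, addresses whose domain nobody mapped, and malformed input. The following added example models it so an admin can reason about what the login box will do; it is written for this guide and is not miniOrange's code. Its assumptions, labelled in the comments, are that domains are matched exactly and case-insensitively, that an unmapped domain falls back to the IDP selection page, and that a malformed address is rejected before any IdP is contacted. The Okta/OneLogin mapping is the one from the text, with a constructed second OneLogin domain added to show a comma-separated field.

```python
"""Model of email-domain based IdP routing (Domain Mapping), added example.

Assumptions (not taken from the miniOrange documentation): exact,
case-insensitive domain match; unmapped domain -> IDP selection page;
malformed address -> no IdP is contacted at all.
"""
from typing import Dict, Optional

# Constructed mapping: what an admin typed into each IdP's Domain Mapping field.
# example.com -> Okta and demo.com -> OneLogin come from the text above;
# demo.org is an added second domain to show a comma-separated field.
DOMAIN_MAPPING_FIELDS = {
    "Okta": "example.com",
    "OneLogin": "demo.com, demo.org",
}
SELECTION_PAGE = "IDP_SELECTION_PAGE"   # fallback when no domain matches


def build_domain_index(fields: Dict[str, str]) -> Dict[str, str]:
    """Turn {idp: 'a.com, b.com'} into {'a.com': idp, 'b.com': idp}.

    Refuses a domain listed under two different IdPs: that configuration
    would make the routing depend on iteration order, which is never wanted.
    """
    index: Dict[str, str] = {}
    for idp, raw in fields.items():
        for dom in raw.split(","):
            dom = dom.strip().lower()
            if not dom:
                continue
            if dom in index and index[dom] != idp:
                raise ValueError(f"domain {dom} is mapped to both {index[dom]} and {idp}")
            index[dom] = idp
    return index


def route_login(email: str, index: Dict[str, str]) -> Optional[str]:
    """Return the IdP name for this address, SELECTION_PAGE if unmapped, None if malformed."""
    email = email.strip()
    if email.count("@") != 1:
        return None                      # malformed: nothing is sent to any IdP
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()              # DNS names are case-insensitive
    if not local or not domain:
        return None
    # Exact match only (assumption): mail.example.com is not example.com unless
    # the admin lists it explicitly, so a lookalike subdomain cannot borrow a mapping.
    return index.get(domain, SELECTION_PAGE)


if __name__ == "__main__":
    idx = build_domain_index(DOMAIN_MAPPING_FIELDS)
    for addr in ["alice@example.com", "Bob@DEMO.com", "carol@demo.org",
                 "dave@mail.example.com", "eve@other.net", "not-an-email"]:
        print(f"{addr:24} -> {route_login(addr, idx)}")
```

Domain mapping only chooses which IdP receives the authentication request; the IdP still has to authenticate the user, and the application should still check that the asserted email in the returned SAML response belongs to the domain that was routed, since the mapping decision was made on unauthenticated user input.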