Programmatically Configure SAML-related Single Sign-On configurations

Miguel Alex Cantu 21 Reputation points
2019-11-18T21:59:53.817+00:00

We integrate a lot of apps with SAML SSO (4-5 a week, probably more). Some need custom SAML claims configured and others need the Relay state configured.

Sometimes we configure Sign-On URLs, sometimes we don't.

Needless to say it's becoming an operational headache. We would like to provide a self-service application that could guide our teams into how they can configure their application with SAML SSO, but we are not sure if it's possible to configure the settings mentioned above programmatically.

Essentially what we want is to collect all the information from the user that is needed, run it through a validation engine which runs through a few of our checks, and programmatically create the service principal with the proper configurations, SAML claims and all.

Is this something that's possible given the current state of the Graph API? If not, what does the roadmap look like to close that gap?


2 answers

  1. Vasil Michev 94,911 Reputation points MVP
    2019-11-19T08:04:08.417+00:00

    Microsoft is working along with other major players on the specifications of a new standard that should make the process much easier. It's called FastFed and the current RFC is here: https://openid.net/specs/fastfed-1_0.html

    Until that gets released and implemented though, there's not much you can do.


  2. MrAzureAD 81 Reputation points
    2019-11-20T08:36:58.29+00:00

    Hey Miguel,

    I am absolutely on your side; we share the same pain. This is a required functionality and it should not be a problem to expose anything in the UI via API.

    This was my #1 issue for quite some time and I raised this point more than once when talking to the AAD product group. I do not want to disclose details, but I talked to the responsible PM (say hi to Debbie) and I am quite confident :-)

    There is at least one totally unsupported way of doing that. It absolutely works, but I would never recommend it to anyone. Desperate times sometimes require desperate measures.
    If you absolutely need to know, DM me on Twitter (@MrAzureAD) for more details (including, again, a big fat warning).

    Stay tight,
    MrAzureAD
