Programmatically creating the AzureAD SAML SSO application (a non-gallery enterprise app): the Identifier (Entity ID) value is not getting updated

Ram 21 Reputation points
2022-06-02T04:54:35.183+00:00
  • Using Microsoft Graph APIs I'm able to create an AAD SAML SSO application (a non-gallery application), but I notice the Identifier (Entity ID) value is not getting populated in the AAD portal on the Edit popup screen, and interestingly the value is showing outside it (under "Basic SAML Configuration") (screenshot added).
  • When I test this SAML configuration with a Service Provider tool of mine, SSO fails and I have to come back to the AAD portal and update this Entity ID value manually in the Edit screen; then SSO works. So I notice it's because the Entity ID is getting updated inconsistently.
  • Programmatically my code looks as below. Please help with any inputs if I'm missing something to get this Entity ID value updated consistently.

    // Assumed imports from the Microsoft Graph Java SDK; graphServiceClient is an already-authenticated GraphServiceClient
    import com.microsoft.graph.models.Application;
    import com.microsoft.graph.models.ServicePrincipal;
    import com.microsoft.graph.models.WebApplication;
    import java.util.Arrays;

    // Create Application
    Application app = new Application();
    app.displayName = "TestName";
    app.identifierUris = Arrays.asList("some uri"); // intended to become the Identifier (Entity ID)
    app.web = new WebApplication();
    app.web.redirectUris = Arrays.asList("https://testredirect.com"); // Reply URL
    Application registeredApp = graphServiceClient.applications()
        .buildRequest()
        .post(app);

    // Create Service principal
    ServicePrincipal sp = new ServicePrincipal();
    sp.appId = registeredApp.appId;
    sp.preferredSingleSignOnMode = "saml";
    sp.tags = Arrays.asList("WindowsAzureActiveDirectoryCustomSingleSignOnApplication", "WindowsAzureActiveDirectoryIntegratedApp");
    ServicePrincipal createdServicePrincipal = graphServiceClient.servicePrincipals()
        .buildRequest()
        .post(sp);

[Screenshot attached: 207649-image.png]


Accepted answer
  AmanpreetSingh-MSFT 56,306 Reputation points
  2022-06-03T07:18:57.723+00:00

    Hi @Ram, thank you for reaching out.

    The recommended way for using Graph API to automate the Registration and SSO configuration of a Non-Gallery application is by using a Gallery application as a template. This allows the creation of the Application and the associated servicePrincipal in a single step. When we do not use the template, the Application and servicePrincipal are created in two different steps, which I am suspecting is causing the above issue. Use the below steps to use a template for this purpose:

    • Run the below call and copy the ID.
      GET https://graph.microsoft.com/v1.0/applicationTemplates?$filter=displayName eq 'Any_Gallery_App'
    • Run the below call to create your non-gallery app and from the output copy the object ID of the servicePrincipal and the application:
      POST https://graph.microsoft.com/v1.0/applicationTemplates/id_from_previous_step/instantiate
      Body:
      {"displayName": "My_NonGallery_App"}
    • Run the below call to enable SAML based authentication:
      PATCH https://graph.microsoft.com/v1.0/servicePrincipals/object_id_of_servicePrincipal
      Body:
      {"preferredSingleSignOnMode": "saml"}
    • Run the below call to set Entity ID and Reply URL:
      PATCH https://graph.microsoft.com/v1.0/applications/object_id_of_application
      Body:
      {"web": {"redirectUris": ["https://signin.example.com/saml"]}, "identifierUris": ["https://signin.example.com/saml"]}

    Validate the Identifier (Entity ID) of the enterprise app in the Azure Portal; you should no longer encounter the above issue.

    Read more: Configure SAML-based single sign-on for your application using the Microsoft Graph API

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
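The four REST calls from the accepted answer, chained together and followed by a read-back check of the servicePrincipal and application objects, so the "validate in the portal" step can be done programmatically. This is an added example, not code from the question, the answer or Microsoft; it is written in Python rather than the question's Java, and the `FakeGraph` transport is a constructed in-memory stand-in so the code runs offline (a real transport would send each request with a bearer token and URL-encode the `$filter` query).

```python
GRAPH = "https://graph.microsoft.com/v1.0"

def provision_saml_app(http, template_name, display_name, entity_id, reply_url):
    """Create a non-gallery SAML app through a gallery template and return
    (application object id, servicePrincipal object id). `http(method, url, body)`
    is any callable returning the decoded JSON response."""
    # Step 1: look up the gallery template to use as a base
    r = http("GET", f"{GRAPH}/applicationTemplates?$filter=displayName eq '{template_name}'")
    template_id = r["value"][0]["id"]
    # Step 2: instantiate creates the application AND its servicePrincipal in one call
    inst = http("POST", f"{GRAPH}/applicationTemplates/{template_id}/instantiate",
                {"displayName": display_name})
    app_id, sp_id = inst["application"]["id"], inst["servicePrincipal"]["id"]
    # Step 3: switch the servicePrincipal to SAML-based sign-on
    http("PATCH", f"{GRAPH}/servicePrincipals/{sp_id}", {"preferredSingleSignOnMode": "saml"})
    # Step 4: Entity ID lives in identifierUris, Reply URL in web.redirectUris
    http("PATCH", f"{GRAPH}/applications/{app_id}",
         {"web": {"redirectUris": [reply_url]}, "identifierUris": [entity_id]})
    return app_id, sp_id

def verify_saml_config(http, app_id, sp_id, entity_id, reply_url):
    """Read both objects back and list any mismatch; an empty list means the
    SAML configuration is consistent on both the app and the servicePrincipal."""
    sp = http("GET", f"{GRAPH}/servicePrincipals/{sp_id}?$select=preferredSingleSignOnMode")
    app = http("GET", f"{GRAPH}/applications/{app_id}?$select=identifierUris,web")
    problems = []
    if sp.get("preferredSingleSignOnMode") != "saml":
        problems.append("servicePrincipal not in SAML mode")
    if entity_id not in app.get("identifierUris", []):
        problems.append("Entity ID missing from identifierUris")
    if reply_url not in app.get("web", {}).get("redirectUris", []):
        problems.append("Reply URL missing from web.redirectUris")
    return problems

class FakeGraph:
    """Constructed stand-in for Graph (ids like 'app-obj-1' are made up)."""
    def __init__(self):
        self.apps, self.sps = {}, {}
    def __call__(self, method, url, body=None):
        path = url[len(GRAPH) + 1:].split("?")[0]
        if method == "GET" and path == "applicationTemplates":
            return {"value": [{"id": "tmpl-0001"}]}
        if method == "POST" and path.endswith("/instantiate"):
            self.apps["app-obj-1"] = {"identifierUris": [], "web": {"redirectUris": []}}
            self.sps["sp-obj-1"] = {"preferredSingleSignOnMode": None}
            return {"application": {"id": "app-obj-1"}, "servicePrincipal": {"id": "sp-obj-1"}}
        kind, obj_id = path.split("/")
        store = self.apps if kind == "applications" else self.sps
        if method == "PATCH":
            store[obj_id].update(body)
            return {}
        return store[obj_id]
```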

