Configuring AzureAD as RapidIdentity Trusted IDP

You can configure AzureAD as RapidIdentity Trusted IDP. This will allow you to utilize your AzureAD password as an Authentication Method in Authentication Policies.

AzureAD Configuration

1. Login to your Azure portal at https://portal.azure.com

   1. At the top, search for and then click on Azure Active Directory.
      

2. In the left pane, click on Enterprise applications

   1. Click New Application
      

   2. Click Create your own application

      1. App Name: RapidIdentity

      2. Leave the “Integrate any other application you don’t find in the gallery (Non-gallery) checked.

      3. Click Create

3. On the Overview page of your new RapidIdentity Enterprise application, click on Assign users and groups to only apply this configuration to your test user(s).

4. Back on the Overview page, click on 2. Set up single sign on

   1. In Azure, click Upload metadata file and upload the RapidIdentity SP metadata
      

   2. This will populate the Basic SAML Configuration box with the RapidIdentity Entity ID and ACS URL
      

   3. In the User Attributes & Claims, you can leave the defaults.
      

   4. Download the certificate in Base64 format, then copy the Login URL, and the Azure AD Identifier from the places below. You will need to plug these into RapidIdentity in the next steps:
      

RapidIdentity Configuration

1. From RapidIdentity, browse to Configuration > General > Settings

   1. On the CORS page, set https://login.microsoftonline.com as an Allowed Origin

2. Browse to Configuration > Security > Identity Providers > Trusted IDPs and click on Add Trusted Identity Provider.

   1. Plugin the Azure EntityID, Login URL, and Certificate into the boxes below:
      

   2. The value for Signing Certificate can be retrieved by opening the Azure certificate in Notepad or from the Azure Metadata XML. It will be enclosed in <X509Certificate></X509Certificate> tags in the Metadata file.

   3. On the attribute mappings, create mappings for user.givenname, user.surname, user.mail, and user.userprincipalname
      

   4. Click Save

3. Browse to Configuration > Policies > Authentication to create an authentication policy to force your test user to use the Trusted IDP configuration.
   Example below:
   
   

Utilizing AzureAD Login Hints

To pass the user’s email address from RapidIdentity to the Office 365 login page automatically, follow this article Trusted IDP Query Parameter Support

Troubleshooting

You should now be ready to test logging in with your test account. If you receive a page that only hasthe “Start Over” button, that means that either your attribute mappings are incorrect or the Signing Certificate you are using in RI’s Trusted IDP config is incorrect. 

• For attribute mappings, try changing the nameID from user.userprincipalname to user.mail in your Azure Enterprise application configuration. 

• For the Signing Certificate, you can get the correct format for the certificate from the Azure Metadata XML file which is enclosed in the <X509Certificate></X509Certificate> tags.