- Configure your IdP to load the Azure metadata. Further information on loading metadata can be found here.
- Configure your IdP to respond to ECP profile requests. More information can be found here.
- Add relying-party-specific configuration. Azure does not consume encrypted assertions and expects the assertion itself, rather than the enclosing Response, to be signed, so for this relying party assertion encryption must be turned off and only assertions signed. Scope these settings to the Azure relying party override rather than the defaults, so every other service provider keeps receiving encrypted assertions. It is also necessary to set a name identifier format precedence so that the ECP endpoint responds with a NameID in the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" format. The following bean definition can be used verbatim in your configuration.
- Configure the necessary attribute definitions and filter policy. Only one SAML attribute, named "IDPEmail", should be sent. A second attribute definition is typically required in order to supply the Azure ImmutableID for the SAML Subject; give it no attribute encoder, so that it feeds NameID generation but is never released as an attribute in its own right. The ImmutableID source is site dependent, but most frequently it is the "objectGUID" of the user's Active Directory object, and the value Azure expects is the base64 encoding of that GUID's bytes. The following configuration examples are for reference only and must be modified as appropriate to your environment.
- Since Azure requires a proprietary identifier (the ImmutableID) to be carried in the standard "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameID format, you will need an activation condition that restricts the ImmutableID-sourced NameID generator to the Azure relying party only. Without it, other service providers requesting a persistent NameID could receive the directory identifier instead of their usual opaque, per-service value. The following configuration example is for reference purposes and must be modified as appropriate to your environment.
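The four fragments below tie the steps above together as one worked example. They are an added illustration written for this page, not the Shibboleth project's own reference configuration, and they make the following assumptions: the Azure relying party's entityID is `urn:federation:MicrosoftOnline` (confirm it against the metadata you loaded), the IdP uses the v4-style attribute resolver and filter syntax, and `myLDAP`, `mail` and `objectGUID` are placeholders for your data connector and directory attribute names. Each fragment belongs in the file named in its leading comment.

```xml
<!-- relying-party.xml: override for the Azure relying party only.
     Assumed entityID: urn:federation:MicrosoftOnline. Other relying parties
     keep the defaults (encrypted assertions, signed responses). -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="urn:federation:MicrosoftOnline">
        <property name="profileConfigurations">
            <list>
                <!-- browser-based SSO -->
                <bean parent="SAML2.SSO"
                      p:encryptAssertions="false"
                      p:signAssertions="true"
                      p:signResponses="false"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
                <!-- ECP, used by non-browser Office clients -->
                <bean parent="SAML2.ECP"
                      p:encryptAssertions="false"
                      p:signAssertions="true"
                      p:signResponses="false"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
            </list>
        </property>
    </bean>
</util:list>

<!-- attribute-resolver.xml: IDPEmail is the only attribute encoded into the
     assertion. ImmutableID deliberately has no AttributeEncoder, so it is
     available to NameID generation but never appears in an AttributeStatement.
     "myLDAP", "mail" and "objectGUID" are placeholders for site values. -->
<AttributeDefinition xsi:type="Simple" id="IDPEmail">
    <InputDataConnector ref="myLDAP" attributeNames="mail" />
    <AttributeEncoder xsi:type="SAML2String" name="IDPEmail" friendlyName="IDPEmail" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition xsi:type="Simple" id="ImmutableID">
    <!-- Azure expects the base64 encoding of the objectGUID bytes. How the
         connector produces that string (binary attribute handling, a scripted
         encoding step) is site dependent and not shown here. -->
    <InputDataConnector ref="myLDAP" attributeNames="objectGUID" />
</AttributeDefinition>

<!-- attribute-filter.xml: release IDPEmail, and make ImmutableID available to
     the NameID generator, for the Azure requester only. -->
<AttributeFilterPolicy id="AzureAD">
    <PolicyRequirementRule xsi:type="Requester" value="urn:federation:MicrosoftOnline" />
    <AttributeRule attributeID="IDPEmail" permitAny="true" />
    <AttributeRule attributeID="ImmutableID" permitAny="true" />
</AttributeFilterPolicy>

<!-- saml-nameid.xml: a persistent-format NameID sourced from ImmutableID,
     active only when the relying party is Azure. Generators are consulted in
     list order, so this one sits ahead of any general persistent generator;
     other relying parties never match the activation condition and continue
     to receive their usual opaque persistent identifiers. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          p:attributeSourceIds="#{ {'ImmutableID'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidate="urn:federation:MicrosoftOnline" />
        </property>
    </bean>

    <!-- any site-wide persistent generator (if enabled) goes after the Azure-only one -->
</util:list>
```

Two checks are worth making after deploying this. First, request an ECP assertion for a test user and confirm the `<saml2:Subject>` carries a persistent-format NameID whose value is the base64 ImmutableID and that the only attribute present is IDPEmail. Second, request an assertion for a different, non-Azure relying party and confirm its persistent NameID is still the opaque per-service value and its assertion is still encrypted; if either differs, the override or the activation condition is scoped too widely.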