Step 1: Add a new External Federation for Azure in SPP and Create an Enterprise App in Azure AD
1. From Settings | Identity and Authentication, add a new External Federation. Enter name, description, and the realm (the realm should be the email or UPN suffix that users use to logon to Azure such as yourdomain.com). Click Download Safeguard Federation MetaData and leave the window open without clicking OK.
2. Open the Safeguard Federation file downloaded into a text editor.
Copy the entityID attribute of the
3. Login to Azure as a tenant admin, browse to the AAD admin portal, click on Enterprise Applications and hit the + to add a new application.
5. Scroll down and download the Federation Metadata XML.
6. Assign the required users to Enterprise Application
7. Back to Safeguard, click Browse and select the Federation Metadata downloaded from Azure and then click OK to save.
Step 2: Modify the Attributes & Claims for this Enterprise App in Azure AD
Edit the Attributes & Claims to use only one claim that will be sent to SPP:
In Azure AD > Click on Enterprise Application > Click on the App name > select Single Sign-On
- Click edit next to Attributes & Claims
- Click on the claim listed under Required Claim as Unique User Identifier (Name ID)
- Leave the Name Identifier format set as: Email Address
- Modify the source attribute value to either: user.userprincipalname OR user.mail (based on your preference)
- Remove all other claims listed under "Additional Claims" by clicking on the three dots > Delete for each of these other claims as shown below.
Step 3: Match SPP AD attribute (External Federation Authentication) with the Required Claim configured in the Enterprise App
In SPP > under Identity and Authentication > Edit the Active Directory provider > Attributes:
- Look for External Federation Authentication
This is set to mail by default and needs to match what is configured in the Enterprise Application Required Claim as the Unique User Identifier (Name ID)
So if you set the Required Claim for Unique User Identifier (Name ID) as user.userprincipalname then the External Federation Authentication attribute in SPP must match it and set as: userPrincipalName
Likewise if this Required Claim for Unique User Identifier (Name ID) was set as user.mail then the External Federation Authentication attribute in SPP must be set to match it as: mail