How the Microsoft identity platform uses the SAML protocol - Microsoft identity platform (2024)


The Microsoft identity platform uses SAML 2.0 and other protocols to enable applications to provide a single sign-on (SSO) experience to their users. The SSO and Single Sign-Out SAML profiles of Microsoft Entra ID explain how SAML assertions, protocols, and bindings are used in the identity provider service.

The SAML protocol requires the identity provider (Microsoft identity platform) and the service provider (the application) to exchange information about themselves.

When an application is registered with Microsoft Entra ID, the app developer registers federation-related information with Microsoft Entra ID. This information includes the Redirect URI and Metadata URI of the application.

The Microsoft identity platform uses the cloud service's Metadata URI to retrieve the application's signing key and logout URI. This way the Microsoft identity platform can send the response to the correct URL. To update these values in the Microsoft Entra admin center:

  • Open the app in Microsoft Entra ID and select App registrations
  • Under Manage, select Authentication. From there you can update the Logout URL.

Microsoft Entra ID exposes tenant-specific and common (tenant-independent) SSO and single sign-out endpoints. These URLs represent addressable locations, and aren't only identifiers. You can then go to the endpoint to read the metadata.

  • The tenant-specific endpoint is located at https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml. The <TenantDomainName> placeholder represents a registered domain name or TenantID GUID of a Microsoft Entra tenant. For example, the federation metadata of the contoso.com tenant is at: https://login.microsoftonline.com/contoso.com/FederationMetadata/2007-06/FederationMetadata.xml

  • The tenant-independent endpoint is located at https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml. In this endpoint address, common appears instead of a tenant domain name or ID.
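The following Python example, added here and not part of the original article or of any Microsoft library, shows the two tasks the text describes: building the tenant-specific or common metadata URL, and reading the signing certificate and single sign-on / sign-out URLs out of a federation metadata document. It assumes the function names `federation_metadata_url` and `parse_federation_metadata`, and the metadata XML is a constructed sample with a placeholder tenant GUID and placeholder certificate bodies, so it runs offline.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def federation_metadata_url(tenant="common"):
    """Metadata endpoint for a tenant domain/ID, or 'common' (tenant-independent).
    The tenant value is validated so callers cannot inject extra path segments."""
    if not re.fullmatch(r"[A-Za-z0-9.\-]+", tenant):
        raise ValueError(f"invalid tenant identifier: {tenant!r}")
    return (f"https://login.microsoftonline.com/{tenant}"
            "/FederationMetadata/2007-06/FederationMetadata.xml")

def parse_federation_metadata(xml_text):
    """Return entityID, signing certificates and SSO / sign-out URLs from an IdP
    (IDPSSODescriptor) or SP (SPSSODescriptor) metadata document.
    Untrusted XML should be parsed with defusedxml in production code."""
    root = ET.fromstring(xml_text)
    role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor element")
    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        # No 'use' attribute means signing+encryption; an encryption-only key must never verify signatures.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # strip base64 whitespace
    def locations(tag):
        return [e.get("Location") for e in role.findall(f"md:{tag}", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso_urls": locations("SingleSignOnService"),
            "logout_urls": locations("SingleLogoutService")}

# Constructed sample (placeholder tenant GUID and certificate bodies), not real tenant metadata.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""
```

A relying party should fetch the document over HTTPS from the endpoint above and only ever accept assertion signatures made with the `signing_certs` it extracted, never with a key taken from the assertion itself.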

Next steps

For information about the federation metadata documents that Microsoft Entra ID publishes, see Federation Metadata.
