Example: SAML Based Authentication with Microsoft Entra ID
  • 10 Jul 2024
  • 4 Minutes to read
  • Dark
  • PDF

Example: SAML Based Authentication with Microsoft Entra ID

  • Dark
  • PDF

Article summary

The following example describes how to enable SAML-based authentication in Axonius with Microsoft Entra ID (formerly Azure AD).

Before doing the configuration: Make a note of the value for IDP you want to use for this configuration. You will need to add it to the URLs in Entra ID.

Do the following in Axonius:

  1. Download the metadata file provided by Axonius in the link: https://<axonius_hostname>/api/login/saml/metadata/
    Remember where you save this file. It will be needed later.

Do the following in Microsoft Entra ID:

  1. Log in to the Entra ID portal, go to Azure Active Directory, and click Enterprise Applications.

  2. Click All applications.

  3. On the top toolbar, click New application to create an application for Axonius.

The Cloud application gallery is displayed.

  1. Click Create your own application.

  2. Enter a name for your application and select the option Integrate with any other application you don’t find in the gallery (Non-gallery) click Create.

  3. After your application is created, go to Users and groups to configure the access policy.

  4. Click Add user.

  5. Search for and select the users and groups who will be authorized to use Axonius. Each user or group selected appears in the Selected list to the right. After you finish, click Select at the bottom of the pane and then Assign.

  6. Under Manage click Single sign-on and then SAML.

  7. Click Upload metadata file and then the file folder SAMLEntraID-BlueFolder.png to the right. Select the metadata file you downloaded from Axonius in the first step above and click Add.

The URLs are populated into the Identifier, Reply URL, and Logout URL fields.

  1. Optionally, show advanced URL settings and set the Sign on URL if you would like to configure identity-provider initiated SSO. If you choose to enable this, the Axonius app will be listed in the applications portal for all the authorized users.
    The Sign on URL is always : https://<axonius_hostname>/api/login/saml


  1. In Attributes and Claims, verify that givenname, surname, and name are listed. If not, click Edit to add them so that Axonius can get the ID, given name and surname of any user that signs in.

  2. Click Save.

  3. Copy the App Federation Metadata Url in SAML Signing Certificate.


    If you need the PEM-encoded signing certificate:

    1. In EntraID, go to SAML Certificates and click Edit.

    2. From the 3-dot menu, select Base64 certificate download.

    3. After downloading the certificate to your local system, upload it to your Axonius instance by going to Settings -> Access Management -> LDAP & SAML and find the relevant SAML Instance.
      SAML settings.png

    4. Click Upload File next to IdP signing certificate (Base64 Encoded), select the certificate file and click Save

Do the following in Axonius:
See SAML-Based Login Settings for a description of these fields.

  1. Log in to Axonius as an administrator, then go to Settings -> Access Management -> LDAP & SAML, and toggle on Allow SAML- based logins.
  2. Enter Entra ID in Name of the identity provider.
  3. In Unique name of IDP, enter a unique name for this SAML configuration. See Unique Name of IDP below.
  4. Paste the metadata URL into Metadata URL.
  5. Under User Assignment Settings:
    • In Default role for new SAML user only user, select a default role. This role is assigned when there is no matching assignment rule.
    • In Default Data Scope for new SAML user only, select the Data Scope to assign to new users. This Data Scope is assigned when there is no matching assignment rule.
    • In Evaluate user assignment on, select to which users the role assignment setting will apply.
      • New users - The selected role is assigned to new users logging in with SAML for the first time.
      • New and existing users - The selected role is assigned to all users when they log in with SAML.
  6. Click Save.

Do the following in Microsoft Entra ID:

  1. In Entra ID, under Manage, click Single sign-on.
  2. in Basic SAML Configuration, click Edit.
  3. In Identifier (Entity ID), append ?idp=XX to the end of the URL where XX is the IDP.
  4. In Reply URL, add the IDP into the URL just before acs. For example, configurl/XX/acs.
  5. Click Save.

The user should now be able to log in to Axonius with AzureAD.

Verify the configuration works both ways - Axonius to AzureAD and AzureAD to Axonius

  1. Log in to Axonius using AzureAD and log out just to confirm it works.
  2. In AzureAD, under Manage, click Properties.
  3. Copy the User access URL and paste it into a new browser tab to confirm it takes you to Axonius.

Unique Name of IDP

When configuring a SAML connection within Axonius you may be asked to provide a "Unique name of IDP" value. This is an arbitrary value that is used to maintain IDP uniqueness in environments that use more than one SAML configuration. If a "Unique name of IDP" value is provided, it must also be appended with a leading ?idp= to the url in the Azure SSO Application configuration under the "Identifier (Entity ID)" field.
In the example screenshots, an IDP value of "12345678" has been configured.


Screenshot 2023-06-08 at 07.01.35.png

Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.