Azure AD IdP initiated SSO

  • Question

  • I want to use Azure AD for signing in to the Opsgenie application. As far as I found, there are two ways of configuring Opsgenie application on the Azure AD. One of them is from the Application Gallery and the other one is from the application registration menu. I have tried both of them but couldn't successfully sign in to the Opsgenie application from the Access Panel. I am able to successfully log in to the application from the Opsgenie side, so the configuration seems to be correct.

    However, when I try to access the application from Azure, I am not able to sign in to the application. Opsgenie shows an error message like "No SAML response was provided". Then I checked the HTTP request sent from Azure to Opsgenie, and I couldn't see any SAML data in the request. I wonder why I am not able to use IdP initiated SSO with Opsgenie and Azure.

    I have a few questions about this issue.

    - In the Opsgenie configuration tutorial from Azure AD, it is written that Opsgenie supports SP initiated SSO. However, I have seen other apps whose Azure configuration docs say "Both SP and IdP initiated SSO is supported". May I ask why Azure does not support IdP initiated SSO for Opsgenie? I ask this here because it is only written in the Azure docs. There is no such information about this in the Opsgenie documentation.
    https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/opsgenie-tutorial

    - This document says that I need a "Subscription or Azure AD Premium" to use SAML SSO. Does this mean I need an Azure AD Premium account to use IdP initiated SSO? Might this be the reason why I am not able to sign in from the Access Panel?
    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

    - I saw that legacy app registration menu support will end this month and the new one does not support URLs that include query parameters. Thus I have configured my application by using the legacy app registration menu. My question is, will an application continue to work after the legacy support ends if it is configured with a URL including query parameters? This question is related to already configured applications. I know that new applications will not be configured using URLs with query params.

    Thanks!

    Wednesday, October 16, 2019 7:55 AM

All replies

  • pysejaci, An IDP by default provides two ways to authenticate, i.e. IDP initiated Sign-On and SP Initiated Sign-On. But it all depends on the application, which type it prefers or supports and which method the users of this application use to get themselves authenticated.

    In Azure AD, we have incorporated a few hundred applications that are widely used across the globe. With this we mean, these applications are already added to Azure AD, and the user can just pick the respective app, register it within their Tenant and start using it after making the necessary configurations on both sides (Azure AD and on the App's side). The reason you are not able to access the application from the Access Panel is just that this application doesn't support IDP-Initiated SignOn.

    Now coming to the error that you mentioned, "No SAML response was provided", this is because Azure never shared any SAML response with the application (Opsgenie), since Opsgenie may not have sent a SAML request to the IDP (i.e. Azure AD). This is what I can assume looking at the error.

    Probable causes may be that the user never tried signing in using the SP initiated signon method, which is what is expected to be used in the case of this application as documented. It would be hard to state why you can't use IDP initiated signon for this application with Azure AD, but while looking through the Opsgenie documentation, I stumbled upon this article: "https://docs.opsgenie.com/docs/single-sign-on-with-opsgenie".

    Here I found this:

    Provisioning new users automatically

    If you have "Provision new users on the first login automatically." setting as enabled, Opsgenie will create and add your users to your account automatically, on their first login via SSO. The first login in this case must be initiated in the Identity provider.

    Note: Provisioning is not available for Azure Active Directory.

    This might be the answer, but I am not sure completely.

    Coming to your second query regarding the Azure AD Premium licence requirement, to use the SAML SSO features in a registered application in AAD, the Azure AD P1 license is needed. You just need to buy an Azure AD P1 license and use it, but this has got no relevance to IDP-Initiated SignOn or SP-Initiated SignOn.

    Regarding the last query about the legacy app registration support for already configured applications with query parameters, I honestly do not have an answer to this as of now. But I can look into this and update you with more details soon.

    I hope the rest of the details shared in this response help you. In case you have any more queries, apart from the last point, do let me know so that we can help you better with the answers to those queries.

    ---------------------------------------------------------------------------------------------------------------------------------------

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Wednesday, October 16, 2019 9:07 AM
    Moderator
  • >Now coming to the error that you mentioned "No SAML response was provided", this is because, Azure never shared any SAML response to the application (Ops Genie), since OPs Genie may not have sent a SAML request to the IDP (i.e Azure AD). This is what I can assume looking at the error.

    Do you have any information about other applications provided by Azure? Do they send a SAML request to Azure AD to get a SAML response? This doesn't seem logical to me since the action is called IdP initiated SSO. Thus, it does not make sense to expect Opsgenie to send a SAML request for the login attempts initiated from the Access Panel. I would expect Azure AD to send a SAML response without a request from Opsgenie when the application is clicked from the Access Panel by the user; as far as I know this is how other IdPs work. We are 100% sure that we already integrated with Centrify and OneLogin without sending a SAML request first with their IdP initiated SSO.

    For IDP initiated SSO, can you please make sure and inform if Azure AD expects a SAML request from Opsgenie or not? We need further detail to take actions.

    >Coming to your second query regarding the Azure AD Premium licence requirement, to use the SAML SSO features in an registered application in AAD, the Azure AD P1 license is needed. You just need to buy a Azure AD P1 license and use it, but this has got no relevance with IDP-Initiated SignOn or SP-Initiated SignOn.

    My previous Azure AD experience conflicts with what you stated. I was using SAML SSO features (SP initiated) with a Free account. So SAML SSO features don't seem to require an Azure AD P1 license. Can you please check if this is for all SAML SSO features or only for IdP initiated SSO?

    >Regarding the last query about the legacy app registration support already configured applications with query parameters, honestly do not have an answer to this as of now. But I can look into this and can update you with more details soon.

    Thanks for the information you provided. This has very high priority on our side so I will be waiting for your update.

    Thanks!

    Wednesday, October 16, 2019 1:00 PM
  • pysejaci, There are a lot of applications that do send a SAML request to the IDP (in this case Azure AD) to get a SAML response. One of them is the Salesforce application.

    You can also check the following URL, which speaks about another Gallery Application's configuration with AAD, where that App supports IDP-Initiated Signon, and the configuration steps are mentioned in this article.

    https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/samlssoconfluence-tutorial

    Now, we can dig more into why IDP initiated SignOn is not working for Opsgenie, by looking into the HTTP calls that we can collect by running the Fiddler tool.

    Having said that, an IDP-Initiated flow poses certain security risks, due to which it is not recommended by IDPs. By default most of the apps support only SP initiated Signon, except a few apps that only support IDP-Initiated SignOn.

    You can also check the following URL where the discussion about SP-Initiated SignOn had happened: https://social.msdn.microsoft.com/Forums/en-US/d167c461-1f6f-45df-9197-5d77bb3c9254/does-azure-support-idp-initaited-sso-solution?forum=WindowsAzureAD

    Regarding the Azure AD P1 license requirement, we recommend using an Azure P1 license, because with a P1 license you get the power to use the SSO feature for unlimited applications, whereas if you are using a Free license or a Basic license (like an Office 365 Apps license), it would only allow you to use SSO for 10 Apps. Again, this has nothing to do with IDP-initiated Sign-On or SP Initiated SignOn, as these are 

    You can find more details about the licenses here: https://azure.microsoft.com/en-in/pricing/details/active-directory/

    Regarding the last query about the legacy app registration support for already configured applications with query parameters, I just got a confirmation that there are no plans to deprecate those.

    Do let me know if I missed answering any of the queries. Please do point those out so that I can help you with answers to those. Also, in case there are more queries around this, please feel free to share those as well so that we can help you further.

    ---------------------------------------------------------------------------------------------------------------------------------------

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Thursday, October 17, 2019 2:12 PM
    Moderator
  • Thank you for your detailed response, this was very helpful for us. I have some further questions regarding the IdP initiated SSO workflow. Are there any applications in the Azure App Gallery that do not send a SAML request but get a SAML response directly when the login action is initiated from the IdP side, i.e. the Access Panel? In other words, is sending the SAML request the only way to get a SAML response from Azure AD? This was also asked in the forum post you shared but I could not see a response to that question. Receiving the response without a request would be our first preference since other IdPs work in that way.

    If there is absolutely no way to receive a SAML response without sending a request first, can you also provide some information about the workflow of this process? Any pointer documents will help a lot to initiate the process on our side. I would like to learn how Azure AD triggers the request that will be sent by the Service Provider and what kind of SAML request is expected from the Service Provider before sending the SAML response in the case of IdP initiated SSO.

    This issue is very vital for us as Opsgenie since I am currently trying to initialize IdP based integration for Opsgenie app.

    Thanks!

    Friday, October 18, 2019 9:46 AM
  • Hi, 

    Yes, the following application "https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/samlssoconfluence-tutorial" supports both IDP and SP initiated signons. Hence it depends on which type of signon the user is using to access this app. If IDP, you will see a SAML response without a SAML request.

    Receiving a SAML response without a SAML request itself defines IDP initiated Signon. If the App supports IDP, yes, you can get a SAML response without a SAML request, if the user goes the IDP-Initiated SignOn route to access the App. In the case of IDP initiated SignOn, there is a SAML assertion that gets generated by the IDP, which is later consumed by the Application.

    Regarding the documentation, this is the official documentation from OASIS [Organization for the Advancement of Structured Information Standards] which defines the SAML IDP and SP initiated Signon processes:

    IDP Initiated SignOn:

    https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf#page=34&zoom=100,0,96

    SP-Initiated SignOn:

    https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf#page=27&zoom=100,0,921

    Hope this helps.

    ---------------------------------------------------------------------------------------------------------------------------------------

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Monday, October 21, 2019 5:08 PM
    Moderator
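The moderator's point that a SAML Response arriving with no preceding AuthnRequest is what defines IdP-initiated sign-on, together with the earlier remark that IdP-initiated flows carry extra security risk, can be made concrete from the service provider's side. The following Python is an added example written for this thread; it is not code from Opsgenie, Azure AD or any poster. The ACS URL, the outstanding request ID, the tenant placeholder and the constructed, unsigned sample Response are assumptions. It shows the check that yields a "No SAML response was provided" style error when the POST to the Assertion Consumer Service carries no SAMLResponse field (the symptom in the original question), and how an SP tells an SP-initiated response (InResponseTo matching a stored AuthnRequest ID) from an unsolicited, IdP-initiated one, which it should accept only when explicitly configured to.

```python
"""ACS-side handling of a SAML 2.0 Response (added example, not Opsgenie's or Azure AD's code).

Signature verification is assumed to have happened before this step; this code only
shows the request/response correlation that separates SP-initiated from IdP-initiated
sign-on, plus the "no SAMLResponse in the POST" condition.
"""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "https://sp.example.test/saml/acs"  # assumed SP endpoint


@dataclass
class Outcome:
    ok: bool
    flow: Optional[str]  # "sp-initiated", "idp-initiated" or None when undetermined
    reason: str


def build_response(in_response_to: Optional[str], destination: str = ACS_URL) -> str:
    """Return a base64-encoded, constructed sample Response (unsigned, for demonstration only)."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    doc = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp1" Version="2.0" IssueInstant="2019-10-16T07:55:00Z" '
        f'Destination="{destination}"{attr}>'
        '<saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-10-16T07:55:00Z">'
        '<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(doc.encode()).decode()


def consume(post_body: str, outstanding_request_ids: Set[str], allow_unsolicited: bool) -> Outcome:
    """Process the form-encoded body of an HTTP POST to the ACS."""
    form = parse_qs(post_body)
    if "SAMLResponse" not in form:
        # This is the situation the original question describes: the POST reached the SP
        # but carried no SAML data at all.
        return Outcome(False, None, "No SAML response was provided")
    try:
        root = ET.fromstring(base64.b64decode(form["SAMLResponse"][0]))
    except (ValueError, ET.ParseError) as exc:
        return Outcome(False, None, f"malformed SAMLResponse: {exc}")
    if root.tag != f'{{{NS["samlp"]}}}Response':
        return Outcome(False, None, "not a samlp:Response")
    # Destination must be this ACS, so a response minted for another endpoint is not replayed here.
    if root.get("Destination") != ACS_URL:
        return Outcome(False, None, "Destination does not match this ACS")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return Outcome(False, None, "non-success status")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # No AuthnRequest preceded this response: IdP-initiated (unsolicited) sign-on.
        if not allow_unsolicited:
            return Outcome(False, "idp-initiated", "unsolicited response rejected (SP-initiated only)")
        return Outcome(True, "idp-initiated", "unsolicited response accepted")
    # SP-initiated: the response must answer an AuthnRequest this SP actually issued.
    if in_response_to not in outstanding_request_ids:
        return Outcome(False, "sp-initiated", "InResponseTo does not match an outstanding AuthnRequest")
    outstanding_request_ids.discard(in_response_to)  # each request ID is honoured once
    return Outcome(True, "sp-initiated", "response matched AuthnRequest")


def demo() -> dict:
    """Run the five cases a practitioner would want to see side by side."""
    ids = {"_req42"}  # assumed ID of an AuthnRequest this SP sent earlier
    idp_post = urlencode({"SAMLResponse": build_response(None)})
    sp_post = urlencode({"SAMLResponse": build_response("_req42")})
    return {
        "missing": consume("RelayState=abc", set(ids), allow_unsolicited=False),
        "idp_rejected": consume(idp_post, set(ids), allow_unsolicited=False),
        "idp_accepted": consume(idp_post, set(ids), allow_unsolicited=True),
        "sp_ok": consume(sp_post, set(ids), allow_unsolicited=False),
        "sp_replay": consume(sp_post, set(), allow_unsolicited=False),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} ok={outcome.ok!s:5s} flow={outcome.flow} reason={outcome.reason}")
```

The design choice worth noting is the `allow_unsolicited` switch: an unsolicited response cannot be tied to a login the SP itself started, so an SP that accepts IdP-initiated sign-on is relying entirely on the signature, Destination, audience and timestamp checks to keep a captured response from being replayed, which is the risk the moderator alludes to. An SP that only supports SP-initiated sign-on simply rejects any response lacking a matching `InResponseTo`.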
  • Hi pysejaci,

    I wanted to follow up with you to check if the above response helped you in answering your queries. If it did, please mark the response as "Answer", so that it helps others too.

    If you have any more queries around this, please feel free to update me with those so that we can help you further.

    Wednesday, October 23, 2019 4:58 AM
    Moderator
  • Hi,

    Thanks again for your detailed responses. Your responses and the documents you provided helped us to understand the general SSO workflow in Azure. We have some further questions, but these questions will be specific to enabling IDP initiated SSO for Opsgenie.

    >In Azure AD, we have incorporated with few hundred applications that are widely used across the globe. With this we mean, these applications are already added to the Azure AD, and the user can just pick the respective app and register it within their Tenant and start using it after make the necessary configurations on both the sides (Azure AD and on the Apps Side). You are not able to access the application from the Access Panel is just because this application doesn't support IDP-Initiated SignOn.

    You mentioned that the Opsgenie application does not support IDP initiated SSO. So, what are the steps that should be taken in order to support IDP initiated SSO for the Opsgenie application on the Azure AD side? We have confirmed that Opsgenie supports IDP initiated SSO and it works well with other IDPs such as Okta.

    Wednesday, October 23, 2019 7:16 AM
  • pysejaci, I apologize for the delay in my response on this thread. Do allow me some time to check on this and I will get back to you with some answers shortly.

    Friday, November 22, 2019 6:16 AM
    Moderator