We can use the Azure Active Directory Admin Center to add an enterprise application to your Azure Active Directory (Azure AD) tenant. Azure AD has a gallery that contains thousands of pre-integrated enterprise applications. Many of the applications your organization uses are probably already in the gallery, and with just a few clicks we can add them to your tenant.
As administrators, this makes our job easier when a user joins or leaves the organization: we have a single identity for all the applications our workforce uses, and we manage them from the AAD portal itself.
In this guide, we will see how to add an application (Dropbox for Business), integrate it with SAML Single Sign-On, and automate user provisioning to the application. Other authentication methods such as OAuth and OpenID Connect can be used as well.
Before that let’s understand the basics about SAML quickly!
SAML is an open standard protocol used for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).
In our case,
IdP = Azure AD
SP = Dropbox
Add an enterprise application
Step 1
Go to the AAD portal and click Azure Active Directory → Enterprise Applications → “+ New App”
Step 2
Search for Dropbox and click Create.
We can rename the app as well. In the properties we can see that automatic provisioning is supported, as well as SAML SSO, which makes it perfect for our case.
Step 3
Within a few seconds the application will appear under the All Applications section.
Step 4
You can assign this to users/groups. Let’s assign one user, the same user I will be using as the admin for creating the Dropbox for Business trial.
Step 5
Now we will create a Dropbox for Business trial as the user to whom we assigned the application in Azure AD.
The user will receive a verification email. Click the link in it to verify.
Step 6
Once verified, you will be asked for some basic settings such as the Team Name, after which you will land on the page below.
Notice the Admin Console, where we will find the settings for SSO.
Step 7
You will be redirected to the Admin Console. Click Settings → Single Sign-on
Step 8
Copy the SSO sign-in URL and paste it in a notepad; you will need it later in the AAD portal.
This will be the landing page once SSO is verified.
Step 9
Now click Overview, select Single sign-on and select SAML in the next dialog box.
Step 10
The set-up steps are numbered, as you can see below. Click Edit on Step 1.
Step 11
We will fill in the Sign on URL, Entity ID and Reply URL, as they are mandatory fields.
The Entity ID will be populated automatically. If not, fill in the URL shown below.
Scroll down to find the Sign on URL and paste the link we copied from the Dropbox Admin Console in Step 8.
Click on Reply URL and paste the URL shown below in the box. The Reply URL is the address to which the IdP (Azure AD) sends its SAML response, via the user’s browser.
Step 12
In Step 2 of the set-up, we specify the attributes (claims) that will be used to identify the user and map them to the Dropbox account. We can limit these attributes and decide which data is shared with the service provider.
Step 13
Download the certificate. The metadata XML file provides the details needed to establish trust between the two parties and to verify the authenticity of the SAML response. The metadata includes the SAML version, the Assertion Consumer Service URL (the Reply URL in AAD), the Issuer ID (the Entity ID), and so on.
We will have to upload this in the Dropbox Admin Console.
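As an added example that is not code from the original post, here is a small Python script that parses an IdP metadata document of the kind downloaded in this step and then checks a SAML response against it: the issuer must equal the IdP entity ID, the Destination must be our Reply URL, the audience must be our Entity ID, and the assertion must be inside its validity window. All XML, URLs and the tenant ID are constructed placeholders, and signature verification with the downloaded certificate is left out because it needs an XML-DSig library.

```python
# Added example, not code from the original post. Parses an IdP metadata XML (as downloaded
# in Step 13) and checks a SAML response against it. Everything below is constructed sample data.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id, not a real one
SP_ENTITY_ID, REPLY_URL = "https://sp.example/saml", "https://sp.example/saml/acs"  # placeholders

IDP_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
 <IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
  <ds:X509Certificate>MIIC-constructed-base64-cert</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </KeyDescriptor><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  Location="https://login.microsoftonline.com/{TENANT}/saml2"/></IDPSSODescriptor></EntityDescriptor>"""

SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
 Version="2.0" Destination="{REPLY_URL}"><saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
 <saml:Assertion Version="2.0" ID="_a1"><saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <saml:Subject><saml:NameID>user@contoso.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:00:00Z" NotOnOrAfter="2024-05-01T09:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

def at(iso):
    """Parse a SAML UTC timestamp such as 2024-05-01T09:00:00Z into an aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_idp_metadata(xml_text):
    """Return what the SP needs from the metadata: IdP entity ID (issuer), login URL, signing cert."""
    root = ET.fromstring(xml_text)
    key = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']", NS)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "signing_cert": key.find(".//ds:X509Certificate", NS).text.strip()}

def check_response(xml_text, idp, sp_entity_id, reply_url, now):
    """Return the names of the checks a SAML response fails (empty list = accepted).
    Signature verification with idp['signing_cert'] needs an XML-DSig library and is not shown."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    checks = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS) == idp["entity_id"]
                  and root.findtext("saml:Assertion/saml:Issuer", namespaces=NS) == idp["entity_id"],
        "destination": root.get("Destination") == reply_url,  # the Reply URL / ACS set in Step 11
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == sp_entity_id,
        "not_before": at(cond.get("NotBefore")) <= now,
        "not_on_or_after": now < at(cond.get("NotOnOrAfter")),
    }
    return [name for name, ok in checks.items() if not ok]
```

Calling `check_response(SAML_RESPONSE, parse_idp_metadata(IDP_METADATA), SP_ENTITY_ID, REPLY_URL, at("2024-05-01T09:02:00Z"))` returns an empty list; a response with the wrong Destination or audience, or one replayed after NotOnOrAfter, is reported by check name.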
Step 14
The Login URL and Logout URL are used in the Dropbox Admin Console; the user is sent to them when logging in and logging out respectively.
Otherwise, the user will stay signed in even when not using Dropbox and will not be logged out.
Step 15
Now visit the Dropbox Admin Console and upload the downloaded certificate.
Paste the Login and Logout URLs in the boxes shown below.
Step 16
In this step, use the dropdown to set SSO to Optional or Required. I will choose Required.
Step 17
Now let’s visit office.com and sign in as the user to whom we assigned Dropbox. When we click on the Dropbox app, we will be taken to this page.
When we click Continue, we will be taken to the Dropbox page. If you come across any challenges, revisit the important links that were pasted and try with correctly assigned users, or post a comment here for assistance!
Step 18
Now, to demonstrate auto-provisioning, we will assign one more user (myself).
From the Overview pane on the right side, select Provisioning and select Get started.
Step 19
For the Provisioning Mode, select Automatic and click Authorize to connect the two services via the admin account.
We will be redirected to an API request page; click Allow.
Note: be sure to use portal.azure.com to authorize the connection.
Step 20
We will leave the Mappings settings at their defaults. Here you can define the scope (only assigned users or all users) and the attributes used to identify users.
Step 21
Click on Start Provisioning.
Step 22
After it completes, we will find in the Dropbox Admin Console that a new invite has been sent out.
Step 23
Checking the inbox (in my case, the Junk folder) we find the invite link to join the team.
Click on it to sign up, and it’s done.
Once provisioning has completed, you can view the provisioning logs from the Provisioning tab to check for any anomalies.