Integrating Azure AD with Logto

Learn how to integrate Azure AD SSO with Logto using standard SAML connector.
Simeng, Developer
September 02, 2023, 5 min read

Introduction

Logto provides an out-of-the-box SAML connector for integrating with SSO identity providers. Each provider has its own specific information to configure. This guide walks you through the steps to integrate Azure AD with Logto.

Create a new SAML social connector in Logto

  1. Visit your Logto Cloud Console and navigate to the connector section.

  2. Switch to the Social connectors tab and click Add Social Connector button on the top right.

    Logto Cloud Console
  3. Select the SAML connector.

    SAML Connector

    You will be presented with the SAML connector creation form:

    Connector Creation Form
  4. Fill in the connector general information

    Connector General Information
    Field Name | Description
    Name for social sign-in button | The name of the social sign-in button that will be displayed on the login page.
    Logo URL for social sign-in button | The logo URL of the social sign-in button that will be displayed on the login page.
    Identity provider name | The name of the identity provider. That may help you identify the target provider of the connector.
    Sync profile information | Whether to sync the user profile information from the identity provider only after the initial sign-up or after each sign-in session.
  5. Set the Entity ID and Assertion Consumer Service URL

    Entity Id and Assertion Consumer Service URL

    An "Entity ID" and an "ACS URL" are essential components used in the SAML exchange process for identity and service providers.

    SP Entity ID: The Entity ID is a unique identifier that represents a SAML entity within a SAML-based system. It is used to distinguish different participants in the SAML exchange. The SP Entity ID lets the IdP recognize the intended audience of a request and establish trust.

    ACS URL (Assertion Consumer Service URL): The ACS URL is a specific endpoint provided by the Service Provider (Logto) where the Identity Provider (IdP) sends the SAML assertion after successful authentication. Once a user is authenticated by the IdP, the IdP generates a SAML assertion containing user attributes and digitally signs it. The IdP then sends this assertion to the ACS URL of the SP. The SP validates the assertion, extracts user attributes, and logs the user in.

    Field Name | Description | Example
    SP Entity ID (Audience) | The SP Entity ID used by AzureAD to identify Logto. Using your Logto tenant endpoint as the Entity ID is recommended. | https://<tenant-id>.logto.app
    IdP single sign-on URL | The IdP sign-in endpoint. Optional in Azure. This field is used by the SP to identify IdP-initiated sign-in sessions. Currently Logto does NOT support IdP-initiated sign-in sessions. Please leave this field blank. |
    X.509 Certificate | The IdP certificate used to sign the SAML assertion. (We will retrieve this certificate from AzureAD later.) |
    IdP Metadata in XML format | The IdP metadata XML file content. (We will retrieve this file from AzureAD later.) |
    Assertion Consumer Service URL | The ACS URL of the SP: the SP (Logto) endpoint that receives SAML assertions. Replace the tenant-id and connector-id with your own. | https://<tenant-id>.logto.app/api/authn/saml/<connector-id>

Create a SAML SSO application in Azure portal

What you will need from Logto
  • SP Entity ID
  • Assertion Consumer Service URL
  1. Log in to the Azure Active Directory dashboard. Select “Enterprise Applications”.

    Enterprise application
  2. Select “New Application” → “Create your own application”.

    Create your own application
  3. Init a SAML application.

    Init a SAML application
  4. Fill in the configuration with the Entity ID and ACS URL you set in Logto.

    SAML application configuration
  5. Configure user attributes and claims

    You can configure the user attributes by clicking on the "Edit" button in the "User Attributes & Claims" section.

    User attributes and claims

    Logto requires the following basic user attributes to be sent in the SAML assertion:

    Claim Name | Attribute Name
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | user.name
  6. Assign groups and users to the SAML application

    In order for users or groups of users to be authenticated, we will need to assign them to the AzureAD SAML application. Select “Users and groups” from the “Manage” section of the navigation menu. Then select “Add user/group”.

    Assign users and groups
  7. Obtain the AzureAD IdP details by downloading the certificate and metadata file. Download the Federation Metadata XML file and the Certificate (Base64) file by clicking on the "download" button. You will need these files to complete the SAML connector creation in Logto.

    Download IdP metadata and certificate

Finish the SAML connection creation back in Logto

Switch back to the Logto Cloud Console's SAML connector creation form and continue filling in the IdP details. Copy the IdP metadata XML file content into the IdP metadata field. Paste the IdP certificate into the IdP certificate field.

IdP details

Set the user profile mapping

Based on the AzureAD user claim settings, you may proceed to set the key mapping configuration in Logto:

{
  "id": "http://schemas.microsoft.com/identity/claims/objectidentifier",
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
}

The available Logto user fields are:

{
  "id": "id",
  "email": "email",
  "phone": "phone",
  "name": "name",
  "avatar": "avatar"
}

Click on “Save and Done”.
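As an added example (not Logto's code), here is what the SP side does with the Entity ID, ACS URL and key mapping configured above: a Python check that the assertion's Audience is this SP's Entity ID, that the assertion is inside its validity window, that the bearer Recipient is this connector's ACS URL, and then the mapping of the Azure AD claims onto Logto's id, name and email fields. The sample assertion, tenant and connector ids are constructed placeholders, and signature verification with the IdP certificate is assumed to have run before this check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Connector values from this guide (TENANT-ID / CONNECTOR-ID are placeholders).
SP_ENTITY_ID = "https://TENANT-ID.logto.app"
ACS_URL = "https://TENANT-ID.logto.app/api/authn/saml/CONNECTOR-ID"
# The key mapping from this guide: Logto field -> Azure AD claim name.
KEY_MAPPING = {
    "id": "http://schemas.microsoft.com/identity/claims/objectidentifier",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}
# Constructed sample assertion (Signature omitted; verifying it is assumed done first) and a clock inside its window.
SAMPLE_NOW = datetime(2023, 9, 2, 10, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTION = f"""<Assertion xmlns="{NS['saml']}" Version="2.0" ID="_c0ffee">
  <Issuer>https://sts.windows.net/TENANT-ID/</Issuer>
  <Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2023-09-02T10:05:00Z"/>
  </SubjectConfirmation></Subject>
  <Conditions NotBefore="2023-09-02T09:55:00Z" NotOnOrAfter="2023-09-02T10:05:00Z">
    <AudienceRestriction><Audience>{SP_ENTITY_ID}</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="{KEY_MAPPING['id']}"><AttributeValue>00000000-0000-0000-0000-000000000001</AttributeValue></Attribute>
    <Attribute Name="{KEY_MAPPING['name']}"><AttributeValue>Alice Example</AttributeValue></Attribute>
    <Attribute Name="{KEY_MAPPING['email']}"><AttributeValue>alice@example.com</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text: str, now: datetime, mapping=KEY_MAPPING) -> dict:
    """Audience, validity-window and Recipient checks, then the claim-to-field mapping."""
    a = ET.fromstring(xml_text)
    audiences = [x.text for x in a.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:  # assertion was issued for some other SP
        raise ValueError(f"audience {audiences} is not this SP's Entity ID")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:  # bearer assertion meant for another endpoint
        raise ValueError("Recipient does not match this connector's ACS URL")
    claims = {att.get("Name"): [v.text or "" for v in att.findall("saml:AttributeValue", NS)]
              for att in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    profile = {field: claims[claim][0] for field, claim in mapping.items() if claims.get(claim)}
    if "id" not in profile:  # mapping misconfigured or claim not released by Azure AD
        raise ValueError("mapped id claim is missing; the user cannot be linked")
    return profile
```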

Enable the SAML connector

Once you have finished the SAML connector creation, you can enable the connector by navigating to the "Sign-in experience" section and adding the connector as a "Social sign-in" method:

Enable the SAML connector

Verify your AzureAD SSO sign-in using our preview demo-app:

AzureAD SSO sign-in

Congratulations! You have successfully integrated AzureAD SSO with Logto. You can now use AzureAD to sign in to your Logto account.