Azure AD

Configure Azure AD (Microsoft Entra ID) as a SAML IdP so users can sign in with their Azure AD accounts.

Sign in to the Azure Portal and navigate to Azure Active Directory > Enterprise applications.

Click New application > Create your own application.

Enter a name (e.g., "Hanzo IAM") and select Integrate any other application you don't find in the gallery (Non-gallery). Click Create.

In your new enterprise application, navigate to Single sign-on and select SAML.

Click Edit on the Basic SAML Configuration section and enter:

:::note

The /api/acs endpoint only accepts POST requests. Azure AD uses POST binding by default for SAML responses.

:::

Click Save.

The default attributes configuration is typically sufficient:

You can customize these mappings if needed. When the username attribute is not explicitly mapped, Hanzo IAM will automatically fall back to using the email address or NameID from the SAML assertion to populate the username field.

Download the Certificate (Base64) from the SAML Certificates section.

Note the following URLs from the Set up Hanzo IAM section:

In the Hanzo IAM admin console, navigate to Providers and click Add.

Select the following:

Click Parse to automatically fill in the fields, then click Save.

Back in Azure AD, navigate to Users and groups in your enterprise application and assign users or groups who should have access to Hanzo IAM.

Edit your Hanzo IAM application and add the Azure AD SAML provider to the Providers list. Click Save.

Navigate to your Hanzo IAM application's login page. You should see an Azure AD login option. Click it to test the SAML authentication flow.

You can also use the Test button in Azure AD's SAML configuration to verify the setup.