Configure SAML-based single sign-on using a Graph API

SAML SSO Graph API Single Sign-On
A
Ananya Sharma

Cybersecurity Analyst

 
October 22, 2025 8 min read

TL;DR

This article covers configuring SAML-based Single Sign-On (SSO) using the Microsoft Graph API. It includes steps for registering applications, defining app roles, configuring claims mapping, and managing signing certificates. You'll learn how to automate SAML SSO setup, customize token claims, and ensure secure authentication flows using programmatic methods.

Understanding SAML SSO and the Graph API

Okay, let's dive into saml sso and the graph api, shall we? It's kinda crucial to get this right, or else you're looking at a world of authentication hurt.

So, what's the deal with saml sso? Well, it's basically a way to let users log in once and access multiple applications without, y'know, having to re-enter their credentials each time. Think of it as the golden ticket of enterprise authentication.

  • SAML (Security Assertion Markup Language) is an open standard that allows identity providers (IdPs) to pass authorization credentials to service providers (SPs). It uses XML to exchange authentication and authorization data between them.
  • Companies are using saml for sso because it boosts security and simplifies the login process. Less passwords floating around, less headaches for everyone!
  • While saml handles authentication, it's different from oauth, which is more about authorization and granting limited access to resources. It's easy to get them mixed up, but they do different things.

The graph api is Microsoft's unified api endpoint for accessing data and services across Microsoft 365. It's pretty powerful stuff, if you ask me.

  • The graph api lets you manage users, groups, apps, and more, all from one place.
  • It really simplifies identity and access management by providing a single api to control access to various resources.
  • Automating tasks with the graph api? Big win! It can save a ton of time and effort, especially when you're dealing with a large number of users or applications.

Next up, we'll look at configuring saml sso with the graph api in practice. Time to put this knowledge to use!

Prerequisites for Configuring SAML SSO with Graph API

Alright, before we jump into configuring SAML SSO, gotta make sure our ducks are in a row, right? It's like prepping ingredients before cooking – miss a step, and the whole dish is gonna taste off.

First thing's first: permissions. You'll need the right Azure AD roles, like Cloud Application Administrator, to even get started. Don't forget those delegated permissions; Application.ReadWrite.All is a big one, plus User.ReadWrite.All. And a test user account? Absolutely essential!

Now, let's talk tools. You'll be needing the Microsoft Graph SDK installed. Think of it as your wrench for this project. Also, get an api client configured, like Graph Explorer. Finally, you need to authenticate with the graph api.

Authenticating with the Graph API

This is a critical step. The Graph API uses OAuth 2.0 for authentication and authorization. You'll typically use one of these flows:

  • Client Credentials Flow: This is common for server-to-server interactions where your application acts on its own behalf. You'll use a client ID and a client secret (or certificate) to obtain an access token.
  • Authorization Code Flow: This is used when a user is present and grants permission for your application to access their data. It involves redirecting the user to Azure AD for login and consent.

You need to authenticate to prove your application's identity and get an access token that grants it permission to make requests to the Graph API.

With these prerequisites in place, you're setting yourself up for a much smoother ride. Now, onto the actual configuration steps!

Step-by-Step Guide to Configuring SAML SSO

Alright, let's tweak those SSO settings – it's like fine-tuning a race car before the big event, you know? Get this wrong, and things can get real messy real fast.

First up is configuring the saml urls for the application. These URLs tell Azure AD where to send the SAML assertions. It's gotta know where the front door is, right?

  • Identifier URIs (Entity ID): This value is a unique identifier for your application, often a URL. It tells the Identity Provider (Azure AD) which Service Provider (your application) the SAML assertion is intended for. A common pattern is https://your-app-domain.com/saml/metadata.
  • Redirect URIs (Assertion Consumer Service URLs): These are the URLs on your application's side where Azure AD will send the SAML response (the assertion) after successful authentication. This is where your application receives and processes the authentication information. A typical example might be https://your-app-domain.com/saml/callback.

So, for example, if you're setting up sso for a cloud-based accounting software, you'd put the software's saml endpoint here. Or maybe a healthcare portal, where users need single-click access to medical records – same deal.

Next, you gotta tell the service principal that we're doing SAML. This is done by patching the service principal object and setting the preferredSingleSignOnMode property to "saml". This basically tells Azure AD, "Hey, for this app, we're using SAML, not something else."

This is the command that actually makes the change happen. You can find more details in the Microsoft documentation: Configure SAML-based single sign-on using Microsoft Graph - Microsoft Graph.

Now, let's say you're working with a retail company, and they're integrating their point-of-sale system with Azure ad. You'd use these steps to ensure that employees can log into the pos system with their existing Azure ad credentials.

Up next: tools that helps with the configuration.

Customizing SAML Token Claims

Customizing tokens, eh? Ever wonder what info actually gets passed around during SSO? It's more than just a username, trust me.

  • App Roles: Define what users can do. Think "admin" vs. "read-only" in, say, a CRM or a hospital records system.
  • Claims Mapping: Map Azure AD attributes to app attributes. Like, employeeID in Azure becomes userID in your app.

For instance, if your application needs to know a user's department for access control, you can map the department attribute from Azure AD to a custom claim named userDepartment in your SAML assertion. This is done by configuring claim mappings within Azure AD's enterprise application settings, which can be managed via the Graph API.

Here's a conceptual example of how you might update claim mappings using the Graph API (actual implementation involves specific endpoints and request bodies):

PATCH /servicePrincipals/{id}/tokenIssuancePolicy
{
    "definition": "[ { \"claims\": [ { \"source\": \"user\", \"name\": \"department\", \"emitAs\": \"userDepartment\" } ] } ]",
    "displayName": "Custom Department Claim Mapping"
}

Imagine a finance app needing "employee level" from Azure AD for access control. Easy peasy.

Next, let's validate this setup.

Managing Signing Certificates

Okay, so you've made it this far, huh? Congrats! Now all comes down to certificates. Think of these as the keys to the kingdom, and trust me, you don't want to mess this part up.

You can manage token signing certificates for your application's service principal using the Graph API.

Adding a Token Signing Certificate

You can add a new token signing certificate to your service principal. This involves using the tokenSigningCertificates navigation property.

POST /servicePrincipals/{id}/tokenSigningCertificates
Content-type: application/json


{
  "customKeyIdentifier": null,
  "displayName": "MyNewSamlCert",
  "endDateTime": "2026-12-31T23:59:59Z",
  "startDateTime": "2023-01-01T00:00:00Z",
  "type": "X509Certificate",
  "value": "MIIC+DCCAeCgAwIBAgI..." // Your Base64 encoded certificate value
}

  • displayName: A descriptive name for the certificate.
  • endDateTime: When the certificate expires. I usually go for a few years out, just to be safe.
  • startDateTime: When the certificate becomes valid.
  • value: The Base64 encoded string of your X.509 certificate.

Using Custom Signing Keys

Alternatively, you can upload your own custom signing certificate. Maybe you've got some internal security policies you gotta follow, or maybe you just like doing things the hard way.

  1. Create a self-signed cert: Use PowerShell or C# to generate a certificate.
  2. Extract details: You'll need the certificate's Base64 encoded value and its customKeyIdentifier (often the thumbprint).
  3. Update the service principal: Use the keyCredentials property to add your custom signing key.
PATCH /servicePrincipals/{id}
Content-type: application/json


{
  "keyCredentials": [
    {
      "customKeyIdentifier": "YOUR_CERTIFICATE_THUMBPRINT_IN_BASE64",
      "displayName": "MyCustomSigningKey",
      "endDateTime": "2026-12-31T23:59:59Z",
      "startDateTime": "2023-01-01T00:00:00Z",
      "type": "X509Certificate",
      "usage": "Sign",
      "key": "YOUR_BASE64_ENCODED_CERTIFICATE_VALUE"
    }
  ]
}

  • customKeyIdentifier: The thumbprint of your certificate, Base64 encoded.
  • key: The Base64 encoded string of your X.509 certificate.
  • usage: Should be "Sign" for token signing.

Without valid certificates, your whole saml sso setup falls apart. It's like building a house on a shaky foundation; looks good at first, but it won't last.

  • Certificates ensure that the saml assertions are trusted by the service provider.
  • They prevent man-in-the-middle attacks, and provide integrity for your authentication process.

And remember, always follow security best practices when handling certificates. Don't store them in plain text, use strong passwords, and rotate them regularly. You can find more details in the Microsoft documentation: Configure SAML-based single sign-on using Microsoft Graph - Microsoft Graph.

Validating Your SAML SSO Setup

So, you've done all the configuration, but how do you know it actually works? Time to test!

  • Initiate SSO from the Service Provider: Try to access a protected resource in your application. You should be redirected to your Identity Provider (Azure AD) for login.
  • Initiate SSO from the Identity Provider: Go to your Azure AD My Apps portal (or equivalent) and click on your application. You should be logged in directly without needing to re-enter credentials.
  • Check SAML Traces: Use browser extensions like SAML-tracer or SAML Chrome Panel to inspect the SAML requests and responses. This is super helpful for debugging. Look for successful authentication status and correct claims being passed.
  • Verify Claims: Ensure that the claims (like user ID, roles, etc.) being sent in the SAML assertion are what your application expects and are being processed correctly.
  • Test with Different Users: Try logging in with different user accounts, including those with different roles or permissions, to ensure access control is working as intended.

Time to go validate your SSO setup, good luck, you'll need it.

A
Ananya Sharma

Cybersecurity Analyst

 

Ananya is a cybersecurity researcher with a keen focus on identity management, SSO protocols, and cloud-native security. Based in Bengaluru, she bridges the gap between security strategy and implementation.

Related Articles

Configuring SAML Toolkit for Single Sign-On Solutions
SAML toolkit

Configuring SAML Toolkit for Single Sign-On Solutions

Learn how to configure a SAML toolkit for seamless single sign-on (SSO). This guide covers setup, integration, security best practices, and troubleshooting tips.

By Daniel Wright November 13, 2025 11 min read
Read full article
SAML SSO Deployment Guide
SAML SSO

SAML SSO Deployment Guide

Comprehensive guide to SAML SSO deployment: configuration, integration, security, testing, and troubleshooting. Ensure a smooth and secure single sign-on implementation.

By Daniel Wright November 13, 2025 13 min read
Read full article
Utilizing the SAML2 Toolkit for Implementation
SAML2 toolkit

Utilizing the SAML2 Toolkit for Implementation

Learn how to effectively use the SAML2 toolkit for seamless SSO implementation. This guide covers configuration, security, testing, and integration best practices.

By Ananya Sharma November 12, 2025 16 min read
Read full article
SAML Web Application Toolkit: Enabling Single Sign-On
SAML

SAML Web Application Toolkit: Enabling Single Sign-On

Learn how to use a SAML web application toolkit to enable single sign-on (SSO) for your applications. Improve security and user experience with our comprehensive guide.

By Daniel Wright November 10, 2025 12 min read
Read full article