# SAML Domain Federation with Authentik as IDP

# Authentik Preparation

# 1. Under Customization -> Properties, create a new LDAP Source Property Mapping with the following details:

  • Name: LDAP Mapping: ImmutableId
  • Expression:
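import base64
import uuid

# authentik LDAP source property-mapping expression.
#
# Entra ID's ImmutableId is the *standard* Base64 encoding of the AD
# objectGUID in its on-disk (mixed-endian) byte order, which is what
# uuid.UUID(...).bytes_le yields. base64.b64encode already emits the
# standard alphabet ('+' and '/'). The previous urlsafe_b64encode +
# replace("-", "+") variant mapped only '-' back and left '_' in place,
# so any GUID whose encoding contained '_' produced a value that could
# never match the ImmutableId Entra ID computes, and the user's SAML
# NameID would not resolve to an account.
#
# NOTE(review): assumes ldap.get('ObjectGUID') is a GUID string that
# uuid.UUID() accepts (braces/hyphens are tolerated) — confirm against the
# attribute format the LDAP source actually delivers.
object_guid = ldap.get('ObjectGUID')
immutable_id = base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")

# list_flatten is kept from the original mapping; for a plain string it is
# expected to be a pass-through — confirm if this expression is reused.
return {
    "attributes": {
        "ImmutableID": list_flatten(immutable_id),
    }
}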

# 2. Create a new SAML Provider Property Mapping with the following details:

  • Name: M365 SAML Mapping: NameID
  • SAML attribute name: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • Expression: return user.attributes.get('ImmutableID')

# 3. Create a new SAML Provider Property Mapping with the following details:

  • Name: M365 SAML Mapping: emailAddress
  • SAML attribute name: IDPEmail
  • Expression: return user.email

# 4. Add the LDAP Source Mapping in the ldap config under user properties

# 5. Create a new SAML Provider with the following specific details:

  • ACS URL: https://login.microsoftonline.com/<tenant id>/saml2
  • IssuerUri: https://<your authentik url>
  • Service binding: POST
  • TargetUri: urn:federation:MicrosoftOnline
  • Signing Certificate: <select an available certificate>
  • Sign assertions: True
  • Sign responses: True
  • User Property Mappings: M365 SAML Mapping: emailAddress
  • Name ID Properties: M365 SAML Mapping: NameID

# 6. Create an application for your needs and bind it to the previously created provider

# 7. Go back to your provider and download the signing certificate.

# Federate the Domain in Microsoft 365

  1. Install the Microsoft.Graph PowerShell module (Install-Module Microsoft.Graph -Repository PSGallery -Scope CurrentUser -Force)
  2. Import the module (you may need to raise the function limit first with `$MaximumFunctionCount = 16384`)
  3. Set up all required variables:
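# Values consumed by New-MgDomainFederationConfiguration below.
# Replace every <placeholder> before running.
$Domain      = "<the domain that should be federated>"
# SSO URL (POST binding) shown on the authentik provider page.
$SignInUrl   = "<SSO Url (Post) of your authentik provider>"
# SLO URL (Redirect binding) shown on the authentik provider page.
$SignOutUrl  = "<SLO URL (Redirect) of your authentik provider>"
# Base64 body of the signing certificate downloaded in step 7: remove the
# -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines and every
# line break and space. This is the public certificate Entra ID uses to
# verify assertion/response signatures; when the certificate is rotated in
# authentik this value must be updated as well (see the helpful commands).
$Certificate = "<downloaded certificate from step 7, without spaces, line breaks and the BEGIN/END CERTIFICATE lines>"
# Must match the Issuer configured on the provider in step 5 exactly
# (https://<your authentik url>); the previous placeholder was missing its
# opening '<'.
$IssuerUri   = "<IssuerUri from step 5>"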
  4. Now connect to Entra ID and federate your domain:
# Interactive sign-in to Microsoft Graph (the full parameter name is -Scopes;
# PowerShell resolves the -Scope prefix).
# NOTE(review): Domain.ReadWrite.All already covers reading domains, and
# Directory.Read.All does not appear to be needed by any cmdlet on this page —
# consider requesting only the scopes this step actually uses.
Connect-MgGraph -Scope "Directory.Read.All, Domain.Read.All, Domain.ReadWrite.All"

# Federation record for the domain, splatted for readability.
# - PreferredAuthenticationProtocol saml: Entra ID uses SAML (not WS-Fed)
#   towards the IdP.
# - FederatedIdpMfaBehavior acceptIfMfaDoneByFederatedIdp: Entra ID accepts
#   MFA performed by authentik and only performs its own MFA when the IdP did
#   not assert it, so MFA policy must be enforced on the authentik side.
$federation = @{
    DomainId                        = $Domain
    PassiveSignInUri                = $SignInUrl
    SignOutUri                      = $SignOutUrl
    SigningCertificate              = $Certificate
    IssuerUri                       = $IssuerUri
    PreferredAuthenticationProtocol = 'saml'
    FederatedIdpMfaBehavior         = 'acceptIfMfaDoneByFederatedIdp'
    DisplayName                     = $Domain
}
New-MgDomainFederationConfiguration @federation
  5. You should now be able to log in as a user of the federated domain. Hint: new users can only be created through Entra ID sync from an on-premises Active Directory.

# Helpful Commands

Get-MgDomain                                           # List all domains in this tenant (check AuthenticationType shows "Federated")
Get-MgDomainFederationConfiguration -DomainId $Domain  # Show the federation config; its Id is needed for Update-
Update-MgDomainFederationConfiguration                 # Update the federation config (needs -DomainId and -InternalDomainFederationId), e.g. after rotating the signing certificate