SAML Domain Federation with Authentik as IDP
Authentik Preparation
1. Under Customization -> Properties, create a new LDAP Source Property Mapping with the following details:
   - Name: `LDAP Mapping: ImmutableId`
   - Expression:

   ```python
   import base64
   import uuid

   # ObjectGUID arrives as a UUID string (as this expression assumes); Entra ID
   # expects the ImmutableID as standard base64 of the 16 GUID bytes in AD's
   # little-endian byte order, which is exactly what uuid.UUID(...).bytes_le gives.
   # Using urlsafe_b64encode and only swapping "-" for "+" would leave "_" in
   # place where Entra ID expects "/", so encode with the standard alphabet.
   guid = uuid.UUID(ldap.get("ObjectGUID"))
   return {
       "attributes": {
           "ImmutableID": base64.b64encode(guid.bytes_le).decode("ascii"),
       }
   }
   ```
2. Create a new SAML Provider Property Mapping with the following details:
   - Name: `M365 SAML Mapping: NameID`
   - SAML Attribute Name: `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`
   - Expression:

   ```python
   return user.attributes.get('ImmutableID')
   ```
3. Create a new SAML Provider Property Mapping with the following details:
   - Name: `M365 SAML Mapping: emailAddress`
   - SAML Attribute Name: `IDPEmail`
   - Expression:

   ```python
   return user.email
   ```
4. Add the LDAP Source Property Mapping from step 1 to your LDAP source configuration under User Property Mappings.
5. Create a new SAML Provider with the following specific details:
   - ACS URL: `https://login.microsoftonline.com/<tenant id>/saml2`
   - Issuer URI: `https://<your authentik url>`
   - Service binding: `POST`
   - Target URI: `urn:federation:MicrosoftOnline`
   - Signing Certificate: select an available certificate
   - Sign assertions: `True`
   - Sign responses: `True`
   - User Property Mappings: `M365 SAML Mapping: emailAddress`
   - Name ID Properties: `M365 SAML Mapping: NameID`
6. Create an application for your needs and bind it to the previously created provider.
7. Go back to your provider and download the signing certificate.
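To sanity-check the ImmutableID mapping from step 1 against a user that Entra ID already knows from on-premises sync, here is an added Python example (not part of this guide and not authentik's code) that derives the ImmutableID from an objectGUID string, reverses it, and shows where the urlsafe-with-replace variant would diverge; the sample GUIDs are constructed.

```python
import base64
import uuid

# Constructed sample objectGUIDs (not real directory objects); the first one
# uses the brace form that the ldap3 library produces for AD objectGUID.
SAMPLE_GUIDS = [
    "{00112233-4455-6677-8899-aabbccddeeff}",
    "ffffffff-ffff-ffff-ffff-ffffffffffff",
    "00000000-0000-0000-0000-000000000000",
]


def immutable_id_from_object_guid(object_guid: str) -> str:
    """Derive the Entra ID ImmutableID from an AD objectGUID string.

    Entra ID Connect stores the 16 raw GUID bytes in AD's little-endian
    (mixed-endian) order as standard base64; uuid.UUID(...).bytes_le yields
    exactly that byte order, and uuid.UUID accepts braces and hyphens.
    """
    guid = uuid.UUID(object_guid)
    return base64.b64encode(guid.bytes_le).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse the mapping, e.g. for an existing cloud user's ImmutableID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to 16 GUID bytes")
    return str(uuid.UUID(bytes_le=raw))


def urlsafe_variant_differs(object_guid: str) -> bool:
    """True when encoding with urlsafe_b64encode and only replacing '-' with
    '+' (leaving '_' in place) yields a value that differs from the standard
    encoding Entra ID stores, i.e. the user would fail to match."""
    guid = uuid.UUID(object_guid)
    legacy = base64.urlsafe_b64encode(guid.bytes_le).decode("ascii").replace("-", "+")
    return legacy != immutable_id_from_object_guid(object_guid)


if __name__ == "__main__":
    for sample in SAMPLE_GUIDS:
        iid = immutable_id_from_object_guid(sample)
        print(f"{sample} -> {iid} (urlsafe variant differs: {urlsafe_variant_differs(sample)})")
        # Round trip must give back the same GUID in canonical form.
        assert object_guid_from_immutable_id(iid) == str(uuid.UUID(sample))
```

On the Microsoft side the value to compare against is the user's OnPremisesImmutableId (for example `Get-MgUser -UserId <upn> -Property OnPremisesImmutableId`).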
Federate the Domain in Microsoft 365
- Install the Microsoft.Graph PowerShell module:

  ```powershell
  Install-Module Microsoft.Graph -Repository PSGallery -Scope CurrentUser -Force
  ```

- Import the module (you probably have to raise the function limit first with `$MaximumFunctionCount = 16384`).
- Set up all required variables:

  ```powershell
  $Domain      = "<the domain that should be federated>"
  $SignInUrl   = "<SSO URL (Post) of your authentik provider>"
  $SignOutUrl  = "<SLO URL (Redirect) of your authentik provider>"
  $Certificate = "<certificate downloaded in step 7, without spaces, line breaks and the -----BEGIN/END CERTIFICATE----- lines>"
  $IssuerUri   = "<IssuerUri from step 5>"
  ```

- Now connect to Entra ID and federate your domain:

  ```powershell
  Connect-MgGraph -Scopes "Directory.Read.All","Domain.Read.All","Domain.ReadWrite.All"
  New-MgDomainFederationConfiguration -DomainId $Domain `
      -PassiveSignInUri $SignInUrl -SignOutUri $SignOutUrl `
      -SigningCertificate $Certificate -IssuerUri $IssuerUri `
      -PreferredAuthenticationProtocol saml `
      -FederatedIdpMfaBehavior acceptIfMfaDoneByFederatedIdp `
      -DisplayName $Domain
  ```

  Note that `acceptIfMfaDoneByFederatedIdp` makes Entra ID trust the MFA claim sent by the federated IdP, so MFA has to be enforced in the authentik flow for this domain's users.

- Now you should be able to log in with a user of the federated domain. Hint: new users can only be created through Entra ID sync from an on-premises Active Directory.
Helpful Commands

```powershell
Get-MgDomain                                          # Lists all domains in this tenant
Get-MgDomainFederationConfiguration -DomainId $Domain # Get the federation config
Update-MgDomainFederationConfiguration                # Update the federation config
```