- Initial Preparation
- Create an Application in Microsoft Entra
- Configure SSO for the Application in Entra
- Import the Entra Application Data in AppCheck
- Select Authentication Contexts
- Test and Enable SSO in AppCheck
- Optional: Enable SAML Assertion Encryption in Entra
Initial Preparation
- Raise a ticket with AppCheck Support to have the SSO feature enabled for your account.
- Wait for the ticket to be completed.
- Open two tabs/windows (in addition to this guide):
  - Your Organisation settings page in the AppCheck scanner portal, with the SSO Settings tab selected in the left-hand menu.
  - The Microsoft Entra ID service page in your Azure portal. You can use the search box in the Azure portal to find it if it is not in your service list on the left-hand side.
- Download the appcheck_saml_metadata.xml Metadata XML file by clicking Download XML metadata in the SAML Service Provider Details section on the AppCheck SSO settings page:
- Download the appcheck_saml_certificate.cer X.509 certificate file by clicking Download certificate:
Create an Application in Microsoft Entra
- In the Microsoft Entra ID service page, navigate to Enterprise Applications in the left-hand panel:
- Click New application
- Click Create your own application
- Enter a name for the application, e.g. "AppCheck"
- Select Non-gallery app:
- Click Create.
- Follow the Assign users and groups link under Getting Started to assign users. Only the users and groups you assign here will be able to sign in to AppCheck with SSO.
You can use the Users and groups entry in the left-hand menu to update the assigned user list later.
Configure SSO for the Application in Entra
- Navigate to Single sign-on in the left-hand panel:
- Select SAML as the sign-on method
- Select Upload metadata file:
- Upload the appcheck_saml_metadata.xml file you downloaded from AppCheck
- Check that the Identifier (Entity ID) and the Reply URL shown in the Basic SAML Configuration match what is shown in your AppCheck SSO settings:
- Save the SAML Configuration and close the Basic SAML Configuration overlay.
- Download the Federation Metadata XML from Azure:
The file name will be based on the name you gave your new application in Entra.
- Under SAML Certificates, click Edit next to Token signing certificate
- Change Signing Option to Sign SAML response and assertion
- Click Save and close the overlay
- Click Edit next to Verification certificates
- Enable Require verification certificates. Entra will then reject SAML authentication requests that are not signed with one of the verification certificates you upload.
- Click Upload certificate
- Upload the appcheck_saml_certificate.cer X.509 certificate file you downloaded from AppCheck
- Click Save and close the overlay
Import the Entra Application Data in AppCheck
- In your AppCheck SSO Settings tab, upload the Federation Metadata XML file you just downloaded by clicking on Upload XML Metadata in the Identity Provider Settings section:
- After the XML file has been uploaded, check that the Entity ID and SSO URLs match what is shown in your Azure settings:
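The two "check that the values match" steps (the Identifier and URLs in the Entra Basic SAML Configuration, and the Entity ID and SSO URLs in the AppCheck Identity Provider Settings) can be made mechanical by reading both metadata files. The script below is an added example, not AppCheck's or Microsoft's code: it parses a constructed, abbreviated stand-in for the Entra Federation Metadata XML and for appcheck_saml_metadata.xml (placeholder tenant ID, placeholder sp.example.com hostnames, and a base64 placeholder in place of a real certificate), extracts the values the portals display, computes the signing-certificate thumbprint, and reports any mismatch against the values you read off the two portals.

```python
"""Cross-check the Entra federation metadata against the AppCheck SP metadata.

Added example, not AppCheck's or Microsoft's code. Both XML documents are
constructed, abbreviated samples (the X509Certificate is a base64 placeholder,
not a real certificate); replace them with the files you downloaded.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID

# Constructed stand-in for the Federation Metadata XML downloaded from Entra.
IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed stand-in for appcheck_saml_metadata.xml (hostnames are placeholders).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp(xml_text):
    """Entity ID, SSO endpoints keyed by binding, and the DER signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding").rsplit(":", 1)[1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    der = base64.b64decode("".join(cert.text.split()))   # strip any line wrapping
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_cert": der}


def parse_sp(xml_text):
    """Entity ID (the AppCheck 'Identifier'), ACS URLs (the 'Reply URL') and signing flags."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {"entity_id": root.get("entityID"),
            "acs": [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)],
            "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
            "signs_requests": sp.get("AuthnRequestsSigned") == "true"}


def fingerprints(der):
    """SHA-1 (what the Entra portal shows as 'Thumbprint') and SHA-256 of the DER certificate."""
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}


def cross_check(idp, sp, portal):
    """Compare the files with the values read off the two portals; return a list of mismatches."""
    problems = []
    if idp["entity_id"] != portal["entra_identifier"]:
        problems.append(f"Entra identifier: metadata says {idp['entity_id']}")
    if idp["sso"].get("HTTP-Redirect") != portal["login_url"]:
        problems.append(f"Login URL: metadata says {idp['sso'].get('HTTP-Redirect')}")
    if fingerprints(idp["signing_cert"])["sha1"] != portal["thumbprint"].replace(":", "").upper():
        problems.append("Entra token signing certificate does not match the displayed thumbprint")
    if sp["entity_id"] != portal["appcheck_identifier"]:
        problems.append(f"AppCheck identifier: metadata says {sp['entity_id']}")
    if portal["reply_url"] not in sp["acs"]:
        problems.append(f"AppCheck reply URL {portal['reply_url']} is not an ACS in the SP metadata")
    return problems


if __name__ == "__main__":
    idp, sp = parse_idp(IDP_METADATA), parse_sp(SP_METADATA)
    print("Entra identifier:", idp["entity_id"])
    print("Login URL:       ", idp["sso"]["HTTP-Redirect"])
    print("Thumbprint:      ", fingerprints(idp["signing_cert"])["sha1"])
    print("AppCheck ID/ACS: ", sp["entity_id"], sp["acs"])
```

Run it against the real files by replacing the two constants with the file contents, then fill the portal dictionary with the Login URL, Microsoft Entra Identifier and signing-certificate Thumbprint shown on the Entra Single sign-on page and the Identifier and Reply URL shown on the AppCheck SSO settings page; an empty list from cross_check means the three sources agree. A WantAssertionsSigned="true" in the SP metadata is the reason the Entra signing option should include the assertion, not just the response.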
Select Authentication Contexts
- In your AppCheck SSO Settings tab, populate the field Authentication Contexts. When using Microsoft Entra it is recommended to leave this field empty (or delete the values if the defaults are still present), which allows users to log in using any of the authentication methods provided by Entra. If you need to require MFA for AppCheck users, enforce it with a Conditional Access policy targeting the AppCheck enterprise application in Entra rather than through this field.
Test and Enable SSO in AppCheck
- In your AppCheck SSO Settings tab click Test SAML Config
- Wait for the test to succeed
- Tick Enable SAML authentication
- Click Update
Users whose email addresses match an assigned user in the Entra application can now sign in to AppCheck without being asked for their AppCheck password. If they are not already logged in to a Microsoft account in that browser session they will be redirected to Microsoft to log in.
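If Test SAML Config fails, or you want to see exactly what Entra is sending before enabling SSO, capture the SAMLResponse form field from the POST to the AppCheck reply URL in your browser's network tab and run it through the script below. It is an added example, not AppCheck's or Microsoft's code: it checks the points the Entra steps above control (the response and the assertion each carry a signature as required by the "Sign SAML response and assertion" option; the audience and destination match the service provider; which NameID and which AuthnContextClassRef Entra sent, with an empty allowed list meaning "accept any", as the empty Authentication Contexts field does) and it stops early with a note if the assertion arrives encrypted. The service-provider values and the embedded SAML response are constructed placeholders (the signature values are not real signatures), and the script only checks structure: it does not verify the XML signatures cryptographically, which needs a SAML library backed by xmlsec.

```python
"""Structural check of a SAMLResponse captured during "Test SAML Config".

Added example, not AppCheck's or Microsoft's code. Accepts the base64 form
value as shown in the browser or the raw XML. Does NOT verify signatures
cryptographically; use a SAML library with xmlsec for that.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Assumed placeholder SP values; read the real ones off the AppCheck SSO settings page.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"

# Constructed sample response; SignatureValue contents are placeholders, not real signatures.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>cmVzcG9uc2U=</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>YXNzZXJ0aW9u</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
# The same response as it appears in the posted SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def inspect_response(saml_response, sp_entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL,
                     allowed_contexts=()):
    """Return a report dict; report["problems"] is empty when everything lines up."""
    text = saml_response.strip()
    if not text.startswith("<"):                      # base64 form value, not raw XML
        text = base64.b64decode(text).decode()
    root = ET.fromstring(text)
    report = {"problems": []}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    report["status"] = status.get("Value") if status is not None else None
    if report["status"] != "urn:oasis:names:tc:SAML:2.0:status:Success":
        report["problems"].append(f"status is {report['status']}")
    report["destination_ok"] = root.get("Destination") == acs_url
    if not report["destination_ok"]:
        report["problems"].append("Destination does not match the AppCheck reply URL")
    report["response_signed"] = root.find("ds:Signature", NS) is not None
    if not report["response_signed"]:
        report["problems"].append("Response element is not signed")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # Token encryption is active in Entra: the assertion can only be inspected after
        # decrypting it with the SP private key, which this script does not have.
        report["encrypted"] = True
        report["problems"].append("assertion is encrypted; decrypt it before checking its contents")
        return report
    report["encrypted"] = False
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        report["problems"].append("no Assertion element in response")
        return report
    report["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    if not report["assertion_signed"]:
        report["problems"].append("Assertion is not signed (check the Entra signing option)")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    report["audience_ok"] = sp_entity_id in audiences
    if not report["audience_ok"]:
        report["problems"].append(f"Audience {audiences} does not include {sp_entity_id}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    report["name_id"] = name_id.text if name_id is not None else None
    report["name_id_format"] = name_id.get("Format") if name_id is not None else None
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    report["authn_context"] = ctx.text if ctx is not None else None
    # An empty allowed_contexts mirrors an empty Authentication Contexts field: accept any.
    if allowed_contexts and report["authn_context"] not in allowed_contexts:
        report["problems"].append(f"AuthnContextClassRef {report['authn_context']} is not allowed")
    return report


if __name__ == "__main__":
    for key, value in inspect_response(SAMPLE_RESPONSE_B64).items():
        print(f"{key}: {value}")
```

The NameID the script prints is the value AppCheck matches against the assigned user's email address, so a failed login for an assigned user usually shows up here as a NameID that is a UPN or object ID rather than the expected address.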
Optional: Enable SAML Assertion Encryption in Entra
Only available to Microsoft Entra ID P1/P2 customers
- In Azure, navigate to Token encryption in the left-hand panel
- Click Import Certificate and import the appcheck_saml_certificate.cer X.509 certificate file you downloaded from AppCheck in the previous steps
- Click the three dots (...) on the encryption key row, and select Activate token: