
Configure single sign-on with Azure AD

Modified on: Thu, 4 Jun, 2020 at 6:59 AM

Applies to: Basic, Business, Enterprise
Note: Only Team Admins can use the features discussed in this solution.

You can set up SAML 2.0 authentication with Azure AD by visiting your Azure Portal and adding a new application registration. On the App registrations page under Azure Active Directory, click New registration.

When viewing the form to register an application, fill in the information below and then click Register.

Name: Any preferred name for your app.
Supported account types: Depending on your needs, this could be any of the offered choices.
Platform configuration: Web API

Step: Add a platform

Go to Authentication in the left sidebar. Under Platform configurations, click Add a platform and then choose Web in the right sidebar.

Enter your Team's Assertion Consumer Service URL into the Redirect URIs field. You can find this URL in the right sidebar of your Team's Authentication settings page.

Leave all other values untouched and click Configure at the bottom.

Step: Generate an application ID URI

Go back to Overview and click Add an Application ID URI at the top right. Then click Set to generate a random ID URI for your application. Keep a copy of it and click Save.

You will enter the Application ID URI as the Issuer and Audience Restriction when configuring single sign-on for your Stack Overflow Team later.

Step: Add a token type

Go to Token configuration and click Add optional claim. Select the SAML option and check email for the Token type.

Step: Find the federation metadata

Go back to Overview and click Endpoints. Find the link under Federation metadata document, copy it, and open it in your browser.

Keep this document available as you continue in the process.

Step: Configure authentication settings for your Team

Open the Authentication page under Settings and complete the following fields using the information retrieved from your Azure AD app.

Single Sign-On Service URL: Enter the value of SAML-P Sign-On Endpoint from your Endpoints.
Single Sign-On Service Protocol Binding: POST
Issuer: Enter the Application ID URI you generated.
Audience Restriction: Enter the Application ID URI you generated.
Display Name Assertion: http://schemas.microsoft.com/identity/claims/displayname
  This value can sometimes change. Check your Federation metadata document and search for Display Name to verify.
Email Address Assertion: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  This value can sometimes change. Check your Federation metadata document and search for Email to verify.
Checkboxes: Leave all checkboxes unchecked.
Identity Provider Certificates: Copy and paste the value inside the <X509Certificate> element of your Federation metadata document. There may be multiple certificates, so you can pick one or add all of them.


Automate the renewal of certificates

Once you have set up SSO according to the above instructions, you can set up a Federation Metadata URL to automate the renewal of the Identity Provider Certificates. If you choose not to, the certificate will have to be updated by an admin every year, or access to the Team will be interrupted.

To set this up, click the Automatically update certificates periodically checkbox and paste your Federation Metadata URL from Azure into the field that appears. Click Save, and you're all set.
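An added Python example (not from this article or from the Team product) that reads out of a federation metadata document the same values the Authentication settings above ask you to find by hand, and that the periodic certificate update watches: the HTTP-POST sign-on endpoint, the Email and Display Name claim URIs, and the signing certificates. The sample metadata, tenant id and certificate bodies are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
X509_TAG = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"
# Constructed sample in the shape of an Azure AD federation metadata document;
# the tenant id and the certificate bodies are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
 xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
 <RoleDescriptor><fed:ClaimTypesOffered>
  <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><auth:DisplayName>Email</auth:DisplayName></auth:ClaimType>
  <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/displayname"><auth:DisplayName>Display Name</auth:DisplayName></auth:ClaimType>
 </fed:ClaimTypesOffered></RoleDescriptor>
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC-PLACEHOLDER-CERT-A
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-PLACEHOLDER-CERT-B</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_federation_metadata(xml_text):
    """Return the values the Team's Authentication page asks for."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    # Only the HTTP-POST endpoint matches the "POST" protocol binding setting.
    post_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == POST_BINDING]
    # Claim URIs keyed by the display name the article tells you to search for.
    claims = {c.findtext("auth:DisplayName", "", NS): c.get("Uri")
              for c in root.iterfind(".//fed:ClaimTypesOffered/auth:ClaimType", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") != "signing":
            continue
        for cert in kd.iter(X509_TAG):
            body = re.sub(r"\s+", "", cert.text or "")  # drop line wrapping
            if body and body not in certs:
                certs.append(body)
    return {"sso_post_url": post_urls[0] if post_urls else None,
            "claims": claims, "signing_certs": certs}

def certs_to_add(configured, parsed):
    """Signing certs in fresh metadata that the Team does not have yet (what the periodic update adds)."""
    return [c for c in parsed["signing_certs"] if c not in configured]
```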