To use SAML 2.0 Authentication with Azure AD, go to your Azure Portal and add a new Application Registration. You need to click on Azure Active Directory → App registration → New application registration, as shown below:
On the Create form:
Choose a name for your app
Application type should be set to Web app / API
Sign-on URL must be set to the Assertion Consumer Service URL of your Team, which is shown in the right sidebar of https://stackoverflow.com/c/yourteam/admin/auth-settings
Now go to Settings → Properties.
Your App ID URI *must* be unique within your tenant, and the same string must be entered, character for character, in both the Issuer and Audience Restriction fields on your Team auth settings page: Azure AD matches the Issuer of the sign-in request against it and places it in the Audience of the assertion it returns, so any difference (a trailing slash, a change of case) fails the login. You can make up that URI. For our example, we used https://stackoverflow.com/c/<team>/appid. After updating your App ID URI, click Save.
Now go back to your App Registrations menu and click on Endpoints.
Open the Federation Metadata Document URI in a separate tab and keep the XML it returns at hand; the endpoint URL, claim types and signing certificates you need below all come from this document.
Figure 6 - Federation Metadata Document snippet, highlighting the display name assertion
We must now set up our Team to use this Azure AD app. Open the Team Auth Settings page in a separate tab: https://stackoverflow.com/c/yourteam/admin/auth-settings
You'll need to fill the following fields according to what you got on your Azure AD App:
Single Sign-On Service Url: the SAML-P Sign-On Endpoint from the Endpoints list (see Figure 5)
Single Sign-On Service Protocol Binding: do not change, leave as POST
Issuer and Audience Restriction: the App ID URI you chose under Settings → Properties (see Figure 3); both fields take the same value
Display Name Assertion: for Azure apps, the display name assertion is usually http://schemas.microsoft.com/identity/claims/displayname. If you want to be 100% sure, check your Federation Metadata Document (see Figure 5 for where to find that XML) and search for Display Name. The correct value is the Uri attribute of the <ClaimType> element whose DisplayName is Display Name (see Figure 6 for guidance).
Email Address Assertion: for Azure apps, the email assertion is usually http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. If you want to be 100% sure, check your Federation Metadata XML and search for Email. The correct value is the Uri attribute of the matching <ClaimType> element.
Leave all checkboxes unchecked
Identity Provider Certificates: open your Federation Metadata XML and copy/paste the base64 value inside the <X509Certificate> tag, without the surrounding whitespace. Take only the certificates listed under <KeyDescriptor use="signing"> in the <IDPSSODescriptor> section; these are the keys Azure AD signs assertions with, and your Team will reject any assertion not signed by one of the certificates you enter here. There may be multiple certificates (Azure AD publishes more than one around a key rollover), so you can pick one or add all of them, separated by semicolons; adding all of them avoids a broken login when Azure AD switches signing keys, but you must still revisit this field when the metadata changes.
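The fields above are read off the Federation Metadata Document by hand in this article. The script below, added here as an example (it is not Stack Overflow's or Microsoft's code), does the same extraction programmatically: it picks the HTTP-POST SingleSignOnService endpoint, the ClaimType URIs for Display Name and Email, and the signing certificates, and it checks that each certificate value is clean base64 DER before joining them with semicolons. It assumes the element layout Azure AD uses for federation metadata (SAML 2.0 IDPSSODescriptor plus a WS-Federation RoleDescriptor carrying the offered claim types); the embedded document is a constructed, abbreviated sample with a zero tenant id, and its certificates are placeholder DER blobs, not real certificates.

```python
"""Extract Team auth-settings values from Azure AD federation metadata.

Added example; assumes the Azure AD metadata layout. SAMPLE_METADATA is
constructed and abbreviated, and its X509Certificate values are placeholder
DER blobs (a SEQUENCE holding one INTEGER), not real certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/displayname">
        <auth:DisplayName>Display Name</auth:DisplayName>
      </auth:ClaimType>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <auth:DisplayName>Email</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MAMCAQE=</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>
        MAMC
        AQI=
      </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MAMCAQM=</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def normalize_certificate(text: str) -> str:
    """Return the certificate as a single base64 line with line wrapping
    removed, after checking it decodes to DER. A DER certificate starts with
    a SEQUENCE tag (0x30); this catches pasted PEM headers or truncation."""
    compact = "".join(text.split())
    try:
        der = base64.b64decode(compact, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"X509Certificate is not valid base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("X509Certificate does not decode to DER (no SEQUENCE tag)")
    return compact


def sha256_fingerprint(compact_b64: str) -> str:
    """Fingerprint of the DER bytes, handy for tracking which key is in use."""
    return hashlib.sha256(base64.b64decode(compact_b64)).hexdigest()


def extract_team_settings(metadata_xml: str) -> dict:
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML 2.0 IdP metadata")

    # Single Sign-On Service Url: the Team setting uses the POST binding, so take
    # the HTTP-POST endpoint, not the HTTP-Redirect one listed beside it.
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == POST_BINDING:
            sso_url = svc.get("Location")
    if sso_url is None:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")

    # Claim type URIs keyed by the human-readable DisplayName you would search for.
    claims = {}
    for ct in root.iterfind(".//auth:ClaimType", NS):
        name = ct.findtext("auth:DisplayName", default="", namespaces=NS).strip()
        claims[name] = ct.get("Uri")

    # Identity Provider Certificates: only keys the IdP signs with. A KeyDescriptor
    # without a 'use' attribute may serve both purposes and is kept; use="encryption"
    # is not a signing key and is dropped.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(normalize_certificate(cert.text or ""))

    return {
        # IdP issuer, for reference only: Issuer and Audience Restriction on the
        # Team page take the App ID URI you chose, not this value.
        "idp_entity_id": root.get("entityID"),
        "single_sign_on_service_url": sso_url,
        "display_name_assertion": claims.get("Display Name"),
        "email_address_assertion": claims.get("Email"),
        "identity_provider_certificates": ";".join(certs),
        "certificate_fingerprints": [sha256_fingerprint(c) for c in certs],
    }


if __name__ == "__main__":
    for key, value in extract_team_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the metadata you downloaded by replacing SAMPLE_METADATA with the file contents; the output maps one-to-one onto the Team fields. The encryption KeyDescriptor in the sample is there to show the filter; if the document you fetch contains one, its certificate must not be pasted into the Identity Provider Certificates field.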
This is how you should set up your Team for the settings above: