Tech Blog

SAML with Azure

Following are instructions for configuring and using Microsoft Azure as an IDP with Alma:
  1. Create a Microsoft account and register for Azure.
  2. In the left-hand navigation pane, click on Azure Active Directory.
  3. Click on the App registrations tab, and click Add.
  4. Follow the prompts and create a new web application.
  5. Name it “Alma” and set the Application Type to “Web app / API”. Provide the Alma Sign-On URL (https://###SERVER_DOMAIN###/mng/login, e.g. This represents the service provider issuer (entity ID of Alma). In Azure the field is called “App ID URI”. Changing it afterwards is possible, but we noticed that it is problematic with some browsers. If you are not able to save changes, try with IE.
  6. Add the Assertion Consumer Service URL (https://###SERVER_DOMAIN###/mng/pdsHandleLogin) in the “Reply URLs” section.
  7. Azure will generate a metadata document. Under “App registrations”, click on the “Endpoints” link at the top of the App registration page. If you have both Primo and Alma, note that the metadata and endpoints are the same for all apps registered with this Azure Active Directory.

Copy the FEDERATION METADATA DOCUMENT URL. You will need it in order to define the Alma SAML integration profile (see below).

Note: unlike other IdPs, Azure doesn’t require the certificate from the SP (Alma).

Configuring the SAML integration profile in Alma

  1. Define a SAML integration profile in Alma – see OLH for more details.
  2. In the Alma SAML integration profile, select Metadata upload method: Metadata link. Supply the link to the Azure metadata file, as copied in step 6 above:

  3. Press Populate fields. Alma will automatically populate the following fields:
    – IdP issuer
    – IdP login URL
    – IdP single logout service
    – Certificate
  4. Define the following field as a match point for user details:
    – User ID location: User ID in an attribute element
    – User ID attribute name:

Note that if you make changes to the Azure configuration, the integration profile in Alma might need to be updated to reflect these changes.
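To see which values the federation metadata document supplies for the four populated fields, and to notice later when they change (for example after a signing certificate rollover), the metadata can be parsed independently. The following is an added example, not code from this post or from Alma or Azure: the tenant ID, certificate bytes, function names and dictionary keys are constructed for illustration, and it does not claim to reproduce how Alma itself reads the document.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder tenant ID, dummy bytes in place of a real certificate.
DUMMY_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAML2_ENDPOINT = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{DUMMY_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{SAML2_ENDPOINT}"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{SAML2_ENDPOINT}"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{SAML2_ENDPOINT}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def idp_fields(metadata_xml):
    """Extract issuer, login/logout URLs and certificate fingerprints from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not SAML 2.0 IdP metadata")

    def locations(tag):
        # The same endpoint is usually listed once per binding; keep distinct URLs only.
        return sorted({el.get("Location") for el in idp.findall(f"md:{tag}", NS)
                       if el.get("Location")})

    # Fingerprint the DER bytes so a certificate change is easy to spot and compare.
    certs = [hashlib.sha256(base64.b64decode("".join((x.text or "").split()))).hexdigest()
             for kd in idp.findall("md:KeyDescriptor", NS)
             for x in kd.iterfind(".//ds:X509Certificate", NS)]
    return {"idp_issuer": root.get("entityID"),
            "idp_login_url": locations("SingleSignOnService"),
            "idp_single_logout_service": locations("SingleLogoutService"),
            "certificate_sha256": sorted(certs)}


def drift(recorded, current):
    """Names of fields whose recorded value no longer matches the current metadata."""
    return sorted(k for k in current if recorded.get(k) != current[k])
```

Recording the output of `idp_fields` when the profile is first populated and comparing it with a fresh download via `drift` shows which fields in the Alma profile need to be refreshed.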

4 Replies to “SAML with Azure”

  1. I’ve followed this but my Azure app complains about a not valid SP name qualifier. What’s the next step?

    By Jakob Nylin Nilsson on January 11, 2017 at 1:20 PM

  2. There are 2 options to fix this. Please contact Support if you want the full details. However, the first and quickest way is to define the profile as an ‘ADFS’ profile. I suggest trying it, and if it doesn’t work contact Support and we’ll try the longer way.
    Alma Development

    By Ori Miller on January 15, 2017 at 11:03 AM

  3. Can we also use Azure in Primo? I’m not seeing any documentation on that. Or maybe I’m missing something from this blog post.

