Integrate Microsoft Azure as the SAML IdP

If you want to use Security Assertion Markup Language (SAML) authentication, but do not have your own Active Directory (AD) deployed, you can provision Microsoft® Azure™ as the SAML Identity Provider (IdP).

The Web Security Service supports the automatic synchronization of users and groups through the use of an integration token (described in the following procedure).

Technical Requirements

  • Port 8443 is required for browsers to post SAML assertions to a Web Security Service asset. Verify that this port is open on your gateway firewall devices.
  • This integration requires the Azure AD Premium and Enterprise Mobility Suite products. During the procedure, you are prompted to begin trials if you do not already have them.
  • To prevent browser looping, add the IdP lookup URL(s) to the Authentication Bypass list: :

    See Exempt From Authentication.

Tip: This demonstration uses screenshots from the Azure Portal updated in Oct 2018. Microsoft might change the UI at their discretion.



When you start the initial synchronization, it can take on the average of 15 to 45 minutes before Azure begins to send data to the Web Security Service. Subsequent synchronizations require less time.

In the Web Security Service portal, navigate to the Service mode > Authentication > Users and Groups > Third-Party Sync tab. This page displays all of the users and groups provided by the IdP.


The various policy editors now include the group information as configured in Azure. You can select them and define group-based policies.

Azure Groups blocked

In the above example, the policies to block roleA and roleB block all users who belong to groups that have been assigned as either roleA or roleB in their Azure Web Security Service SAML application.

(Optional) Rebrand Login Page

You can configure Azure to display the credential challenge to employees with the colors and logo of your company. If you do not opt to do so, employees receive the default Microsoft log in page. The follow Microsoft topic provides the procedure.


Optional—Exempt Sources/Destinations from Authorization

SAML and Captive Portal authentication methods use re-directions. Some network environments might not be compatible, which requires you to bypass sources or destinations to ensure client operations. Or you might have other reasons to bypass.

Next Step

Alternate Media

Microsoft created a documentation topic that demonstrates the integration.