Azure AD Integration with NAM



This cool solution will provide directions on how to configure NetIQ Access Manager Single Sign-on using Azure Active Directory as your identity provider. To do this configuration you need a Microsoft Azure Active Directory account. Azure Active Directory is Microsoft’s multi-tenant, cloud based directory, and identity management service. Azure Active Directory editions are 3 types, choose premium to try out with a trial version.

Why is this useful?

This allows users to do SSO with Azure Active Directory authentication and seamless access to Enterprise applications or SaaS applications. Users can access Azure Active Directory and access NAM SSO with other applications without additional login. Azure Active Directory allows to create local user to Azure Active Directory. Those users can authenticate to Azure Active Directory and authenticate with NAM to access additional services. NetIQ Access Manager supports Risk Based Authentication and strong authentication using Advanced Authentication Framework can be combined with SAML2 process to secure services.

Goal of this solution

NetIQ Access Manager provides documentation which lists steps on how to configure SAML2 Identity Provider.

Microsoft’s Azure Active Directory documentation provides information on how to configure application and its Single Sign-on settings.

This Solution will guide you with the basic steps to setting up NAM as a Service Provider and Azure Active Directory as an Identity Provider.

This cool solution consists of two main building blocks:

    1. Adding NetIQ Access Manager as Managed SaaS Application


    1. Configuring and testing Azure Active Directory single sign-on

Adding NetIQ Access Manager as Managed SaaS Application

To configure the integration of NetIQ Access Manager into Azure AD, you need to add NAM to your list of managed SaaS apps.

Configuration steps

    1. Gather Azure AD login credentials or sign in for trial


    1. Login to Azure at


    1. Click on “Azure Active Directory” from the left side menu


    1. Click on “Enterprise applications”



    1. Click on “New application” or right click on right pane and select “New Application”



    1. Select “Non-gallery application”



    1. Provide “Name”


    1. Application is created

Configuring and testing Azure AD single sign-on

In this section, you configure and test Azure AD single sign-on with NAM, you need to complete the following building blocks:

    1. Configuring Azure AD Single Sign-On – to enable your users to use this feature


    1. Creating an Azure AD test user – to test Azure AD single sign-on


    1. Configuring NetIQ Access Manager Single Sign-On – to enable single sign-on within NAM


    1. Assigning the Azure AD test user – to enable test user to use Azure AD single sign-on


    1. Testing Single Sign-On – to verify whether the configuration works

Configuring Azure AD Single Sign-On

In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your NAM application

To configure Azure AD single sign-on with NAM, perform these following steps:

    1. In the Azure portal, on the NAM application integration page, click on “Configure single sign-on (required)” or “Single sign-on” on left side menu.



    1. Select “Single Sign-on Mode” as “SAML-based Sign-on”



    1. Enter “identifier” value as NAM entitID “”



    1. Enter “Reply URL” value as NAM assertion consumer URL “”


    1. Select checkbox “View and edit all other user attributes” and view what attributes are sent with assertion.



    1. Download Metadata XML



    1. Click on Configure “NAM-test” for more help on federation information

Creating an Azure AD test user

The Objective of this section is to create a test user in the Azure portal

    1. On the left navigation pane in the Azure Portal, click Azure Active Directory


    1. Click on Users and groups



    1. Click on “All users”



    1. Click on “New User”



    1. On the User dialog page, enter test user information



    1. Click on “Create”

Configuring NetIQ Access Manager Single Sign-On

    1. Open downloaded metadata xml file from previous setups of “Configuring Azure AD Single Sign-On“


    1. Remove / delete RoleDescriptor tags and make sure only EntityDescriptor and IDPSSODescriptor tags exists



    1. Save modified metadata xml file


    1. Login to Access Manager admin console


    1. Edit cluster configuration navigate to SAML2 tab


    1. Click New and select identity provider


    1. Select “Metadata Text” as source from drop down list


    1. Enter name for this IDP


    1. Copy paste the metadata from modified metadata xml file at previous step



    1. Click next and ok


    1. Select just now created Identity provider from the list under SAML2 tab



    1. Navigate to “Authentication Card” and select “Authentication Request”


    1. Modify the “Response protocol binding” to “Post”



    1. Click OK and update IDP Configuration


Assigning the Azure AD test user

    1. In the Azure portal, open applications view, and then navigate to the directory view and go to “Enterprise applications” then click “All applications”



    1. In the applications list, select NAM



    1. In the menu on the left Click on “Users and groups”



    1. Click “Add user”, then select “Users and groups” on “Add Assignment”



    1. Select user from existing list or create a new user going back to left side menu “more services” filter by users



    1. Click “Assign” button on “Add Assignment” dialog.

Testing Single sign-on

    1. Access Access Manager Portal page


    1. Select Authentication card for Azure IDP


    1. On redirect to Azure enter test user credentials


    1. Azure IDP Sends SAML2 Assertion response to NAM and shows federation login page, Enter login user credentials to map to local user, if one don’t want user identification rule has to be created with Azure IDP configuration of NetIQ Access Manager.




Please share your comments!!


How To-Best Practice
Support Tip
Comment List
  • This article is very helpful.  Especially the part about modifying the metadata.

    Is it possible to call a SAML 2.0 identity provider from a risk-based policy in Access Manager 4.5?  If so, please provide details.

    It would be helpful to include info about the certificate in the Azure metadata.  You need to make sure to import it into Access Manager trusted roots if it is self signed.