Mist AzureAD SAML configuration

Log in to your Azure portal and go to Azure Active Directory -> Enterprise Applications -> New Application. Click “Non-Gallery Application”, enter whatever name you wish to use for the application, e.g. “Mist”, then click Add. Go to the new application, click “Single Sign-On” and select “SAML”. Copy the “AzureAD Identifier” from section 4.

Click on the pencil icon next to SAML Signing Certificate and set “Signing option” to “Sign SAML response and assertion”.

Download “Certificate (Base64)”

Log in to https://manage.mist.com and go to Organisation -> Settings. Under Single Sign-On click “Add IDP”. Enter a name such as “AzureAD” and complete the fields as per the table below. For the certificate, open the “Certificate (Base64)” file that you downloaded from your Azure app in a text editor, copy the entire content of the file and paste it into the “Certificate” box.

The rest of the fields can be copied and pasted from your Azure app as follows:

Mist | Azure
SSO URL | Login URL
Custom Logout URL | Logout URL
Issuer | AzureAD Identifier
Certificate | Content of downloaded “Certificate (Base64)”

Next, we need to complete the configuration of Azure. You can do this manually, but it is easier to download your metadata file from Mist and upload it to Azure.

The URL for https://manage.mist.com contains your organisation ID, i.e. https://manage.mist.com/admin/?org_id={orgid}. Copy your orgid from this link and go to https://api.mist.com/api/v1/orgs/{orgid}/ssos. You’ll see a JSON object returned; one of the elements will be “id”: “{ssoid}”. Copy your ssoid from it and go to https://api.mist.com/api/v1/orgs/{orgid}/ssos/{ssoid}/metadata.xml, which will give you your metadata.xml file. Save this somewhere.

Go to your AzureAD application -> Single Sign On -> SAML -> Upload metadata file and select the metadata.xml you downloaded.

You now have SAML set up between AzureAD and Mist, but you can’t log in yet because you’re not currently passing a “Role” attribute.

First, log into Mist -> Organization -> Settings. Under “Single Sign-on” click Create Role. For “Name” enter a sensible value for each role that you wish to set up.

It probably makes most sense to use AzureAD group memberships for this. There are several ways to do this, but we do it like this.

Go back to your Azure Mist app -> Single Sign-on. Click the pencil button next to “User Attributes & Claims”, then “Add a new claim”. Enter the name as “Role”, set the source to Attribute and then enter “None” in the “Source attribute”. This ensures that people who aren’t in the correct groups get a role of “None”, which prevents them from logging in.

Expand “Claim conditions” then in the “User type” dropdown select “Members”. Click “Select groups” and select the relevant group. For “Source” select Attribute and for “Value” type in the Mist role name you wish to assign to users that are members of this group. Continue to add groups for your desired roles.
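To confirm what Azure actually sends before testing a login, the following added example (not part of the original post or any Mist/Azure tooling) inspects a captured SAMLResponse form field and reports whether both the response and the assertion carry a signature element and which “Role” values are present. It assumes the HTTP-POST binding and an unencrypted assertion; the sample XML and the function name are constructed for illustration, and the script only checks that signature elements are present, it does not verify them cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample, trimmed to the elements this check reads.
# The signature elements are empty stubs, not real signatures.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature/>
  <saml:Assertion>
    <ds:Signature/>
    <saml:AttributeStatement>
      <saml:Attribute Name="Role">
        <saml:AttributeValue>None</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_saml_response(b64_response):
    """Report signing coverage and Role values from a base64 SAMLResponse field."""
    # Only feed this responses captured from your own tenant; it is a
    # troubleshooting aid, not a validating SAML parser.
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    roles = []
    if assertion is not None:
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == "Role":
                roles += [(v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", NS)]
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        "roles": roles,
        # No Role claim, or only the "None" fallback, means no usable Mist role.
        "has_usable_role": any(r and r != "None" for r in roles),
    }


if __name__ == "__main__":
    print(inspect_saml_response(base64.b64encode(SAMPLE_XML.encode())))
```

A user outside every mapped group should show a role list of just “None”; a user in a mapped group should show the Mist role name you typed into the claim condition.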

In your Azure Mist app you’ll need to grant access to users at “Users and Groups”. Add the relevant groups to allow access. Users will see Mist in the Office 365 launcher under
