Connect your Django app with Azure AD SSO

Tue 09 March 2021

Get your Django app to work with Azure AD single sign-on over SAML.


This writeup is based on other people's work, so I assume that your app is Sal/Crypt and that you already have the app itself working in the SAML-enabled docker container.

This post is based on the information found here:

Application setup

The application is set up using the docker container below, which ships the SAML libraries (djangosaml2/pysaml2) that the app needs.

docker pull macadmins/sal-saml

You also need to be able to mount a custom config file and the IdP metadata.xml inside your container.

Here is the script that I use to start my container. Two details did not survive on this page: the original listing had an empty -e "" option whose NAME=value is missing (Docker rejects an empty variable name, so supply the real variable or leave the flag out), and the container-side file name of the mounted macadmins_setup.conf is missing, so that mount still targets the bare directory /home/docker/sal/sal/ and has to be completed before use. The image name at the end of the docker create command is the one pulled above.

#!/usr/bin/env bash
# Recreate the Sal SAML container from scratch on every start.

# Remove any previous container with the same name; ignore "no such container".
/usr/bin/docker rm 01-sal >/dev/null 2>&1

# -m 0b means no memory limit. --env-file keeps the app's secrets out of the
# command line, so they do not show up in ps output or shell history.
# The plugins directory, the settings file and the Azure AD metadata.xml are
# mounted in from the host so the container itself stays stateless.
/usr/bin/docker create \
  --net bridge \
  -m 0b \
  -e "DOCKER_SAL_TZ=Europe/Oslo" \
  -e "VIRTUAL_PORT=8081" \
  --env-file /usr/local/docker/sal.env \
  -p 8081:8000 \
  -v /local/docker/data/sal_data/plugins:/home/docker/sal/plugins \
  -v /local/docker/conf/macadmins_setup.conf:/home/docker/sal/sal/ \
  -v /local/docker/conf/macadmins_metadata.xml:/home/docker/sal/sal/metadata.xml \
  --restart=unless-stopped \
  --name 01-sal \
  macadmins/sal-saml

# Start attached so the container's log ends up in this shell.
/usr/bin/docker start -a 01-sal

exit $?

Django config

I used this file as a starter:

And then replace the following parts as needed:


- entityid: the identifier of your SP (this is what you will enter as "Identifier (Entity ID)" in Azure AD)
- assertion_consumer_service: the URL Azure AD posts the SAML response to (the "Reply URL" in Azure AD)
- single_logout_service: the URL Azure AD sends logout requests to (the "Logout Url" in Azure AD)
- required_attributes: these should match the keys of SAML_ATTRIBUTE_MAPPING (uid, mail, givenName, sn below), so a response missing one of them is rejected instead of creating a half-filled Django user

SAML_ATTRIBUTE_MAPPING and a few other quirks:

SAML_ATTRIBUTE_MAPPING maps the attribute names pysaml2 resolves from the assertion onto Django user fields. Azure AD sends the attributes under their urn:oid:... names; pysaml2's built-in attribute map translates those into the friendly names used here:

SAML_ATTRIBUTE_MAPPING = {
    'uid': ('username', ),
    'mail': ('email', ),
    'givenName': ('first_name', ),
    'sn': ('last_name', ),
}

Inside SAML_CONFIG['service']['sp'], add an idp entry keyed by the Azure AD entity ID and pointing at your tenant's SAML endpoints. Replace [tenantId] with your tenant ID; the hosts are Azure AD's standard endpoints and have to agree with what the downloaded metadata.xml says:

'idp': {
    'https://sts.windows.net/[tenantId]/': {
        'single_sign_on_service': {
            saml2.BINDING_HTTP_REDIRECT: 'https://login.microsoftonline.com/[tenantId]/saml2',
        },
        'single_logout_service': {
            saml2.BINDING_HTTP_REDIRECT: 'https://login.microsoftonline.com/[tenantId]/saml2',
        },
    },
},

You also have to add the following to the config:

'service': {
    # we are just a lonely SP
    'sp': {
        'authn_requests_signed': False,
        'allow_unsolicited': True,
        'want_assertions_signed': True,
        'want_response_signed': False,
    },
},

Two of these deserve a second look. want_response_signed is False, so everything rests on want_assertions_signed being True: Azure AD signs the assertion by default, and pysaml2 then rejects any assertion that does not carry a valid signature from the certificate in metadata.xml. allow_unsolicited is True so that a response the SP never asked for (an IdP-initiated login) is accepted; that also means the response is not tied to an outstanding AuthnRequest through InResponseTo, so set it to False if users only ever start the login from your app.

AzureAD Config

  • In the Azure portal, under Enterprise applications, create a new application and choose "Non-gallery application".

    Don't use the "App registrations" experience, as it will not give you the metadata.xml file you will need later.

  • Under "Single sign-on", choose SAML.

  • Set "Basic SAML Configuration" to the values from your Django config:

    Identifier (Entity ID): the entityid of your SP

    Reply URL (Assertion Consumer Service URL): the assertion_consumer_service URL

    Sign on URL: the URL users land on when they start the login from Azure AD (the My Apps portal)

    Relay State: optional

    Logout Url: the single_logout_service URL

    The URLs have to match the SP config exactly (scheme, host and path); a response addressed to a different endpoint is rejected.

  • Set the "Name identifier format" of the "Unique User Identifier (Name ID)" claim to "Persistent".

  • Set "User Attributes & Claims" to the following. The claim names are the standard OIDs that pysaml2's attribute map resolves to givenName, uid, sn and mail, so they line up with the keys of SAML_ATTRIBUTE_MAPPING:

    urn:oid:2.5.4.42 (givenName): user.givenname

    urn:oid:0.9.2342.19200300.100.1.1 (uid): user.userprincipalname

    urn:oid:2.5.4.4 (sn): user.surname

    urn:oid:0.9.2342.19200300.100.1.3 (mail): user.mail

    Unique User Identifier (Name ID): user.userprincipalname

    Keep in mind that userPrincipalName is mutable: if a user's UPN changes, the uid changes with it, and with djangosaml2's default SAML_CREATE_UNKNOWN_USER a new Django user is created instead of the old one being matched.

Wrap up

Download the metadata.xml (it is called "Federation Metadata XML" in the GUI) and place it somewhere your app can find it; in this setup that is the file mounted at /home/docker/sal/sal/metadata.xml by the start script above.
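Before restarting, it is worth checking that the metadata you just downloaded and the idp/sp block from the Django config section above actually describe the same tenant and endpoints, since a mismatch only shows up as a vague signature or "unknown IdP" error at login time. The script below is an added example, not code from the original post, Sal or djangosaml2. It uses only the standard library; SAMPLE_METADATA is a constructed stand-in shaped like Azure AD's Federation Metadata XML, TENANT_ID is a placeholder, and FAKE_CERT_DER is arbitrary bytes, not a real X.509 certificate. Point parse_idp_metadata at the real file contents to use it for your tenant.

```python
"""Cross-check Azure AD "Federation Metadata XML" against the idp/sp part of
SAML_CONFIG. Added example; standard library only. SAMPLE_METADATA is a
constructed stand-in for the real download, FAKE_CERT_DER is not a real cert."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The URN strings behind pysaml2's saml2.BINDING_HTTP_REDIRECT / BINDING_HTTP_POST.
BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
FAKE_CERT_DER = b"constructed-bytes-not-a-real-certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" ID="_constructed"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data>
        <X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{BINDING_HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{BINDING_HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{BINDING_HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the IdP entityID, SSO/SLO locations per binding and the SHA-256
    fingerprints of every signing certificate published in the metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        root = root.find("md:EntityDescriptor", NS)  # wrapped in EntitiesDescriptor
    idp = root.find("md:IDPSSODescriptor", NS) if root is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor found: this is not IdP metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys never sign assertions
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())

    def by_binding(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}

    return {"entity_id": root.get("entityID"),
            "sso": by_binding("md:SingleSignOnService"),
            "slo": by_binding("md:SingleLogoutService"),
            "signing_cert_sha256": fingerprints}


def build_saml_config(tenant_id):
    """The idp/sp part of the post's SAML_CONFIG for one tenant."""
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/saml2"
    return {"service": {"sp": {
        "authn_requests_signed": False,
        "allow_unsolicited": True,
        "want_assertions_signed": True,
        "want_response_signed": False,
        "idp": {f"https://sts.windows.net/{tenant_id}/": {
            "single_sign_on_service": {BINDING_HTTP_REDIRECT: endpoint},
            "single_logout_service": {BINDING_HTTP_REDIRECT: endpoint}}}}}}


def check_saml_config(meta, tenant_id, saml_config):
    """Compare parsed metadata with SAML_CONFIG; an empty list means they agree."""
    problems = []
    if meta["entity_id"] != f"https://sts.windows.net/{tenant_id}/":
        problems.append(f"metadata entityID {meta['entity_id']!r} is not tenant {tenant_id}")
    if not meta["signing_cert_sha256"]:
        problems.append("metadata has no signing certificate; assertions could not be verified")
    sp = saml_config["service"]["sp"]
    if not sp.get("want_assertions_signed") and not sp.get("want_response_signed"):
        problems.append("want_assertions_signed and want_response_signed are both off: nothing is verified")
    idp_cfg = sp.get("idp", {}).get(meta["entity_id"])
    if idp_cfg is None:
        problems.append(f"SAML_CONFIG has no idp entry keyed by {meta['entity_id']!r}")
        return problems
    for svc, key in (("sso", "single_sign_on_service"), ("slo", "single_logout_service")):
        configured = idp_cfg.get(key, {}).get(BINDING_HTTP_REDIRECT)
        published = meta[svc].get(BINDING_HTTP_REDIRECT)
        if configured != published:
            problems.append(f"{key}: config says {configured!r}, metadata says {published!r}")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("signing cert sha256:", *meta["signing_cert_sha256"])
    for line in check_saml_config(meta, TENANT_ID, build_saml_config(TENANT_ID)) or ["OK: metadata and SAML_CONFIG agree"]:
        print(line)
```

The fingerprint is printed so you can pin it in your change log; when Azure AD rolls the signing certificate, re-downloading the metadata and re-running this is how you notice that metadata.xml in the container is stale.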

Assign the users and groups that should be able to log in to your application; only assigned users get an assertion from Azure AD.

And that's about it. Restart your application and check that the login works.

Tagged as : python django azure