I have some exciting news to share. We are announcing the public preview for support of SAML token encryption in Azure Active Directory (Azure AD). Some organizations need encryption to meet internal security standards or compliance requirements. With this feature, you will be able to encrypt the SAML token that Azure AD sends to the application after a successful authentication.
I should note that tokens are always passed between Azure AD, the client browser, and the application they are destined for using encrypted transport links (HTTPS/TLS), so token contents are never on the wire in the clear regardless of whether token encryption is configured or not.
Now that Azure AD support SAML token encryption, you can go ahead and move applications requiring this capability from AD FS to work directly with Azure AD.
To configure an application registration for encryption:
From there you can upload a public certificate to use with your application. (The certificate you use will depend on your particular application. It may be one you generate and upload on both ends, or one you obtain from the application.)
SAML Token Encryption is a premium (P1/E3) feature. We expect general availability by the of March 2019. See our documentation for configuring an application for SAML token encryption. Let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.
Alex Simons (@Alex_A_Simons )
Corporate VP of Program Management
Microsoft Identity Division
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.