SDL Tridion Sites 9.0 Integration with SAML 2.0 Azure Active Directory

This is my first blog post of the year and also my first on SDL Tridion Sites 9.0. I would like to write about my learning of one of the great new features in SDL Tridion Sites 9.0: SAML 2.0 support.

Previously, Content Manager supported Single Sign-On (SSO) solutions that are now outdated and not cloud-ready for the browser-based user interfaces (Content Manager Explorer and Experience Manager). SDL Tridion Sites 9.0 now offers support for SAML 2.0, covering both the Identity Provider-initiated (IdP-initiated) and the Service Provider-initiated (SP-initiated) scenario. User provisioning and group mapping are also supported.


SSO – SAML 2.0 Support

  • Use corporate accounts to log in
  • Support for login flows
    • Identity Provider (IdP) initiated
    • Service Provider (SP) initiated
  • User provisioning with Group mappings
  • SDL Tridion Sites session / SAML token expiration and renewal

Prerequisites

  • SDL Tridion Sites must be set up with HTTPS
  • Azure Active Directory
    • Azure Directory ID
    • Set up AD users and groups (note each group's object ID; it is mapped to a CME group's identity provider later in this setup)
  • App Registrations
    • Display Name: SDL Tridion Sites 9.0
    • Application Type: Web app / API
    • App ID
    • Reply URL must be https://vagrant-2016/WebUI/ (always with a trailing slash)
    • In the application registration manifest, make sure groupMembershipClaims is set to All.

Azure AD: a “real” IdP-initiated scenario is only available with Premium subscriptions.

Steps to set up and activate SAML 2.0 in SDL Tridion Sites 9.0

  1. Open a PowerShell window as Administrator
  2. Go to [Tridion-Home]\bin\Configuration Scripts
  3. To enable the SAML setup, the SDL Web application must be served over HTTPS
    1. Run this command to enable HTTPS on SDL Web: .\SetupHTTPS.ps1


  4. Copy the SetupAzureIDP_params_sample.txt file from [Tridion-Home]\bin\Configuration Scripts\Samples\ to the [Tridion-Home]\bin\Configuration Scripts\ folder, rename it to SetupAzureIDP_params.txt and modify the values highlighted in the image

Fields to modify in the Azure AD params sample:
SP_Audience is the Application ID.
All other IDs are the Directory ID.


Azure App Registration ID:

Azure Active Directory ID:

Azure Active Directory ID – to find it, go to Azure Active Directory -> Properties


  5. Run .\SetupSAML.ps1


  6. Access the CME and authenticate via the Azure AD login page
  7. In the CME, go to Administrator -> User Management -> Groups, create a new group called “External Authors” and specify the group's visibility over the publications
  8. In the External Authors group's Members tab, add the Azure identity provider
  9. Note the Azure group object ID, which needs to be mapped to the CME group's identity provider
  10. Once the Azure identity provider group mapping is configured successfully, the Azure group's users are synced to SDL Tridion Sites automatically.
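As an added example (not part of SDL Tridion Sites or its configuration scripts), the following Python checks an Azure AD SAML 2.0 assertion against the values configured above: the issuer must carry the Directory ID, the Audience must equal the Application ID (SP_Audience), the token must not be past NotOnOrAfter, and the group object IDs in the groups claim are matched against the IDs mapped to CME groups. The sample assertion and all GUIDs are constructed placeholders, and the check assumes the assertion's XML signature has already been verified by the service provider.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD emits group object IDs under this claim when groupMembershipClaims is set.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion with placeholder IDs; not a real Azure AD token.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1" Version="2.0" IssueInstant="2019-01-10T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/11111111-1111-1111-1111-111111111111/</saml:Issuer>
  <saml:Conditions NotBefore="2019-01-10T10:00:00Z" NotOnOrAfter="2019-01-10T11:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>22222222-2222-2222-2222-222222222222</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
      <saml:AttributeValue>44444444-4444-4444-4444-444444444444</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2019-01-10T11:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, directory_id, app_id, mapped_group_ids, now=None):
    """Check a signature-verified Azure AD assertion against the Directory ID (issuer),
    the Application ID (SP_Audience) and the Azure group object IDs mapped to CME groups.
    `now` is an ISO timestamp (defaults to the current UTC time)."""
    assertion = ET.fromstring(xml_text)
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=SAML_NS) or "").strip()
    audiences = [a.text.strip() for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", SAML_NS)]
    not_after = _parse_ts(assertion.find("saml:Conditions", SAML_NS).get("NotOnOrAfter"))
    current = _parse_ts(now) if now else datetime.now(timezone.utc)
    groups = [v.text.strip() for v in assertion.findall(
        f".//saml:Attribute[@Name='{GROUPS_CLAIM}']/saml:AttributeValue", SAML_NS)]
    return {
        # Azure AD's SAML issuer is https://sts.windows.net/<Directory ID>/
        "issuer_ok": issuer == f"https://sts.windows.net/{directory_id}/",
        "audience_ok": app_id in audiences,        # SP_Audience must be the App ID
        "expired": current >= not_after,           # past expiry: session must be renewed
        "matched_groups": sorted(set(groups) & set(mapped_group_ids)),
    }
```

Only groups whose object ID appears in `matched_groups` would be synced into a mapped CME group; an unmapped Azure group in the claim is simply ignored.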




Thanks to Anton Minko for a good demo.

It was a really good learning and sharing experience.

I hope this helps. If you have any questions, please direct them to Tridion StackExchange.