Create SAML application for Mirror Gateway using AAD
search cancel

Create SAML application for Mirror Gateway using AAD


Article ID: 272430


Updated On:


CASB Gateway Advanced


A SAML application must be created for MIG (Mirror Gateway) in AAD (Azure AD).


In order to configure user initiated mirror gateway flow do the following:

1. Create azure application in azure portal. Please make sure that this application has the same AD rules as your target application (such as office365).

2. Create mirror gateway application - This is currently done by the MiG team.


1. Creating an Azure application

1.1. go to Azure admin portal and navigate to Enterprise applications

1.2. Create “New Application” -> “Create your own application” -> “register an application to integrate with azure AD”

1.3. Update the ACS URL: In the redirect URI we will need to insert the “/acs” url from mirror gateway Activation email. If you don’t have it handy, you can leave it
blank and click on register, and fill it after MG setting is completed.

1.4. Assign user access privilege: Go to “users” settings and assign users\roles with this application.

Creating a test user.
In case you are trying MiG on a test tenant that has no created users on it, you could create a test user with the following attributes for testing. It’s not recommended to create the following on your production tenant but rather use an existing real username.

Creating a new user in AAD is achieved in powershell within a windows machine.

  • Connect to your tenant using powershell.
    $UserCredential = Get-Credential
    Connect-MsolService -Credential $UserCredential

  • Create the new user.
    • Replace <miguser> and XXX below with your own values.

      New-MsolUser -DisplayName " miguser " -UserPrincipalName
      [email protected] -Password "XXX " -FirstName mig -LastName
      user -ImmutableId miguser

1.5. Go to “endpoints” settings within the single-sign-on page:

Copy the “federation metadata document” and save it as local xml file (for example: idp_metadata.xml)

1.6. Go to “application ID URI” settings within the single-sign-on page:

Copy the string (usually starts with api://xxxx…) If no URI exists, create a new one and copy it.

1.7. Create a new xml file (call it auth_application.xml)

<?xml version="1.0" encoding="UTF-8" ?>
  <entityId> THE_URI_YOU_COPIED_ABOVE </entityId>

Replace the entityId with the URI you copied in the last step.

1.8. Above “application ID URI” there’s a new link to update “Redirect URIs”. If you didn't specify redirect uri in section 1.3, know you can change it later using this link.

Provide Broadcom with the 2 xml files.