
Enterprise SSO with Microsoft Entra ID for Rec Centers

Overview

Successfully implemented Single Sign-On (SSO) integration for 4 recreation center sites across 8 environments (production and training) using Microsoft Entra ID and ADFS SAML. This comprehensive guide covers the entire implementation journey from planning to deployment.

Project Scope

  • Sites: 4 recreation center websites (Rec Center 1, Rec Center 2, Rec Center 3, and Rec Center 4)
  • Environments: 8 total (4 production + 4 training)
  • Integration: Microsoft Entra ID with ADFS SAML
  • User Management: Active Directory groups with PowerShell automation
  • Timeline: 3-month implementation period
  • Deliverables: Architecture design, rollout plan, SSO runbook, user analysis, automation scripts, testing framework

Project Deliverables

Architecture Design

  • Format: DrawIO diagrams
  • Content: System architecture, SAML flow, network topology
  • Purpose: Technical blueprint for implementation

Rollout Plan

  • Format: Word document
  • Content: Detailed implementation schedule, risk mitigation, stakeholder communication
  • Purpose: Project management and change control

SSO Setup Runbook

  • Format: Word document
  • Content: Step-by-step configuration procedures, troubleshooting guides
  • Purpose: Operational documentation and knowledge transfer

User Analysis

  • Format: Excel workbook
  • Content: Active user inventory, profile analysis, group assignments
  • Purpose: User provisioning and access management

Automation Scripts

  • Format: PowerShell scripts
  • Content: Security group creation, AD user provisioning, group management
  • Purpose: Automated user lifecycle management

Testing Framework

  • Format: Playwright test suites
  • Content: End-to-end SSO testing, user journey validation
  • Purpose: Quality assurance and regression testing

Phase 1: Solution Design and Research

Vendor Collaboration and Solution Architecture

  1. Requirements Analysis
    • Engaged with vendor support teams to identify optimal SSO solution
    • Evaluated multiple authentication providers
    • Selected Microsoft Entra ID for enterprise-grade security and scalability

  2. Technical Design
    • ADFS SAML integration architecture
    • Attribute mapping configuration
    • Federation trust establishment
    • Security token service configuration

SAML Authentication Flow

sequenceDiagram
    participant U as User
    participant B as Browser
    participant E as Entra ID (IdP)
    participant A as ADFS
    participant RP as Rec Center 1
    participant SE as Rec Center 2
    participant SI as Rec Center 3
    participant PA as Rec Center 4

    U->>B: Access Recreation Center App
    B->>E: Redirect to Entra ID
    E->>A: Authenticate via ADFS
    A->>E: Return SAML Assertion
    E->>B: Forward SAML Response
    B->>RP: Submit SAML to App
    RP->>B: Authentication Success
    B->>U: Grant Access

Security and Privacy Compliance

  • Collaborated with security and privacy teams for design review
  • Ensured compliance with organizational security policies
  • Implemented data protection measures
  • Completed risk assessment and mitigation planning

Phase 2: Planning and Stakeholder Management

Rollout Strategy

Created a comprehensive rollout plan prioritizing risk mitigation:

Implementation Timeline

gantt
    title SSO Implementation Timeline (3 Months)
    dateFormat  YYYY-MM-DD
    section Phase 1: Research
    Vendor Collaboration     :done, research1, 2026-01-01, 2w
    Solution Design          :done, research2, after research1, 2w
    Security Review          :done, research3, after research2, 1w

    section Phase 2: Planning
    User Inventory           :done, plan1, 2026-02-01, 1w
    Stakeholder Engagement   :done, plan2, after plan1, 2w
    Rollout Strategy         :done, plan3, after plan2, 1w

    section Phase 3: Training
    AD Setup                 :active, train1, 2026-02-15, 1w
    PowerShell Scripts       :train2, after train1, 1w
    Entra Configuration      :train3, after train2, 1w
    UAT Testing              :train4, after train3, 2w

    section Phase 4: Production
    CAB Approval             :prod1, 2026-03-15, 1w
    Rec Center 1 Deploy      :prod2, after prod1, 1w
    Rec Center 2 Deploy      :prod3, after prod2, 1w
    Rec Center 3 Deploy      :prod4, after prod3, 1w
    Rec Center 4 Deploy      :prod5, after prod4, 1w

  1. Site Selection Criteria
    • User volume analysis
    • Business impact assessment
    • Technical complexity evaluation
    • Change readiness assessment

  2. Stakeholder Engagement
    • Recreation center managers and supervisors
    • Network infrastructure team
    • Security and compliance teams
    • Change Advisory Board (CAB)

User Inventory and Verification

  1. Data Collection
    • Extracted active users from all production environments
    • Compiled comprehensive user directory
    • Identified role-based access requirements

  2. Verification Process
    • Coordinated with rec center managers for user validation
    • Confirmed user roles and permissions
    • Ensured data accuracy before migration

Phase 3: Training Environment Implementation

Active Directory Infrastructure Setup

  1. Group Creation Strategy
    • Designed hierarchical AD group structure
    • Implemented role-based access control (RBAC)
    • Created environment-specific groups for isolation

  2. PowerShell Automation
    • Automated security group creation and management across environments.
    • Consistent AD user provisioning and deprovisioning workflows.
    • Idempotent scripts to prevent configuration drift.
    • Auditable operations via scripted deployments and logging.
    • Fast bulk user and group updates for large directories.
    • Enables repeatable environment setup for training and production.
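The idempotent, environment-isolated group automation described above, as an added example rather than the project's own script: it creates one security group per site, environment and role only when the group is absent, then reconciles membership from an inventory export and logs each change. The RSAT ActiveDirectory module is assumed; site names, the OU, the log path and the inventory rows are placeholders constructed for illustration.

```powershell
# Added example, not the project's own script: idempotent creation of environment-specific
# SSO security groups plus a membership sync, with every change written to a log.
# Assumes the RSAT ActiveDirectory module and a writable OU; site names, OU path, log path
# and the inventory rows are placeholders constructed for illustration.
Import-Module ActiveDirectory
$Sites        = 'RecCenter1', 'RecCenter2', 'RecCenter3', 'RecCenter4'
$Environments = 'Prod', 'Train'
$Roles        = 'Staff', 'Manager'
$TargetOU     = 'OU=SSO-Groups,DC=example,DC=local'   # placeholder OU
$LogPath      = 'C:\Logs\sso-groups.log'               # placeholder log path
function Write-Log([string]$Message) {
    $line = "$((Get-Date).ToString('s')) $Message"
    Add-Content -Path $LogPath -Value $line; Write-Host $line
}
# Create the group only when absent, so re-running never errors and never drifts.
function Ensure-SsoGroup([string]$Name, [string]$Description) {
    $existing = Get-ADGroup -Filter "SamAccountName -eq '$Name'"
    if ($existing) { Write-Log "unchanged group $Name"; return $existing }
    $group = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global -GroupCategory Security `
                         -Path $TargetOU -Description $Description -PassThru
    Write-Log "created group $Name"
    return $group
}
# Make direct membership exactly $Desired: add what is missing, remove what no longer belongs.
function Sync-SsoGroupMembers([string]$GroupName, [string[]]$Desired) {
    $current  = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object SamAccountName)
    $toAdd    = @($Desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $Desired })
    if ($toAdd)    { Add-ADGroupMember -Identity $GroupName -Members $toAdd
                     Write-Log "added $($toAdd -join ',') to $GroupName" }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
                     Write-Log "removed $($toRemove -join ',') from $GroupName" }
}
# Naming scheme SSO-<Site>-<Env>-<Role> keeps training and production groups strictly separate.
foreach ($site in $Sites) { foreach ($env in $Environments) { foreach ($role in $Roles) {
    Ensure-SsoGroup -Name "SSO-$site-$env-$role" -Description "SAML $role access to $site ($env)" | Out-Null
} } }
# Constructed sample rows in the shape of the user-inventory workbook's CSV export.
$Inventory = @'
SamAccountName,Site,Environment,Role
jdoe,RecCenter1,Prod,Staff
asmith,RecCenter1,Prod,Manager
'@ | ConvertFrom-Csv
$Inventory | Group-Object Site, Environment, Role | ForEach-Object {
    $first = $_.Group[0]
    Sync-SsoGroupMembers -GroupName "SSO-$($first.Site)-$($first.Environment)-$($first.Role)" -Desired $_.Group.SamAccountName
}
```

A second run against an unchanged inventory should log only "unchanged group" lines, which is the quick way to confirm the script is actually idempotent before pointing it at production.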

Network Infrastructure Configuration

  1. Entra Application Setup
    • Created enterprise applications in Entra ID
    • Configured SAML integration settings
    • Established federation trusts

  2. SAML Attribute Mapping
    • Mapped user attributes between AD and SAML claims
    • Configured name identifier format
    • Set up attribute-based authorization

System Architecture

graph TD
    AD[Active Directory] -->|User Sync| Entra[Microsoft Entra ID]
    Entra -->|SAML 2.0| ADFS[ADFS Federation]
    ADFS -->|SAML Assertions| RP[Rec Center 1]
    ADFS -->|SAML Assertions| SE[Rec Center 2]
    ADFS -->|SAML Assertions| SI[Rec Center 3]
    ADFS -->|SAML Assertions| PA[Rec Center 4]

    PS[PowerShell Scripts] -->|Group Management| AD
    WT[Playwright Tests] -->|Validation| RP
    WT -->|Validation| SE
    WT -->|Validation| SI
    WT -->|Validation| PA

User Acceptance Testing (UAT)

  1. Test Plan Development
    • Created comprehensive test scenarios
    • Defined success criteria
    • Established rollback procedures

  2. UAT Execution
    • Coordinated with recreation center staff
    • Validated authentication flows
    • Tested role-based access controls
    • Documented and resolved issues

  3. Playwright Automated Testing
    • Reproducible end-to-end SSO validation across environments.
    • Automated regression checks for login flows, attribute mapping, and RBAC.
    • Captures traces, screenshots, and video to speed debugging.
    • Reduces manual UAT effort and shortens release verification time.

Phase 4: Production Deployment

Change Management Process

  1. Service Request Preparation
    • Documented technical implementation details
    • Prepared risk assessment and mitigation strategies
    • Created deployment and rollback plans

  2. Change Advisory Board Approval
    • Presented business case and technical approach
    • Demonstrated successful training environment implementation
    • Obtained formal approval for production deployment

Production Deployment Strategy

  1. Phased Rollout Approach
    • Site-by-site deployment to minimize risk
    • Real-time monitoring and validation
    • Rapid issue resolution protocols

  2. Post-Deployment Validation
    • Authentication success rate monitoring
    • User experience validation
    • Performance metrics collection

Troubleshooting SSO Integration

Browser-Based SAML Response Analysis

Step 1: Capture SAML Response

  1. Open browser developer tools (F12)
  2. Navigate to Network tab
  3. Clear existing network traffic
  4. Initiate SSO login process
  5. Look for SAML POST requests in network log

Step 2: Extract and Decode SAML Data

  1. Right-click on SAML POST request
  2. Copy form data (SAMLResponse parameter)
  3. Use Base64 decoder to extract XML content
  4. Validate SAML assertion structure

Step 3: Verify Required Attributes

Ensure the following attributes are correctly mapped:

  • Last Name: sn or lastName
  • First Name: givenName or firstName
  • Email: mail or emailAddress
  • Profile/Role: role or memberOf
  • Location: department or physicalDeliveryOfficeName

Common Issues and Solutions

  • Missing Attributes: Check Entra ID attribute mapping configuration
  • Incorrect Values: Verify AD user profile data completeness
  • Certificate Errors: Validate SAML certificate trust chain
  • Time Sync Issues: Ensure IDP and SP system time synchronization
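Steps 2 and 3 and the time-sync check above, carried out in a script rather than by hand, as an added example that is not part of the original runbook: it base64-decodes a captured SAMLResponse, reports which of the listed attributes (or their alternatives) are present, and checks the assertion's NotBefore/NotOnOrAfter window against a UTC clock. The embedded response is a constructed, unsigned sample; signature and audience validation remain the service provider's job and are not reproduced here.

```powershell
# Added example, not part of the original runbook: decode a captured SAMLResponse and report the
# attributes and validity window listed above. No modules required.
# $SampleResponse is a constructed, unsigned sample; substitute the value copied from the
# browser's SAMLResponse form field (URL-decode it first if it was taken from a raw request body).
$SampleResponse = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(@'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2026-03-01T09:00:00Z" NotOnOrAfter="2026-03-01T09:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf"><saml:AttributeValue>SSO-RecCenter1-Prod-Staff</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@))

# Attribute names the runbook expects, each with its accepted alternative.
$Required = [ordered]@{
    'Last Name' = 'sn', 'lastName';       'First Name'   = 'givenName', 'firstName'
    'Email'     = 'mail', 'emailAddress'; 'Profile/Role' = 'role', 'memberOf'
    'Location'  = 'department', 'physicalDeliveryOfficeName'
}

function Test-SamlResponse([string]$Base64, [datetime]$Now = [datetime]::UtcNow) {
    [xml]$doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64))
    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    # Collect attribute name -> joined values from the assertion.
    $attrs = @{}
    foreach ($a in $doc.SelectNodes('//saml:Attribute', $ns)) {
        $attrs[$a.GetAttribute('Name')] = @($a.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object InnerText) -join ';'
    }
    $report = foreach ($label in $Required.Keys) {
        $hit = @($Required[$label] | Where-Object { $attrs.ContainsKey($_) })[0]
        [pscustomobject]@{ Check = $label; Status = if ($hit) { 'OK' } else { 'MISSING' }
            Detail = if ($hit) { "$hit = $($attrs[$hit])" } else { "none of: $($Required[$label] -join ', ')" } }
    }
    # A window failure with otherwise-correct attributes usually points at IdP/SP clock skew.
    $c = $doc.SelectSingleNode('//saml:Conditions', $ns)
    $utc = { [datetime]::Parse($args[0], [Globalization.CultureInfo]::InvariantCulture, 'AdjustToUniversal') }
    $nb = & $utc $c.GetAttribute('NotBefore'); $na = & $utc $c.GetAttribute('NotOnOrAfter')
    $report += [pscustomobject]@{ Check = 'Validity window'; Status = if ($Now -ge $nb -and $Now -lt $na) { 'OK' } else { 'FAIL' }
        Detail = "NotBefore $($nb.ToString('u')) <= now $($Now.ToString('u')) < NotOnOrAfter $($na.ToString('u'))" }
    return $report
}
Test-SamlResponse -Base64 $SampleResponse -Now (& { [datetime]::Parse('2026-03-01T09:02:00Z', [Globalization.CultureInfo]::InvariantCulture, 'AdjustToUniversal') }) | Format-Table -AutoSize
```

With the sample, Location is reported MISSING (neither department nor physicalDeliveryOfficeName is asserted) and the window check passes; drop the -Now argument to evaluate a real capture against the current clock.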

Key Success Factors

Technical Excellence

  • Comprehensive testing in training environment
  • Automated user provisioning processes
  • Robust error handling and logging
  • Scalable architecture design

Project Management

  • Detailed planning and risk assessment
  • Stakeholder engagement throughout the process
  • Clear communication channels
  • Change management compliance

Security Considerations

  • Principle of least privilege implementation
  • Multi-factor authentication enforcement
  • Regular security audits and compliance checks
  • Comprehensive logging and monitoring

Lessons Learned

Technical Insights

  1. Environment Isolation: Separate training and production environments prevent cross-contamination
  2. Automation Benefits: PowerShell scripts reduced manual errors and accelerated deployment
  3. Attribute Mapping: Careful SAML attribute configuration prevents authentication issues

Project Management Insights

  1. Stakeholder Communication: Early engagement prevents delays and ensures alignment
  2. Risk Mitigation: Starting with low-impact sites builds confidence and refines processes
  3. Documentation: Comprehensive documentation facilitates knowledge transfer and troubleshooting

Results and Impact

Quantitative Results

  • 4 recreation center sites successfully integrated with SSO
  • 8 environments (4 production + 4 training) deployed
  • 100% user authentication success rate in production
  • 50% reduction in login-related support tickets

Qualitative Benefits

  • Enhanced security posture with centralized authentication
  • Improved user experience with seamless login
  • Simplified user management through automated provisioning
  • Compliance with organizational security standards

Future Enhancements

Planned Improvements

  1. Multi-Factor Authentication (MFA): Implement conditional access policies
  2. Just-In-Time Access: Dynamic privilege escalation for administrative tasks
  3. Advanced Monitoring: Real-time security analytics and threat detection
  4. Mobile Optimization: Enhanced mobile authentication experience

Scalability Considerations

  • Architecture supports additional site integrations
  • Automated processes enable rapid deployment
  • Flexible attribute mapping accommodates diverse applications

Conclusion

This successful SSO implementation demonstrates the value of comprehensive planning, stakeholder collaboration, and technical excellence in enterprise security projects. The solution provides a secure, scalable foundation for authentication across multiple recreation center platforms while maintaining compliance with organizational security standards.

The project showcases expertise in Microsoft Entra ID, SAML integration, PowerShell automation, and enterprise change management—skills valuable for any organization seeking to modernize their authentication infrastructure.

Connect and Learn More

Interested in discussing enterprise SSO implementations or have questions about this project? Let's connect on LinkedIn to share insights and experiences in identity and access management.

#EnterpriseSSO #MicrosoftEntra #SAML #IdentityManagement #PowerShell #Cybersecurity