1. Choose the certificate for Snow License Manager

Decide whether you’ll use the existing SSL certificate installed on your Snow License Manager server or create a new one.

• If your environment already uses HTTPS for Snow License Manager, use the existing SSL certificate.
• If Snow License Manager isn’t configured with HTTPS, create a new certificate before proceeding.

The following steps can be used if you’re using the existing Snow License Manager certificate.

2. Configure Snow as a service provider

In the Snow License Manager configuration, set the following values:

<ServiceProvider 

   Name="https://snowwebaddress"

   AssertionConsumerServiceURL="https://snowwebaddress/federatedsecurity/saml/signin"

   LocalCertificateThumbprint="INSERT_SSL_CERTIFICATE_HASH_HERE">

•  Name → your Snow License Manager web URL
• AssertionConsumerServiceURL → Snow License Manager URL followed by /federatedsecurity/saml/signin
• LocalCertificateThumbprint → the certificate’s thumbprint

3. Update private key permissions

1. Open MMC and load the Certificates snap-in.
2. Right‑click the SSL certificate and select Manage private keys.
3. Grant Read permission to Network Service.

4. Create an enterprise application in Azure AD

1. In Azure AD, create a new enterprise application.
2. Go to Single sign-on.
3. Select SAML.

5. Enter the SAML identifiers

Populate the following Azure AD fields:

• Entity ID → matches the Snow License Manager ServiceProvider name
• Reply URL (Assertion Consumer Service URL) →
  https://snowwebaddress/federatedsecurity/saml/signin

Example:
https://snowlm/federatedsecurity/saml/signin

6. Upload the Snow License Manager certificate to Azure AD

Upload the certificate you identified earlier to the SAML Certificates section in Azure SSO.

7. Add identity provider settings in Snow

Use the values Azure AD provides at the bottom of the SSO configuration page:

Profile Name="INSERT_PROFILE_NAME_FROM_AZURE"

SignLogoutRequest="false"

WantSAMLResponseSigned="false"

WantAssertionSigned="true"

WantLogoutResponseSigned="false"

UseEmbeddedCertificate="true"

SignatureMethod="http://www.w3.org/2000/09/xmldsig#rsa-sha1"

SingleSignOnServiceUrl="VALUE_FROM_AZURE"

SingleLogoutServiceUrl="VALUE_FROM_AZURE"

PartnerCertificateFile="certificate\SnowSSO.cer"

• • Profile Name → starts with https://sts.windows.net/
  • SingleSignOnServiceUrl and SingleLogoutServiceUrl → both start with https://login.microsoftonline.com
  • PartnerCertificateFile → export the Azure AD certificate as Base64 (.cer) and store it in your Snow License Manager web folder
    • Example: certificate\SnowSSO.cer

8. Verify user access in Snow License Manager MACC

Ensure every user who needs to sign in is added in Snow MACC.

• Use the exact username format Azure AD sends in the SAML assertion.
• If the username doesn’t match, users may authenticate successfully but still receive an access‑denied message.

After completing these steps, users can authenticate to Snow License Manager using Azure AD SSO. Azure handles the identity verification, and Snow License Manager grants access based on matching user accounts.

Federated authentication with SAML