question

YoavCohen-8364 asked lvaroLanchoGonzlez-1966 answered

Sending SAML response to a different URL

Hello,

We are trying to establish SSO from Azure AD to an application, with a proxy in the middle. Assume the application URL is: example.app.com and the proxy URL is example.proxy.com. We would like Azure AD to send the SAML Response to example.proxy.net instead of sending it to example.app.com.

We were able to make this setup work in Okta, by setting the following values on our SAML 2.0 application:
Single sign on URL: https://example.proxy.net/login
Recipient URL: https://example.app.com/login
Destination URL: https://example.app.com/login
Audience URI (SP Entity ID): https://example.app.com/login

As you can see, we override the Single sign on URL with the proxy URL and then have to explicitly set the rest of the URL in order for the SAML assertion to be accepted by the application. In Okta, the description of the Single sign-on field says: The location where the SAML assertion is sent with a HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.

We are trying to recreate the same setup in Azure AD using an Enterprise Application but we can't find the equivalent field in Azure to Okta's Single sign-on in order for Azure to send the HTTP POST to our proxy. Can you help us find that field?

Thank you,
Yoav.

azure-ad-saml-sso

Hi, we are investigating your issue and will update you shortly!


Thank you so much, James. It is holding back a major customer engagement for us. Appreciate the help.

Yoav.


Hi, have you looked at this document? Check the settings shown here. You can edit them to fit!

Please let me know if this helps!

Best,
James


Hi, do you still require assistance? If not, please mark the answer as verified.

Thank you,
James

YoavCohen-8364 answered JamesHamil-MSFT commented

Hi James,

Regarding the "Single Sign-On with SAML" settings, the problem we have is that if we change the Reply URL from https://example.app.com/login to https://example.proxy.net/login, the following happens:
1. Azure AD sends the HTTP POST request to the proxy - this is what we wanted
2. The SAMLResponse XML in the HTTP POST is incorrect - the Audience, Recipient, and Destination URLs point to https://example.proxy.net/login instead of https://example.app.com/login and the application rightfully rejects that.

What we are looking to do is find a way to change the URL Azure AD sends the HTTP POST to without affecting the content of the SAMLResponse XML. In Okta, this is supported by changing the "Single sign on URL" field to point to the proxy and setting the Audience, Destination, and Recipient fields to point to the application.

I will look into more details on how the Application Proxy might assist here.

Is there any way to replicate what we have in Okta in Azure AD?

Thank you,
Yoav.

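The distinction Yoav draws above (the URL the browser POSTs to versus the Destination, Recipient and Audience values inside the SAMLResponse XML) is what the SP actually validates. The following is an added example, not code from the thread or from Okta or Azure AD: it builds a constructed, unsigned minimal Response and reports which of those three fields disagree with what the application expects, so you can see why changing Azure AD's Reply URL to the proxy makes the application reject the assertion while the Okta-style split does not.

```python
# Added example (not from the thread): checks the three URL fields inside a SAML
# Response that an SP validates, independently of the URL the browser POSTed to.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def saml_url_mismatches(response_xml, expected_acs, expected_audience):
    """Return (field, actual) pairs whose value differs from what the application
    (the SP) expects. The POST target is deliberately not checked: the SP only
    sees the XML, so a proxy in front of it is fine as long as these three
    values still name the application."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    checks = {
        "Response/@Destination": (root.get("Destination"), expected_acs),
        "SubjectConfirmationData/@Recipient": (
            assertion.find(".//saml:SubjectConfirmationData", NS).get("Recipient"),
            expected_acs),
        "AudienceRestriction/Audience": (
            assertion.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS),
            expected_audience),
    }
    return [(field, actual) for field, (actual, want) in checks.items() if actual != want]

def build_response(destination, recipient, audience):
    """Constructed, unsigned minimal Response for demonstration only."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" Destination="{destination}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

APP = "https://example.app.com/login"
PROXY = "https://example.proxy.net/login"
# Azure AD with the Reply URL changed to the proxy: all three fields follow it.
AZURE_PROXY_REPLY = build_response(PROXY, PROXY, PROXY)
# Okta-style: the POST goes to the proxy, but the XML still names the application.
OKTA_STYLE = build_response(APP, APP, APP)

if __name__ == "__main__":
    print(saml_url_mismatches(AZURE_PROXY_REPLY, APP, APP))  # three mismatches
    print(saml_url_mismatches(OKTA_STYLE, APP, APP))         # []
```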

Ah I see. Let me create an escalation request for you so we can replicate your issue.

Stay tuned,
James

YoavCohen-8364 answered JamesHamil-MSFT commented

Thank you, James. If needed, I can provide all the technical details, test environments, etc.

Yoav.


Hi Yoav, send me an email at AzCommunity@microsoft.com with subject: ATTN - James Hamil. Include your subscription ID and I can enable access to free customer support. Our escalation queue is large today and I want to fix this for you as fast as possible.

Best,
James

galmik-0351 answered galmik-0351 published

Hey - is there an answer to this question?
I am having the same issue here as well.

YoavCohen-8364 answered AlexSteer-4583 commented

While we have an open ticket with Microsoft on this, we ended up implementing a SAML proxy feature in our product. It works by presenting itself as the service provider to the IdP, and as the IdP to the application (in our case, Snowflake). The setup is more complex, as it requires another key pair to be generated and to change the application to trust the SAML proxy as an IdP, but it works well.


I have exactly the same requirement.

I'd like to tell the AzureAD Enterprise Application to ignore what the SP includes in the redirect to the IdP and instead to enforce the default 'Reply URL (Assertion Consumer Service URL)', always sending the user back to the AzureAD Administrator-defined Reply URL after successful authentication.

Currently, if there's a disagreement between what the SP thinks its own URL is and what the wider world sees it as, the user gets sent to a 'page cannot be displayed' page after successful authentication, thus the non-default Reply URL option cannot be removed. As YoavCohen-8364 accurately described, removing it also means the Enterprise Application sees the attempt as a 'miss'.

The obvious solution would be an 'enforce default' button to ensure that the enterprise application always returns the administrator defined Reply URL.

Thanks

lvaroLanchoGonzlez-1966 answered

Hi,

We have the same problem with a QRadar instance behind Application Gateway and Azure AD single sign-on.

Any solution to fix the problem?
