Asked by ADMINPARKERJordan-3345; JamesTran-MSFT commented

Azure SSO - Minimum firewall rules required?

Hello,

I have an isolated network with no internet access that presently authenticates to resources they need via AD FS. We're in the process of migrating all of our SSO relationships to Azure AD, and so I need to provide the minimum level of internet access required for this network to reach Azure's SAML authentication services in order to migrate.

I'm able to permit this access via URLs or IP ranges, but just can't figure out what they should be. All of the documentation I've managed to find lists all of the URLs and IPs required for full O365/Azure access, but I haven't found any that speak to just the SAML authentication services.

In packet captures I can see that the following are used:

I'd rather not gamble that Microsoft won't add any new domains to that list though, and would prefer to make this exception based on official documentation, if available.

Does anyone know if such a list of IPs/URLs exists?



azure-ad-saml-sso

@ADMINPARKERJordan-3345
Thank you for your post and I apologize for the delayed response!

When it comes to the SAML IPs/URLs, I was able to find a few more by looking at a Sample SAML Token:

https://sts.windows.net
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey

Additional Link:
Single Sign-On SAML protocol


I hope this helps! If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

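The comment above builds its list by reading URLs out of a sample SAML token. A caveat worth checking before turning such a list into firewall rules: a token carries two kinds of URI, the ones that name a host a client actually connects to (the Issuer, the Response's Destination, the SubjectConfirmationData Recipient) and the ones that are only identifiers (XML namespace URIs, claim-type names, confirmation-method URNs, the audience's entity ID), which nothing ever fetches over the network. The following Python is an added example, not code from the thread or from Microsoft; it parses a constructed token (the tenant ID is an all-zero placeholder and `app.example.test` is a made-up service provider) and sorts its URIs into the two groups, then compares the hosts it found against a constructed list of hostnames seen in a packet capture so the hosts the token does not explain stand out.

```python
"""Sort the URIs in a SAML 2.0 token into network endpoints and bare identifiers.

Added example for the Azure AD SAML firewall question; the token below is
constructed, not a real Azure AD token.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample token. The tenant ID is an all-zero placeholder and the
# service-provider host (app.example.test) is invented for the example.
SAMPLE_SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://app.example.test/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.example.test/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.test</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>user@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ns_uri(tag):
    """Return the namespace URI from ElementTree's '{uri}local' tag form."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def classify_token_uris(xml_text):
    """Return {'endpoint_hosts': set, 'identifier_uris': set} for one token.

    endpoint_hosts: hostnames from Issuer, Destination and Recipient, i.e.
    places a browser or relying party actually connects to.
    identifier_uris: namespace URIs, claim-type names, confirmation methods
    and the audience entity ID, which are labels only and are never fetched.
    """
    # For tokens received from an untrusted party, parse with defusedxml
    # rather than the stdlib parser to avoid entity-expansion attacks.
    root = ET.fromstring(xml_text)
    endpoint_hosts = set()
    identifier_uris = set()
    for elem in root.iter():
        identifier_uris.add(_ns_uri(elem.tag))
        local = elem.tag.split("}", 1)[-1]
        if local == "Issuer" and elem.text:
            endpoint_hosts.add(urlparse(elem.text.strip()).hostname)
        for attr in ("Destination", "Recipient"):
            if attr in elem.attrib:
                endpoint_hosts.add(urlparse(elem.attrib[attr]).hostname)
        if local == "Attribute" and "Name" in elem.attrib:
            identifier_uris.add(elem.attrib["Name"])
        if local == "SubjectConfirmation" and "Method" in elem.attrib:
            identifier_uris.add(elem.attrib["Method"])
        if local == "Audience" and elem.text:
            # Entity IDs look like URLs but are identifiers, not endpoints.
            identifier_uris.add(elem.text.strip())
    identifier_uris.discard("")
    endpoint_hosts.discard(None)
    return {"endpoint_hosts": endpoint_hosts, "identifier_uris": identifier_uris}


def unexplained_hosts(observed_hosts, token_hosts):
    """Hostnames seen on the wire that the token's own fields do not account for.

    These are the ones a rule set built only from the token would miss.
    """
    return sorted(set(observed_hosts) - set(token_hosts))


if __name__ == "__main__":
    result = classify_token_uris(SAMPLE_SAML_RESPONSE)
    print("endpoint hosts:", sorted(result["endpoint_hosts"]))
    print("identifier URIs (not endpoints):", sorted(result["identifier_uris"]))
    # Constructed capture list: one host the token explains, one it does not.
    seen_in_capture = ["sts.windows.net", "cdn.example.test"]
    print("seen but not explained by the token:",
          unexplained_hosts(seen_in_capture, result["endpoint_hosts"]))
```

The point of the second group is that `schemas.xmlsoap.org` and `docs.oasis-open.org` appear inside tokens as namespace and claim-type names, so they will show up when reading a token but will not show up in a packet capture; conversely, hosts that do appear in a capture but are absent from the token (sign-in pages, scripts, metadata) are exactly the ones an allow-list derived only from tokens would leave out, which is why the original poster's preference for an official endpoint list is the right instinct.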

@ADMINPARKERJordan-3345
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
