Question

RT-7199 asked, RT-7199 answered

Why is the Enterprise Application using ADFS?

We have federated Azure AD and are using PHS. I added the Cloudflare enterprise application, but when we log in to that app the user is redirected to on-prem ADFS. Should a user not get authenticated directly in Azure without being redirected to ADFS for an application registered in Azure? I can see the sign-in attempts under the enterprise application though.

Tags: azure-active-directory, adfs, azure-ad-app-registration

JaiVerma-7010 answered (1 vote), RT-7199 edited

What is the username the user types? Is that domain still federated? For example, if the user name is jai@contoso.com and contoso.com is still federated, this could be one reason the user gets redirected to ADFS.

Run the command Get-MSOLFederationProperty and see if the domain still shows as federated.


@JaiVerma-7010 User type is member, and the domain is federated. If the authentication request still has to reach the on-prem ADFS server after registering the application in Azure, how are we supposed to migrate applications one by one and use Azure AD as the IdP?

The only option I can think of is adding users to the group under this option:

[screenshot: untitled.png]

Name                           Status    Authentication
contoso1.mail.onmicrosoft.com  Verified  Managed
contoso1.onmicrosoft.com       Verified  Managed
aab.contoso.com                Verified  Federated
abc.contoso.com                Verified  Federated
contoso.com                    Verified  Federated
sdf.contoso.com                Verified  Federated
edc.contoso.com                Verified  Federated
qwe.contoso.com                Verified  Federated
qsc.contoso.com                Verified  Federated
qs.contoso.com                 Verified  Federated

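The check JaiVerma-7010 suggests, worked through as an added example (not code from the thread): list the tenant's domains with their authentication type, then test whether a given sign-in name falls on a federated domain, which is what sends the credential prompt to ADFS no matter which application started the sign-in. It assumes the MSOnline module is installed and Connect-MsolService has already been run for the live functions; the sample domain list is constructed from the table above so the check also runs offline.

```powershell
# Added example, not from the thread. Requires the MSOnline module and an
# existing Connect-MsolService session for the live-tenant calls.

function Get-TenantDomainAuthentication {
    # Same columns as the portal's custom domain names blade.
    Get-MsolDomain | Select-Object Name, Status, Authentication
}

function Test-UpnFederated {
    param(
        [Parameter(Mandatory)] [string]   $Upn,
        # Output of Get-TenantDomainAuthentication, or any objects with
        # Name/Authentication properties (the constructed sample below).
        [Parameter(Mandatory)] [object[]] $Domains
    )
    $suffix = $Upn.Split('@')[-1]
    $match  = $Domains | Where-Object { $_.Name -eq $suffix } | Select-Object -First 1
    if (-not $match) {
        return [pscustomobject]@{ Upn = $Upn; Domain = $suffix; Authentication = 'NotVerified'; RedirectsToAdfs = $null }
    }
    [pscustomobject]@{
        Upn             = $Upn
        Domain          = $suffix
        Authentication  = $match.Authentication
        # On a federated domain Azure AD hands the password prompt to the
        # federation service (ADFS); app registration alone does not change that.
        RedirectsToAdfs = ($match.Authentication -eq 'Federated')
    }
}

# Constructed sample mirroring the domain table posted above, for an offline run.
$sampleDomains = @(
    [pscustomobject]@{ Name = 'contoso1.onmicrosoft.com'; Status = 'Verified'; Authentication = 'Managed' }
    [pscustomobject]@{ Name = 'contoso.com';              Status = 'Verified'; Authentication = 'Federated' }
    [pscustomobject]@{ Name = 'abc.contoso.com';          Status = 'Verified'; Authentication = 'Federated' }
)

Test-UpnFederated -Upn 'jai@contoso.com'              -Domains $sampleDomains   # RedirectsToAdfs: True
Test-UpnFederated -Upn 'svc@contoso1.onmicrosoft.com' -Domains $sampleDomains   # RedirectsToAdfs: False

# Against the live tenant (uncomment after Connect-MsolService):
# $live = Get-TenantDomainAuthentication
# $live | Format-Table
# Test-UpnFederated -Upn 'user@contoso.com' -Domains $live
# Get-MsolFederationProperty -DomainName 'contoso.com'   # federation service details for that domain
```

The point of the helper is that the decision is made per sign-in name suffix, not per application: a user on contoso.com is redirected even when the enterprise application is configured entirely in Azure AD, while a user on the managed onmicrosoft.com domain is not.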
piaudonn answered, RT-7199 commented

It is possible for an application to force a fresh authentication. In that case, that auth flow would go back all the way to ADFS.
Could you capture a Fiddler trace during one of these redirections?


@piaudonn here is the Fiddler trace. I am not sure what I need to specifically check. This test account is part of the SSPR-enabled group but has not registered authentication methods, which is why you will see mysign URLs, as after authentication Azure AD asks for more information.

[screenshot: fiddler.png]

Need the query strings (URL parameters).

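What to look for in those query strings, as an added example that is not part of the thread: the SAML HTTP-Redirect binding carries the service provider's request as a deflated, base64-encoded SAMLRequest parameter, and the attribute that asks for a fresh login is ForceAuthn="true" on the AuthnRequest; on a WS-Federation hop the equivalent freshness hint is the wfresh parameter. The script below decodes such a parameter and reports those hints. The sample AuthnRequest, the sp.example.test issuer and the tenant id in the URL are constructed placeholders; the Azure AD and ADFS endpoint shapes are the standard ones.

```powershell
# Added example, not from the thread. Decodes a SAMLRequest redirect parameter
# and reports the freshness hints that would explain a forced trip to ADFS.

function ConvertTo-RedirectSamlRequest {
    param([Parameter(Mandatory)] [string] $Xml)
    # HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode.
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Xml)
    $ms = New-Object System.IO.MemoryStream
    $ds = New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Compress, $true)
    $ds.Write($bytes, 0, $bytes.Length)
    $ds.Dispose()
    [System.Uri]::EscapeDataString([Convert]::ToBase64String($ms.ToArray()))
}

function ConvertFrom-RedirectSamlRequest {
    param([Parameter(Mandatory)] [string] $Encoded)
    $raw = [Convert]::FromBase64String([System.Uri]::UnescapeDataString($Encoded))
    $in  = New-Object System.IO.MemoryStream(,$raw)
    $ds  = New-Object System.IO.Compression.DeflateStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $out = New-Object System.IO.MemoryStream
    $ds.CopyTo($out)
    $ds.Dispose()
    [System.Text.Encoding]::UTF8.GetString($out.ToArray())
}

function Get-RedirectAuthHints {
    param([Parameter(Mandatory)] [string] $Url)
    # Minimal query-string parse so the script has no dependency on System.Web.
    $query = @{}
    foreach ($pair in ([uri]$Url).Query.TrimStart('?').Split('&')) {
        if ($pair -eq '') { continue }
        $kv = $pair.Split('=', 2)
        $query[$kv[0]] = if ($kv.Count -gt 1) { $kv[1] } else { '' }
    }
    $result = [ordered]@{ Host = ([uri]$Url).Host; Issuer = $null; ForceAuthn = $null; WsFedFresh = $null }
    if ($query.ContainsKey('SAMLRequest')) {
        $doc = [xml](ConvertFrom-RedirectSamlRequest $query['SAMLRequest'])
        $result.Issuer     = $doc.AuthnRequest.Issuer
        # ForceAuthn="true" tells the IdP to ignore the existing session and re-prompt.
        $result.ForceAuthn = ($doc.DocumentElement.GetAttribute('ForceAuthn') -eq 'true')
    }
    if ($query.ContainsKey('wfresh')) {
        # WS-Federation: wfresh=0 requests a fresh login on that hop.
        $result.WsFedFresh = $query['wfresh']
    }
    [pscustomobject]$result
}

# Constructed sample: an SP request that forces re-authentication, wrapped in the
# Azure AD SAML endpoint URL (tenant id is a placeholder).
$sampleRequest = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" IssueInstant="2021-09-01T12:00:00Z" ForceAuthn="true" AssertionConsumerServiceURL="https://sp.example.test/acs"><saml:Issuer>https://sp.example.test</saml:Issuer></samlp:AuthnRequest>'
$sampleUrl = 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2?SAMLRequest=' + (ConvertTo-RedirectSamlRequest $sampleRequest)
Get-RedirectAuthHints -Url $sampleUrl          # ForceAuthn: True

# Constructed sample of the later WS-Federation hop to the federation service.
Get-RedirectAuthHints -Url 'https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wfresh=0'   # WsFedFresh: 0
```

Run Get-RedirectAuthHints over each 302 Location from the Fiddler capture in order; a ForceAuthn of True on the request into Azure AD, or wfresh=0 on the hop to ADFS, is the evidence piaudonn is asking for. A request with neither hint that still ends at ADFS points back at the domain's federation state rather than at the application.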
MrSbaa answered, MrSbaa commented

It depends, of course, on who your identity provider is with this new enterprise application. Contact the owner of the application and verify the SAML settings. It might be pointing to ADFS instead of Azure AD. And also, if your domain is federated and you have enabled password hash sync, the password hash sync will not be used until you convert the domain to a standard domain or use Azure AD staged roll-out.


@MrSbaa So Salesforce is configured to use single sign-on, and the login happens after we click the Azure tab at the login screen, which redirects to the Microsoft login page customized with our logo; after entering the UPN/email there it redirects to on-prem ADFS.

Below is how single sign-on is configured on the Salesforce end.

[screenshots: image.png (4 images)]

So if I understand you correctly, I have 3 options:
- either we migrate all our apps at once to Azure and disable federation, which seems impossible, and many apps as per the migration report need additional steps;
- migrate them one by one with the same result as we see today until all the apps are migrated, and then disable federation at the end;
- or use staged roll-out and still convert apps one by one, but this time with no redirection to ADFS, and then disable federation at the end.

I can confirm the last option works, as my own account is part of staged roll-out but the test account is not. And I was expecting that with an enterprise app we would not need staged roll-out.
I don't know if federation/ADFS has its uses after migration, as that is not my area of expertise, but still it would be good to know.


You understand it correctly now.

Microsoft recommends moving away from ADFS and using PHS or PTA. I would say stick to staged roll-out and migrate your apps one by one for a smooth transition. Once you have no apps linked to ADFS any more, you can convert your domain from federated to standard and decommission ADFS. Keep in mind that if you are not using AAD staged roll-out, password hash sync will only be used as a fallback, and any user authenticating will always go to ADFS first because your domain is federated.

RT-7199 answered

@piaudonn thanks for editing the screenshot. Here is the screenshot from Claims X-Ray. But I made a change before I tested this, even for Salesforce: I removed the test account from the group included under password reset, and I don't see the redirection to on-prem ADFS happening any more. So does that mean that because the test account is part of this group it is being forced to reauthenticate?

[screenshot: image.png]

Also I see we have a group with a few users under password hash sync for staged roll-out, but there is none under single sign-on.

[screenshot: image.png]
