(MS Azure SAML) Which IP/FQDN should be allowed on the firewall?

Sungsu Lee 1 Reputation point
2022-09-16T11:33:09.9+00:00

Which IP/FQDN should be allowed on the firewall to authenticate users with SAML (SSO) in a closed network?

Should I allow only the address below in the firewall?

login.microsoftonline.com

My firewall does not support an asterisk (*) in FQDNs, e.g. *.microsoftonline.com


1 answer

  1. Dillon Silzer 54,286 Reputation points
    2022-09-17T21:30:25.423+00:00

    Hi @Sungsu Lee

    See the following post for a similar question (Answered by JamesTran-MSFT):

    https://learn.microsoft.com/en-us/answers/questions/306128/azure-sso-minimum-firewall-rules-required.html

    When it comes to the SAML IPs/URLs, I was able to find a few more by looking at a Sample SAML Token:

    https://sts.windows.net
    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
    http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
    http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey

    Additional Link:
    Single Sign-On SAML protocol

    Hopefully this helps you.

    -----------------------------------

    If this is helpful, please accept the answer.

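As an added example (my own code, not part of the answer above or any Microsoft documentation): the URIs inside a SAML assertion such as the oasis-open token-profile and WS-Trust URIs are XML identifiers, not hosts the browser ever connects to, whereas the hostnames in the IdP's federation metadata (the issuer entityID and the SingleSignOnService/SingleLogoutService Locations) are the ones an allow-list without wildcard support has to carry one by one. The script parses a constructed metadata document laid out like an Entra ID one (the tenant ID is an all-zeros placeholder) and separates endpoint hosts from identifier-only URIs.

```python
# Added example: derive firewall allow-list hostnames from SAML IdP metadata.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Constructed sample, laid out like Entra ID federation metadata; the tenant
# ID is an all-zeros placeholder, not a real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# URIs of the kind found inside an assertion (constructed); only some are hosts.
TOKEN_URIS = [
    "https://sts.windows.net/" + TENANT + "/",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
    "http://schemas.xmlsoap.org/ws/2005/02/trust/Issue",
]

def endpoint_hosts(metadata_xml: str) -> set[str]:
    """Hostnames of the issuer (entityID) and every SSO/SLO endpoint Location."""
    root = ET.fromstring(metadata_xml)
    urls = [root.get("entityID", "")]
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for el in root.iter(f"{{{MD_NS}}}{tag}"):
            urls.append(el.get("Location", ""))
    hosts = set()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.add(parts.hostname)  # explicit FQDN, never a wildcard
    return hosts

def classify_token_uris(uris, hosts: set[str]) -> dict[str, bool]:
    """True when a URI's host is a metadata endpoint; False for identifier-only URIs."""
    return {u: urlsplit(u).hostname in hosts for u in uris}

if __name__ == "__main__":
    allow = endpoint_hosts(SAMPLE_METADATA)
    for host in sorted(allow): print(host)  # one explicit FQDN per firewall rule
    for uri, needed in classify_token_uris(TOKEN_URIS, allow).items():
        print(f"{'endpoint' if needed else 'identifier'}: {uri}")
```

Run it against the metadata actually published by your own tenant to see which hosts appear there; the constructed sample only shows the document shape.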