This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 4%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYC%3C/text%3E%3C/svg%3E)
Hello,
We are trying to establish SSO from Azure AD to an application, with a proxy in the middle. Assume the application URL is: example.app.com and the proxy URL is example.proxy.com. We would like Azure AD to send the SAML Response to example.proxy.net instead of sending it to example.app.com.
We were able to make this setup work in Okta, by setting the following values on our SAML 2.0 application:
Single sign on URL: https://example.proxy.net/login
Recipient URL: https://example.app.com/login
Destination URL: https://example.app.com/login
Audience URI (SP Entity ID): https://example.app.com/login
As you can see, we override the Single sign on URL with the proxy URL and then have to explicitly set the rest of the URL in order for the SAML assertion to be accepted by the application. In Okta, the description of the Single sign-on field says: The location where the SAML assertion is sent with a HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.
We are trying to recreate the same setup in Azure AD using an Enterprise Application but we can't find the equivalent field in Azure to Okta's Single sign-on in order for Azure to send the HTTP POST to our proxy. Can you help us find that field?
Thank you,
Yoav.
Hi, we are investigating your issue and will update you shortly!
Thank you so much, James. It is holding back a major customer engagement for us. Appreciate the help.
Yoav.
Hi, have you looked at this document? Check the setting shown here. You can edit them to your fit! 
Please let me know if this helps!
Best,
James
Hi, do you still require assistance? If not, please mark the answer as verified.
Thank you,
James
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 55.00000000000001%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Hey - is there an answer to this question?
I am having the same issue here as well.
Hi James,
Regarding the "Single Sign-On with SAML" settings, the problem we have is that if we change the Reply URL from https://example.app.com/login to https://example.proxy.net/login, the following happens:
What we are looking to do is find a way to change the URL Azure AD sends the HTTP POST to without affecting the content of the SAMLResponse XML. In Okta, this is supported by changing the "Single sign on URL" field to point to the proxy and setting the Audience, Destination, and Recipient fields to point to the application.
I will look into more details on how the Application Proxy might assist here.
Is there anyway to replicate what we have in Okta to Azure AD?
Thank you,
Yoav.
Ah I see. Let me create an escalation request for you so we can replicate your issue.
Stay tuned,
James
Thank you, James. If needed, I can provide all the technical details, test environments, etc.
Yoav.
Hi Yoav, send me an email at AzCommunity@microsoft.com with subject: ATTN - James Hamil. Include your subscription ID and I can enable access to free customer support. Our escalation queue is large today and I want to fix this for you as fast as possible.
Best,
James
While we have an open ticket with Microsoft on this, we ended up implementing a SAML proxy feature in our product. It works by presenting itself as the service provider to the IdP, and as the IdP to the application (in our case, Snowflake). The setup is more complex, as it requires another key pair to be generated and to change the application to trust the SAML proxy as an IdP, but it works well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 63%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
I have exactly the same requirement.
I'd like to tell the AzureAD Enterprise Application to ignore what the SP includes in the redirect to the IdP and instead to enforce the default 'Reply URL (Assertion Consumer Service URL), always sending the user back to the AzueAD Administrator defined Reply URL after successful authentication.
Currently if there's a disagreement between what the SP thinks it's own URL and what the wider world sees it as, the user gets sent to a 'page cannot be displayed' page after successful authentication, thus the non default Reply URL option cannot be removed. As the YoavCohen-8364 accurately described, removing it also means the Enterprise Application sees the attempt as a 'miss'
![107169-screenshot.png][1]
The obvious solution would be an 'enforce default' button to ensure that the enterprise application always returns the administrator defined Reply URL.
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 44%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hi,
We have the same problem with a QRadar instance behind Application Gateway and Azure AD single sign-on.
Any solution to fix the problem?