Why does “signInAudience”: “AzureADMultipleOrgs” cause 'The URI scheme is invalid or unsupported'

Said Rahmani 6

I am getting an error when trying to switch the Supported account types to: Accounts in any organizational directory (Any Azure AD directory - Multitenant)

I am using as IdentifierUris the amazon cognito urn:amazon:cognito:sp:XXXXXXXXXXX

alt text

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-01-15T17:47:12.343+00:00

@Said Rahmani , Are you trying to specify "urn:amazon:cognito:sp:XXXXXXXX" under the reply URL option present under "Azure AD > App Registration > App-Name > Authentication > Reply URL Section" and then selecting the radio button to toggle from single tenant to multitenant?

Or you have specified the IdentifierURI as "urn:amazon:cognito:sp:XXXXXXXXX" under "Enterprise applications - All applications >> Categories >> Add an application >> {App Name} - Single sign-on >>SAML-based Sign-on " and then just while trying to toggle from SingleTenant to MultiTenant is throwing that error?

Reason, I ask is if its the second case that I mentioned, I was able to repro the same in lab and got the same error you mentioned. According to this I believe this is a bug and I have reported the same to the backend team. But I believe the main issue is not able to toggle from singleTenant to multiTenant using the available Radio button under the App Registration section.
soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-01-17T05:22:35.13+00:00

@Said Rahmani , Just wanted to followup if you got a chance to check on the previous response. As your answers would really help us with the further investigation that is on-going in the backend.
Said Rahmani 6 Reputation points

2020-01-17T14:09:59.593+00:00

@soumi-MSFT ,thanks for your reply, sorry i was busy in the previous days,

so, I have specified the IdentifierURI IdentifierURI as "urn:amazon:cognito:sp:XXXXXXXXX" in the manifest of the app, and when i try to toggle from singleTenant to multiTenant i got error
soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-01-19T12:34:34.563+00:00

@Said Rahmani , Thank you for sharing the update. Similar issue I also faced while trying to achieve the same in my lab and hence working further on this to figure out the reason.
Stay tuned on this, will get back with some more updates shortly.

2 answers

FrankHu-MSFT 976 Reputation points

2020-01-21T18:13:59.923+00:00

Hello,
The reason you're getting this error is because for multi-tenant AAD Application Registrations, with a multi-tenant app, the App ID URI has to be in a verified domain in your Azure AD and globally unique.

Reference document for more details: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant.

Azure AD supports SAML protocol and it looks like you've done this already but just for extra reference see the info below.

The application you register in App registration is usually used for OAuth/OpenID Connect protocol.

To integrate SAML in Azure AD, please refer to this document: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-non-gallery-app and register a non-gallery application in Enterprise applications.

Go to Azure portal > Azure Active Directory > Enterprise applications > New application > Non-gallery applications. Please kindly note this requires Azure AD Premium license.

And follow this link: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications to configure SAML authentication. Then I believe you could access your system(cognito) with Azure AD accounts using SAML.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Rahat 1 Reputation point

2020-01-21T18:33:47.803+00:00

Thank you for sharing the update. Similar issue
Please sign in to rate this answer.

0 comments No comments
Sign in to comment