Azure Enterprise application SAML SSO for additional access url in an existed web application

Question

Azure Enterprise application SAML SSO for additional access url in an existed web application

Eric Chen 96

We're using Azure Enterprise application of azure AD that configured SAML SSO to access a web application that built in separate tenant. If we want to add additional access url for mobile access, Like: the current URL(for PC):

http://example.net the additional access(for Mobile): http://example.net/**mobile** the below URL configured in SSO would be the same, as the above page share same authentication at the backend.

    Reply URL (Assertion Consumer Service URL)

    Sign on URL

    Logout Url (Optional)

However,

    **Relay State (Optional)  is supposed to be different.**

Do we need to create a new enterprise application for this mobile SSO? or add a new SAML SSO in the current enterprise application? SSO-Question

Liston Dickerson 0 Reputation points

2025-04-10T14:31:08.94+00:00

Old thread but this may be helpful to someone looking for a solution.

I set up an Enterprise Application and configured SAML, leaving the Relay State blank. Copy the User Access URL from the properties page and save for later.

For each Relay State URL, I created an additional Enterprise Application. Under Single Sign-On, I selected Linked, pasted the User Access URL into the Sign On URL field and appended &RelayState=<RELAYSTATEURL>. The Relay State URL needs to be encoded, otherwise you receive a URL error.

The full URL should look similar to this if the relay state URL is https://app.relaystate.com:

https://myapps.microsoft.com/signin/<APPID>?tenantId=<TENANTID>&RelayState=https%3A%2F%2Fapp.relaystate.com

The original EA with the SAML configuration should be set to NO for Visible to users.

If you are assigning different users/groups to the linked applications, all assigned users to each of the applications need to be assigned to the original EA with the SAML config.

1 answer

Your answer

Liston Dickerson 0 Reputation points

2025-04-10T14:31:08.94+00:00

Old thread but this may be helpful to someone looking for a solution.

I set up an Enterprise Application and configured SAML, leaving the Relay State blank. Copy the User Access URL from the properties page and save for later.

For each Relay State URL, I created an additional Enterprise Application. Under Single Sign-On, I selected Linked, pasted the User Access URL into the Sign On URL field and appended &RelayState=<RELAYSTATEURL>. The Relay State URL needs to be encoded, otherwise you receive a URL error.

The full URL should look similar to this if the relay state URL is https://app.relaystate.com:

https://myapps.microsoft.com/signin/<APPID>?tenantId=<TENANTID>&RelayState=https%3A%2F%2Fapp.relaystate.com

The original EA with the SAML configuration should be set to NO for Visible to users.

If you are assigning different users/groups to the linked applications, all assigned users to each of the applications need to be assigned to the original EA with the SAML config.

Answer 1

@Anonymous ,

To know how best to handle your scenario, it would be helpful if you could clarify what your goal is with the additional URL and if you are trying to use SP-initiated SSO or IDP-initiated SSO.

If you want to add multiple relay state URLs the app needs to be set up for SP-initiated SSO and the Relay State value in set in the Azure portal only takes effect when using IDP-initiated SSO flow. Since SAML only provides browser-based SSO and isn't supported for mobile apps, a second URL shouldn't be required since everything would happen in the browser (unless there's a particular reason you would want to redirect users to a different spot).

In order to add multiple (dynamic) RelayState URLs, your application needs to be set up to use SP-initiated SSO. The app needs to send the RelayState as a parameter in the SAML request so that Azure AD will return the same information in the SAML response.

User's image

See Enable single sign-on with SAML for more details.

Since the RelayState is optional, if you just want to redirect the user after sign-in from the Azure side, you can add multiple reply URLs. To do this, you can go to the Single sign-on section and add the URL as a reply URL in the Reply URL (Assertion Consumer Service URL) field.

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso

Let me know if you have further questions.

If the information helped you, please Accept the answer. This will help us as well as others in the community who have similar questions.

Share via

Azure Enterprise application SAML SSO for additional access url in an existed web application

1 answer

Your answer