Azure Enterprise application SAML SSO for additional access url in an existed web application

Eric Chen 96 Reputation points
2023-04-25T02:54:15.2266667+00:00

We're using an Azure Enterprise application in Azure AD that is configured for SAML SSO to access a web application built in a separate tenant. We want to add an additional access URL for mobile access. For example, the current URL (for PC) is:

http://example.net and the additional access URL (for mobile) would be http://example.net/**mobile**. The URLs below, configured in SSO, would be the same, as the above pages share the same authentication at the backend:

- Reply URL (Assertion Consumer Service URL)
- Sign on URL
- Logout Url (Optional)

However,

- **Relay State (Optional) is supposed to be different.**

Do we need to create a new enterprise application for this mobile SSO, or add a new SAML SSO in the current enterprise application?


1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-04-28T22:27:06.6166667+00:00

    @Anonymous,

    To know how best to handle your scenario, it would be helpful if you could clarify what your goal is with the additional URL and if you are trying to use SP-initiated SSO or IDP-initiated SSO.

    If you want to add multiple relay state URLs, the app needs to be set up for SP-initiated SSO, and the Relay State value set in the Azure portal only takes effect when using the IDP-initiated SSO flow. Since SAML only provides browser-based SSO and isn't supported for mobile apps, a second URL shouldn't be required since everything would happen in the browser (unless there's a particular reason you would want to redirect users to a different spot).

    In order to add multiple (dynamic) RelayState URLs, your application needs to be set up to use SP-initiated SSO. The app needs to send the RelayState as a parameter in the SAML request so that Azure AD will return the same information in the SAML response.


    See Enable single sign-on with SAML for more details.

    Since the RelayState is optional, if you just want to redirect the user after sign-in from the Azure side, you can add multiple reply URLs. To do this, you can go to the Single sign-on section and add the URL as a reply URL in the Reply URL (Assertion Consumer Service URL) field.

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso

    Let me know if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who have similar questions.

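The SP-initiated flow the answer describes, as an added example that is not part of the original thread or of any Microsoft code: the SP deflates and base64-encodes an AuthnRequest, attaches a RelayState naming the PC or mobile page, and the ACS only redirects to RelayState values on an allowlist after the response has been validated. The entity id, ACS path, tenant id and landing paths are assumed placeholders.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for illustration; the tenant id is a placeholder.
SP_ENTITY_ID = "http://example.net"
ACS_URL = "http://example.net/saml/acs"
IDP_SSO_URL = "https://login.microsoftonline.com/<TENANT-ID>/saml2"
# One ACS URL serves both pages; only the RelayState differs. Allowlist the targets.
ALLOWED_RELAY_STATES = {"/", "/mobile"}
DEFAULT_LANDING = "/"

def build_authn_request(request_id, issue_instant):
    """Minimal unsigned SAML 2.0 AuthnRequest for the HTTP-Redirect binding."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )

def sp_initiated_login_url(relay_state):
    """SP side: deflate + base64 the AuthnRequest and attach the RelayState."""
    if relay_state not in ALLOWED_RELAY_STATES:
        relay_state = DEFAULT_LANDING  # unknown target: fall back, never echo it
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = build_authn_request(request_id, issue_instant).encode()
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    deflated = deflater.compress(xml) + deflater.flush()
    saml_request = base64.b64encode(deflated).decode()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})

def decode_saml_request(url):
    """IdP-side view: recover the AuthnRequest XML and the RelayState it must echo back."""
    query = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()
    return xml, query.get("RelayState", [None])[0]

def acs_landing_target(posted_relay_state):
    """ACS side: after the SAML response validates, redirect only to an allowlisted target."""
    if posted_relay_state in ALLOWED_RELAY_STATES:
        return posted_relay_state
    return DEFAULT_LANDING
```

The allowlist is what keeps RelayState from becoming an open redirect: Azure AD echoes whatever the SP sent, so the ACS must decide on its own which targets are acceptable.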
