25,080 questions
This is not good news. Unfortunately, the flow will be IDP. This was not an issue with Okta so I would hope that these types of customizations will be forthcoming in Azure.
Azure Active Directory - Entity ID - SSO
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 4%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Arroyo, Renee
116
Reputation points
I have 12 IBM applications that are to be configured as SSO all having the same Entity ID and ACS. The unique attribute is the relay state. Since Azure requires a unique entity ID/ACS for each application, how can this be done. I attempted to configure thru application registration, but there isn't a field to enter the relay state. Can this be done? Much appreciated!
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator2020-10-16T23:02:49.203+00:00 @Arroyo, Renee
Thank you for your post!When you say 'relay state', is that similar to a Redirect URI? Or is that just a unique attribute of users?
Can you provide any documentation/screenshots that you're following or referencing or using?Any additional info or screenshots is much appreciated! This way I can gain a better understanding of your question/issue.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue. -
Arroyo, Renee 116 Reputation points
2020-10-19T11:39:28.733+00:00 Hello James, yes, the Relay State will be used as a redirect. Once the user logs in, the Relay State will redirect the user to the specific application. Below is an example of the main application and a second application that has to use the same entity ID/ACS with a different relay state.
For example, the main application uses this:
Entity ID: https://idaas.iam.ibm.com/idaas/mtfim/sps/idaas/saml20
ACS: https://idaas.iam.ibm.com/idaas/mtfim/sps/idaas/saml20/login
Relay State: https://{mydomain}.ibm.comSecond Application:
Entity ID: https://idaas.iam.ibm.com/idaas/mtfim/sps/idaas/saml20
ACS: https://idaas.iam.ibm.com/idaas/mtfim/sps/idaas/saml20/login
Relay State: https://{dev-domain}.planning-analytics.ibmcloud.com/Thanks much,
Renee
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2020-10-19T21:06:45.803+00:00 @Arroyo, Renee
Thank you for the additional details!You said that you attempted to configure this through the application registration, was that not possible? Since the Relay State is going to be used as a redirect URI, you should be able to add it as a "Web" platform redirect URI.
I'll also reach out to my team regarding this issue to see if there's anyway we can add the Relay State.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue. -
Arroyo, Renee 116 Reputation points
2020-10-20T15:20:56.593+00:00 Hello James, yes I have them created with the relay state, but then there isn't a place to add the entity ID or ACS unless all three are added there.
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2020-10-20T16:43:44.957+00:00 @Arroyo, Renee
Thank you for the quick response and clarification! I've reached out to our product team regarding this information and will update as soon as possible.If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Sign in to comment
Accepted answer
-
Arroyo, Renee 116 Reputation points
2020-10-22T19:58:28.953+00:00 -
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2020-10-22T23:05:37.197+00:00 @Arroyo, Renee
Thank you for the quick response!I've relayed your response to our engineering team so they can consider this feature for future implementation. However, if you'd like to create a feature request, please feel free to do so using our User Voice forum.
Sign in to comment -
4 additional answers
Sort by: Most helpful
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2020-10-22T18:08:37.597+00:00 @Arroyo, Renee
Thank you for your time and patience, I received a response from our product team and will post it below.PG response:
It should work if you're using SP initiated flow and will add ?RelayState= to the request. For IdP initiated flow we only support one relay state.
You should be able to do this following the OASIS Security Assertion Markup Language (SAML) V2.0 Technical OverviewIf you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 94%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Randall Brownlee 1 Reputation point2021-07-29T21:09:37.027+00:00 @Arroyo, Renee -> Hello, did you ever wind up finding a solution in Azure for the exact scenario you're facing above?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 15%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPJ%3C/text%3E%3C/svg%3E)
Phil Jackson - ADMIN 6 Reputation points2021-08-17T15:38:35.673+00:00 This is an issue for me now. I am trying to migrate from Okta, and now I am hindered as I can't setup multiple VPN profiles, because they don't want the saml profile to have the same entity ID. This should be a simple fix to put in place. Okta did it perfectly.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 6%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIW%3C/text%3E%3C/svg%3E)
Ilan Wajsman 1 Reputation point2021-11-10T23:01:31.74+00:00 I'm having the same issue with multiple NetSuite environments. NetSuite is not allowing the same entity ID to more than one environment....Any updates?
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 36%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVA%3C/text%3E%3C/svg%3E)
Vidhya Athmanathan 0 Reputation points2023-05-17T17:03:02.95+00:00 I am encountering the same issue. I stumbled upon this thread. Any luck - anyone on getting this resolved with Azure? Thank you for your help.
Thanks,
-Vidhya