SAML multi-instancing

Question

SAML multi-instancing

testuser7 276

Hello

what is SAML multi-instancing ?? https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-app-multi-instancing

Per doc, app multi-instancing refers to the need for the configuration of multiple instances of the same application within a tenant.

So does that mean that there would be SINGLE app-object and multiple Service-principal object for any SAML app pulled up from the gallery ??

Thanks.

JamesTran-MSFT 36,871 Reputation points Microsoft Employee

2023-08-14T20:25:23.0266667+00:00

@testuser7

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

2 answers

Your answer

JamesTran-MSFT 36,871 Reputation points Microsoft Employee

2023-08-14T20:25:23.0266667+00:00

@testuser7

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Brian Zarb 1,670

SAML multi-instancing in Azure Active Directory allows you to set up multiple configurations for the same app within one tenant. Imagine you have one app but need different settings for various departments. With multi-instancing, you'd still have one main app, but you can create multiple service principal objects for each unique setup. So, for an app you grab from the gallery, it remains a single app, but you can have many service principal configurations for it. Hope that clears it up!

testuser7 276 Reputation points

2023-08-09T18:24:12.0033333+00:00

Thanks @Brian Zarb

It is getting clear once you tell me how can I create second service-principal for the app that I just brought from gallery ?
testuser7 276 Reputation points

2023-08-09T18:25:12.1+00:00

Thanks @Brian Zarb

It is getting clear once you tell me how can I create second service-principal for the app that I just brought from gallery ?
Brian Zarb 1,670 Reputation points

2023-08-09T18:47:40.07+00:00

Sure, go to Enterprise application in Azure Add a new instance:

Click on the "+ New application" button.Now, instead of searching the gallery, select the application you brought earlier from the gallery. This would essentially be creating another instance of the same app.

Configure the new instance: After adding, you can set it up just like you did for the first one. This means assigning users/groups, setting up single sign-on, configuring permissions, etc.

Get the Service Principal: Each instance you add of an application gets its own service principal. To view these:Go back to the main Azure Active Directory blade.Select "App registrations".You will now see all the application registrations, which includes service principals. Here, you should see multiple entries for the application you brought from the gallery, each with its unique service principal.

You can differentiate between the instances using their unique Application (client) ID or by the date of creation.
testuser7 276 Reputation points

2023-08-09T19:03:33.9433333+00:00

Wow, this is something new I am going to try out. Let me do it. Will update you.

Thanks @Brian Zarb
Brian Zarb 1,670 Reputation points

2023-08-09T19:09:19.73+00:00

Yes n please let me know as i had something similar at it fixed my issue !
testuser7 276 Reputation points

2023-08-10T13:59:12.42+00:00

Hi @Brian Zarb

Tried to follow your instructions.

i.e.,

Click on the "+ New application" button.Now, instead of searching the gallery, select the application you brought earlier from the gallery. This would essentially be creating another instance of the same app

How do I select the original application that I brought a minute ago ??

It is always creating a new app-object and service-principal.

we want the SAME app-object with another service-principal.
Brian Zarb 1,670 Reputation points

2023-08-10T14:30:38.9733333+00:00

The service principal is unique, if you require a different one you'd have to create a new app instance.

You can have multiple app instances pointing at the same appliance, i personally have that setup in my tenant and never gave me issues

If you want to select an existing instance go to (Applications ->Enterprise apps) and under the 'all applications' in the search bar you can search for your existing apps. If you dont see it there then the instance might need to be re created
testuser7 276 Reputation points

2023-08-10T14:36:53.4833333+00:00

I guess you did NOT get the whole point of this thread i.e., SAML multi-instancing

Pasting my original line ...

So does that mean that there would be SINGLE app-object and multiple Service-principal object for any SAML app pulled up from the gallery ??
Brian Zarb 1,670 Reputation points

2023-08-10T15:04:25.9633333+00:00
I understand the confusion, and I apologize for the oversight. To answer your question directly:

Yes, with SAML multi-instancing, the idea is to have a SINGLE app-object (Application Registration) with MULTIPLE service principal objects within a tenant.

This way, you can maintain one central app definition (app-object) but have unique configurations for the application for different scenarios or departments (service principals).

When you are trying to set this up in Azure Active Directory:

Create the initial application in Azure AD from the gallery.

This will create both the app-object (in App registrations) and its associated service principal (in Enterprise applications).

For multi-instancing, you'd typically create additional service principals for this existing app-object. Each of these service principals can then have their unique configurations. Azure AD allows creating multiple service principals for a single app-object, but it's crucial to ensure you're not inadvertently creating new app-objects instead.

So in summary, you have to create this through the Enterprise Applications tab as it refers to the existing app objects which where registered. I hope this is clear enough.
testuser7 276 Reputation points

2023-08-10T15:31:36.7733333+00:00

Thanks @Brian Zarb

So again pasting the my same line ....

"It is getting clear once you tell me how can I create second service-principal for the app that I just brought from gallery ? ? "
testuser7 276 Reputation points

2023-08-10T16:12:52.18+00:00

I think you are trying hard but still missing the point. Let's call it off.

my suggestion is read the SAML multi-instancing document and see if it makes sense.

If I understood correctly, there can not be another app-object.
Brian Zarb 1,670 Reputation points

2023-08-10T16:26:43.1233333+00:00

apologize for any confusion, and I appreciate your patience.

Answer 2

Find Your App: Head over to the Azure portal. Go to "Azure Active Directory" then "App Registrations." You'll see a list of apps. Find the one you just added from the gallery.

Add a New Service Principal: Now, normally, every app you add automatically gets its own "service principal" (think of it as a unique settings profile). But you want to add a second one, right? This is where things get a bit tricky. Azure AD doesn't have a straightforward "add another service principal" button for an existing app.

Workaround: The typical approach in Azure AD to achieve the effect of "multi-instancing" is to add the app again. I know it sounds like you're doubling up, but bear with me. When you add it again, you're essentially creating another instance of the same app, and it gets its own unique service principal. This way, you can configure different settings for the same app.

Differentiate: Later, if you're trying to figure out which service principal is which, you can identify them by their unique ID or by their creation date.

It might not be as straightforward as we'd like, but that's the workaround folks have been using. Hope this clarifies things a bit more! Let me know if there's anything else. 😊

Share via

SAML multi-instancing

2 answers

Your answer