How to redirect a federated application to another Idp

Question

How to redirect a federated application to another Idp

julien deroche 131

Hello everyone,

I added Salesforce (as an example) to azure AD and I federated it (it works). I also added Workspace one access as another idp into Azure AD. I want my users they authenticate with Workspace One access idp instead of Azure AD. Is it possible to redirect the authentication? I didn't find any rules for that.

Thank you very much for your help.

Regards

Julian

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-10-10T03:57:05.45+00:00

Hi @julien deroche ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Accepted answer

1 additional answer

Your answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-10-10T03:57:05.45+00:00

Hi @julien deroche ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 1

Shweta Mathur 30,296 Microsoft Employee Moderator

Hi @julien deroche ,

Thanks for reaching out.

Yes, it is possible to redirect the authentication to Workspace One access IDP instead of Azure AD. You can achieve this by configuring the Home Realm Discovery (HRD) policy in Azure AD. HRD policy is used to determine which identity provider (IDP) should be used to authenticate a user based on the user's email domain.

Once users enter their UPN, if they belong to a federated domain, they will be redirected to the sign-in page of the Identity Provider (IdP) associated with that domain.

Reference : https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/home-realm-discovery-policy

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

julien deroche 131 Reputation points

2023-09-29T11:34:04.7533333+00:00
Hi Shweta Mathur !

Thank you very much for your answer, is it mandatory to federate the domain? I'd like to do this scenario

Setting up HRD policy to do auto-acceleration for an application to one of several domains that are verified for your tenant.

I didn't see the powershell command for that.

Do I need to set the "AccelerateTo FederatedDomain" to false?

I didn't see in the documentation where we can find which idp we want for this application either.

Thank you in advance for your help

New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFederatedDomain`":true}}") -DisplayName BasicAutoAccelerationPolicy -Type HomeRealmDiscoveryPolicy

Shweta Mathur 30,296 Microsoft Employee Moderator

julien deroche

Yes, it is mandatory to federate the domain in order to use HRD policy for auto-acceleration.

You can specify the preferred domain in the HRD policy definition. Here is an example of how to create an HRD policy that auto-accelerates users to a verified domain.

New-AzureADPolicy      -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFederatedDomain`":true, `"PreferredDomain`":`"federated.example.edu`"}}")      -DisplayName MultiDomainAutoAccelerationPolicy      -Type HomeRealmDiscoveryPolicy

AccelerateToFederatedDomain	Boolean	Set to true for auto-acceleration (bypass home realm discovery). If true and there's only one verified and federated domain in the tenant, then users are taken straight to the federated identity provider (such as ADFS) for sign in. If true and there's more than one verified domain in the tenant, PreferredDomain must be specified. Optional.

Reference - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal?pivots=powershell-hrd#create-an-hrd-policy

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Answer 2

julien deroche 131

Hello Shweta,

Thank you for your answer, I had to choose another solution, it's all or nothing and it's not possible for the customer.

Thank you again

Share via

How to redirect a federated application to another Idp

1 additional answer

Your answer