This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 4%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYC%3C/text%3E%3C/svg%3E)
Hello,
We are trying to establish SSO from Azure AD to an application, with a proxy in the middle. Assume the application URL is: example.app.com and the proxy URL is example.proxy.com. We would like Azure AD to send the SAML Response to example.proxy.net instead of sending it to example.app.com.
We were able to make this setup work in Okta, by setting the following values on our SAML 2.0 application:
Single sign on URL: https://example.proxy.net/login
Recipient URL: https://example.app.com/login
Destination URL: https://example.app.com/login
Audience URI (SP Entity ID): https://example.app.com/login
As you can see, we override the Single sign on URL with the proxy URL and then have to explicitly set the rest of the URL in order for the SAML assertion to be accepted by the application. In Okta, the description of the Single sign-on field says: The location where the SAML assertion is sent with a HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.
We are trying to recreate the same setup in Azure AD using an Enterprise Application but we can't find the equivalent field in Azure to Okta's Single sign-on in order for Azure to send the HTTP POST to our proxy. Can you help us find that field?
Thank you,
Yoav.
Hi, we are investigating your issue and will update you shortly!
Thank you so much, James. It is holding back a major customer engagement for us. Appreciate the help.
Yoav.
Hi, have you looked at this document? Check the setting shown here. You can edit them to your fit! 
Please let me know if this helps!
Best,
James
Hi, do you still require assistance? If not, please mark the answer as verified.
Thank you,
James
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 32%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)
Hi,
We also have similar problem where we are trying to use a reverse proxy in front of our application. Our application is rejecting SAML response coming with the destination set to "Reserve Proxy URL" .
Is this issue still there or we have a workaround ??
Thanks !
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 41%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHM%3C/text%3E%3C/svg%3E)
Hi,
with have the same problem, is there a solution or do we need to implement a workaround?
I believe this is still not supported...
did you implement a workaround ?
Yes, but not sure how applicable it is to anyone else. We added support in our service to proxy SAML messages, re-write and re-sign them. The application will now see our proxy as the IdP instead of Azure AD. It's a big undertaking but we had to do it to support our customers on Azure AD.