How to add a multi-tenant SAML2 app using admin consent url

Jean-François Bélisle 0

Hi,

I try to integrate a multi-tenant application in my own tenant using an admin consent. The application is based on SAML2 and NOT OIDC. By default, when I add it using admin consent, it creates the app with OIDC by default. Once the app is created, I don't see a way to change the authentication type from OIDC to SAML2.

Kind of stuck on OIDC, so app login doesn't work....

Any ideas ?

Thank you

1 answer

Goutam Pratti 495 Reputation points Microsoft Vendor

2024-10-14T20:16:10.2166667+00:00

Hi @Jean-François Bélisle ,

Thank you for reaching out to Microsoft Q&A.

When integrating a multi-tenant application in Microsoft Entra ID using admin consent, the platform defaults to OIDC (OpenID Connect) as the authentication method.

Unfortunately, Microsoft Entra ID does not allow you to switch the authentication protocol from OIDC to SAML2 after registration instead you can remove the OIDC Configuration but cannot change to SAML2. However, you can configure the app for SAML2 Single Sign-On (SSO) by manually creating it as a non-gallery application. Once created, you can set up the necessary SAML2 configurations to enable SAML-based login.

For further guidance on configuring SAML SSO, refer to Microsoft’s documentation.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Regards,
Goutam Pratti.
Please sign in to rate this answer.
Jean-François Bélisle 0 Reputation points

2024-10-15T12:24:32.96+00:00

THank you for your response.

But if I create it as a non gallery app from scratch, I won't be able to link it to the multi tenant app regsitration from the other tenant. So basically there is no way to have a multitenant SAML2 application ?

Goutam Pratti 495 Reputation points Microsoft Vendor

2024-10-16T19:45:31.38+00:00

Hello @Jean-François Bélisle ,

Thank you for reaching out to Microsoft Q&A.

If you create a non-gallery application from scratch, it will be set up as a single-tenant application by default. To make it a multi-tenant SAML2 application, you need to change the supported account type from single tenant to multi-tenant, the option is available in the App Registration.

Here are the steps to follow:

Once you enable the option shown in the picture, the application will support SAML2 for multi-tenant use.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer for the above answer provided.

Regards,
Goutam

Jean-François Bélisle 0 Reputation points

2024-10-16T19:54:43.2133333+00:00

Hi, thank you.

Actually it doesn't help. I don't want a seperate app registration. I want an enterprise app link the the app registration from to other tenant, which is already defined as a SAML2 multitenant application.

Goutam Pratti 495 Reputation points Microsoft Vendor

2024-10-18T20:35:33.5566667+00:00

Hi @Jean-François Bélisle

Thank you for reaching out to Microsoft Q&A.

Let me explain you with the scenario for better understanding:

Tenant A (Home Tenant) is where the application is registered as multi-tenant with the SAML2 protocol. This registration acts as the master definition of the app, containing configurations like API permissions, authentication settings, etc. App registrations are only visible in the tenant where they were originally created—Tenant A in this case.

To allow users from Tenant B to use the multi-tenant application, an admin or a user with appropriate permissions must consent to the application. If the app requires elevated permissions, an admin from Tenant B will need to provide consent by clicking "Accept" on the consent screen.

Once consent is granted, a Service Principal for the multi-tenant app is automatically created in Tenant B. The app will then appear in the Enterprise Applications section of Tenant B, confirming that the Service Principal was successfully established.

It’s important to note that you cannot link the Enterprise Application to the App Registration blade in another tenant (Tenant B). This is because App Registrations are global configurations and only visible in the original tenant where the application was registered (Tenant A). Although users from other tenants (like Tenant B) may interact with the app via the Service Principal, the app registration itself remains confined to Tenant A.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was the above answer helpful. And, if you have any further query do let us know.

Best regards,

Goutam Pratti

Goutam Pratti 495 Reputation points Microsoft Vendor

2024-10-21T19:21:32.2766667+00:00

Hi @Jean-François Bélisle,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Jean-François Bélisle 0 Reputation points

2024-10-21T19:48:33.5666667+00:00

Hi @Goutam Pratti

I can confirm that we have the same understanding of the situation. What you described is exactly what I've done and understand, using admin consent. I also understand the concepts and differences related to App Regsitration vs Enterprise App.

But still no clear answer concerning setting up SAML2 authentication on the new enterprise app (service principal) of tenant B, which is linked to the tenant A app registration.

I also tried many things with Powershell, with no success. I've change the "PreferredSingleSignOnMode" to saml, but even after that the UI is stuck in OIDC

Goutam Pratti 495 Reputation points Microsoft Vendor

2024-10-25T11:37:12.92+00:00

Hi @Jean-François Bélisle,

Sorry for the delay in response :)

The reason why you're unable to change the authentication type from OIDC to SAML in your other tenant is because the authentication type is determined by the application registration in the Azure portal. When you registered the multi-tenant organization app with SAML SSO in your home tenant, it was created with SAML authentication. However, when you added the app to your other tenant using admin consent, it was created with OIDC authentication by default because that is the default authentication type for new app registrations in Azure.

This means that if you want to use SAML SSO for the multi-tenant organization app in your other tenant, you will need to register a new instance of the application with SAML authentication in that tenant.

Hope this helps. Do let us know if you any further queries.

Regards,
Goutam Pratti

Goutam Pratti 495 Reputation points Microsoft Vendor

2024-10-28T17:17:46.4233333+00:00

Hello @Jean-François Bélisle,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Jean-François Bélisle 0 Reputation points

2024-10-28T17:24:31.5466667+00:00

Sadly, there's no way around, it's a limitation you have. I will have to find another workaround.

Thank you
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to add a multi-tenant SAML2 app using admin consent url

1 answer

Your answer