Single Sign On with my application and Azure as Identity Provider at the same time

Iqbal
2024-12-06T06:06:30.2866667+00:00

So I have an app (let's call it 'tx') that can do SSO as both an Identity Provider and a Service Provider.

  1. In Azure, I've configured my tx as an Enterprise Application and set up Single Sign On with SAML, with tx as the Service Provider.
  2. I've also configured, via MsolService, my tx as an Identity Provider whenever I want to log in to Office 365, and have changed my domain to Federated.

If I want to log in to Office 365, I will be redirected to tx and then back to Office 365 (as point 2 intends). But if I want to log in to my tx and use Azure as its Identity Provider, then after I enter my email on the Azure login page (with the Federated domain), I will be redirected back to my tx login page (which should not happen, because my tx is the Service Provider).

My question is, can I configure something in Azure to take a different approach when I've configured Azure and my tx as Service Provider and Identity Provider at the same time?

Thanks!

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Other

1 answer

  1. Sandeep G-MSFT, Microsoft Employee, Moderator
    2024-12-09T14:57:55.0066667+00:00

    @Iqbal

    Thank you for posting this in Microsoft Q&A.

    As I understand it, you want to set up your organization in such a way that when users try to log in to your application, which is configured as a service provider, they are authenticated via Azure as the IdP.

    You have also configured the same application as an identity provider by federating a domain. Now when users try to log in to Office 365 apps, they are redirected to your IdP and authentication is successful.

    But when users try to log in to the application you have configured, they are redirected to your IdP after entering their email ID.

    This is by-design behavior. When you set up federation with any identity provider, you are actually federating a domain.

    Now whenever a user tries to access any Azure service or any application in Azure, they will be asked to provide their UPN/email ID. When the user enters a UPN/email ID with the federated domain as the email suffix, by default they will be redirected to the federated identity provider configured for that domain.

    There is no option for users with the same domain suffix to use different identity providers for authentication within Azure when accessing different applications.

    For example, in your case you have federated the domain "abc.com" with the "tx" identity provider. Now when a user with the email ******@abc.com tries to access Office 365 applications in Azure, they will be redirected to the tx identity provider for authentication. And when they try to access any other enterprise application with the same email ******@abc.com, they will still be redirected to the tx identity provider for authentication.

    Once the domain is federated with the tx identity provider, no matter which application the user tries to access with the email suffix abc.com, they will be routed to the tx identity provider for authentication.

    Let me know if you have any further questions on it.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
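The answer above comes down to home realm discovery being keyed on the domain suffix of the e-mail, not on the application being accessed. The following PowerShell session is an added diagnostic example, not code from the question, the answer or Microsoft; it shows how to confirm that routing from both sides (what the public login page does with an e-mail, and the per-domain setting in the tenant that drives it). It assumes the federated domain is abc.com, the test user is user@abc.com, a second, managed domain contoso.onmicrosoft.com exists in the same tenant, and the MSOnline module used in the question (Connect-MsolService) is installed; all of those are placeholders to replace with your own values.

```powershell
# Added diagnostic example (not from the original Q&A). It shows why an SP-initiated
# login to "tx" lands back on tx: Entra routes on the e-mail suffix, not on the target app.
# Assumed values: federated domain abc.com, test user user@abc.com, managed domain
# contoso.onmicrosoft.com, MSOnline module installed. Replace with your own.

$Domain = 'abc.com'
$User   = "user@$Domain"

# 1. What the login page does with this e-mail: the public home-realm-discovery endpoint.
#    For a federated domain NameSpaceType is "Federated" and AuthURL points at the IdP (tx).
#    For a managed domain NameSpaceType is "Managed" and Entra authenticates the user itself.
$realm = Invoke-RestMethod -Uri "https://login.microsoftonline.com/GetUserRealm.srf?login=$User"
$realm | Select-Object Login, NameSpaceType, DomainName, FederationBrandName, AuthURL

# 2. The tenant-side setting that drives that routing. It is per domain; there is no
#    per-application field here, which is the point of the answer above.
Connect-MsolService
Get-MsolDomain | Select-Object Name, Status, Authentication

# 3. The federation trust itself: where Entra sends users of abc.com and which
#    signing certificate it expects from the tx IdP.
Get-MsolDomainFederationSettings -DomainName $Domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, FederationBrandName, PreferredAuthenticationProtocol

# 4. Constructed comparison of two accounts in the same tenant (run interactively):
#    - user@abc.com                -> NameSpaceType Federated -> sent to tx for every app
#    - user@contoso.onmicrosoft.com -> NameSpaceType Managed   -> Entra signs the user in itself,
#      so tx-as-SP with Entra-as-IdP works for that account but not for the abc.com one.
foreach ($u in @($User, 'user@contoso.onmicrosoft.com')) {
    $r = Invoke-RestMethod -Uri "https://login.microsoftonline.com/GetUserRealm.srf?login=$u"
    '{0,-40} {1}' -f $u, $r.NameSpaceType
}

# 5. Converting the domain back to managed removes the redirect for everyone on abc.com,
#    and with it the tx-as-IdP behaviour for Office 365. Left commented out so the
#    trade-off is explicit before anyone runs it.
# Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
```

Step 1 needs no credentials and is the quickest way to confirm the behaviour in the question: the redirect to tx is decided before any application is involved, so only the suffix matters. Step 4 is the practical consequence of the answer: an account on a managed domain in the same tenant can use Entra as the IdP for tx, while accounts on abc.com will always be sent to tx first as long as that domain stays federated.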

