Azure App Proxy - Redirecting to Internal URL

Kendal Friesen 6 Reputation points
2021-08-10T22:56:30.213+00:00

I have an app registration and an enterprise app that successfully allow an internal app to SSO to Azure AD.

The problem is that if I turn on App Proxy and I try to use it from external, it works until it gets to the SSO part, and then in that process it sends back a Reply URL that redirects the external App Proxy URL to an internal URL that, of course, won't work externally.

If I change the "Reply URL" to something else, it says that the reply URL doesn't exist in the app (for security purposes).

My only method of using this app is to log in with a local user and not use the SSO.

Anyone have thoughts on how to make it work while using AAD for SSO?


4 answers

  1. Siva-kumar-selvaraj 15,721 Reputation points
    2021-08-11T19:32:45.2+00:00

    Hello @Kendal Friesen ,

    Thanks for reaching out.

    I understand that your corporate application is integrated with Azure AD for SSO and works internally. Could you please confirm the authentication protocol used by your application (SAML or OIDC)? If it's SAML, then Azure AD Application Proxy has native support for SAML SSO.

    Are you able to access the published application externally using an IdP-initiated sign-on flow, by going to the https://myapplications.microsoft.com/ (MyApps) portal and accessing it from there? Does it work, or do you get a similar error? Through the IdP-initiated sign-on flow no additional configuration of the Reply URLs is required, so this way we can isolate the issue.

    If it fails only for an SP-initiated flow (where you directly access the application URL, which redirects the user to the identity provider for authentication), make sure the back-end application specifies the correct Reply URL or Assertion Consumer Service URL for receiving the authentication token.

    When the application is accessed directly using the external URL in the browser (SP-initiated flow), it's important that the SAML request (generated by the Service Provider) includes an Assertion Consumer Service URL (AssertionConsumerServiceURL) which matches the Reply URL of the published web app in the SAML SSO configuration.

    So I'm wondering if the Reply URL of the published app and the Azure AD Application Proxy are identical in your scenario? You must configure 2 Reply URLs.

    Example:

    https://testSAML.contoso.com/ - This is the External URL of the Azure AD Application Proxy app

    https://testSAML.contoso.com/Saml/ - This is the Reply URL (Assertion Consumer Service URL) of the published app. (the SAML response will be posted to this endpoint). This must be the default one.

    To view / add / modify the reply URLs, go to the Azure Portal -> Azure Active Directory -> Enterprise Applications -> locate the application.

    (Screenshot attached to the original answer: 122377-image.png)

    Note

    • Always use identical internal and external URLs (see Custom domain configuration) for the publishing, if possible (to avoid issues with hard-coded internal links).
    • If the internal and external URLs are different and the reply URL of the published app must be specified by the internal URL, then you must install the browser extension on the desktop clients and activate the Azure AD Application Proxy redirection for the Edge mobile browser on iOS/Android.

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
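    The Reply URL matching described in this answer, as an added example that is not part of the original answer and not Microsoft's code: a small console program that extracts the AssertionConsumerServiceURL from an SP-initiated SAML AuthnRequest and checks it against the set of Reply URLs registered on the enterprise app, which is the decision an identity provider makes before it will POST a SAML response anywhere. The AuthnRequest XML, the internal hostname and the registered URLs (the contoso.com values from the answer) are constructed for the example; the comparison is an exact, case-sensitive string match, which is the conservative assumption about how the service matches.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

// Models the Reply URL check an identity provider performs on an SP-initiated
// SAML AuthnRequest before it will POST a SAML response anywhere.
static class ReplyUrlCheck
{
    // Reply URLs registered on the enterprise app. Constructed for this example;
    // they are the two URLs recommended in the answer above.
    static readonly HashSet<string> RegisteredReplyUrls = new(StringComparer.Ordinal)
    {
        "https://testSAML.contoso.com/",
        "https://testSAML.contoso.com/Saml/",
    };

    // Builds a minimal SP-initiated AuthnRequest (constructed for this example) whose
    // AssertionConsumerServiceURL is the endpoint the SP wants the response posted to.
    static string BuildAuthnRequest(string acsUrl) =>
        $@"<samlp:AuthnRequest xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol""
               xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion""
               ID=""_example-request-id"" Version=""2.0""
               IssueInstant=""2021-08-11T00:00:00Z""
               AssertionConsumerServiceURL=""{acsUrl}"">
           <saml:Issuer>https://testSAML.contoso.com/</saml:Issuer>
         </samlp:AuthnRequest>";

    // Returns the ACS URL carried by the request, or null when the attribute is absent.
    static string? ExtractAcsUrl(string xml)
    {
        XNamespace samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
        return XDocument.Parse(xml)
                        .Element(samlp + "AuthnRequest")?
                        .Attribute("AssertionConsumerServiceURL")?.Value;
    }

    // Exact, case-sensitive comparison against the registered set. The real service's
    // matching rules may be more lenient; exact match is the conservative assumption.
    static bool IsRegistered(string? acsUrl) =>
        acsUrl is not null && RegisteredReplyUrls.Contains(acsUrl);

    static void Main()
    {
        // Case 1: the back-end app still advertises its internal hostname (constructed).
        // This is the situation in the question: the IdP has no such Reply URL on record.
        string internalAcs = "https://testsaml.corp.internal/Saml/";
        // Case 2: the app advertises the published (external) App Proxy URL instead.
        string externalAcs = "https://testSAML.contoso.com/Saml/";

        foreach (var acs in new[] { internalAcs, externalAcs })
        {
            var requested = ExtractAcsUrl(BuildAuthnRequest(acs));
            Console.WriteLine(IsRegistered(requested)
                ? $"{requested}: registered, the SAML response would be POSTed here."
                : $"{requested}: not a registered Reply URL, sign-in is rejected.");
        }
    }
}
```

    The first request is rejected and the second accepted, which is the whole point of the two Reply URLs listed above: the ACS URL the back-end app puts into its AuthnRequest has to be the external, published URL, not the hostname it knows itself by internally.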


  2. Kendal Friesen 6 Reputation points
    2021-08-11T20:58:48.197+00:00

    The SAML is through "app registration", so I don't have the screens you have, as that is SAML through the enterprise app, correct?

    If I add a 2nd reply URL in the app registration, it says:

        Sign in
        Sorry, but we're having trouble signing you in.

        AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'app'.


  3. Kendal Friesen 6 Reputation points
    2021-08-12T18:53:20.47+00:00

    I finally was able to get it to work by adding a few reply URLs in the app registration for the different proxy addresses I might use. I am also using the My Apps Chrome extension.

    On why I am using it.... I followed the instructions of the company that makes the software. Perhaps it's because you have pages to log in locally and a different page for using SSO, and their design didn't work with an enterprise app?? Not sure.

    Now if I could just find out why My Apps doesn't have an app in "Conditional Access"... sigh, always something. Well, there is a MyApps, but it doesn't match up to the Microsoft Apps Access Panel, which is failing conditional access... so therefore my "My Apps" Chrome plugin doesn't work for some people.

    Thanks for the above responses.


  4. Tiago Santos 0 Reputation points
    2025-03-25T14:21:32.4866667+00:00

    I was having a similar issue; I was able to resolve it by adding the following code in my Program.cs:

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

// Add services to the container. MS help with the returning url on Anonymous Auth with Entra ID.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        builder.Configuration.Bind("AzureAd", options);
        options.Events ??= new OpenIdConnectEvents();

        var nextRedirectHandler = options.Events.OnRedirectToIdentityProvider;
        options.Events.OnRedirectToIdentityProvider = async (ctx) =>
        {
            // Force the redirect_uri sent to Entra ID to be the external App Proxy URL.
            ctx.ProtocolMessage.RedirectUri = "https://xpto.msappproxy.net/yourapp/signin-oidc";
            await nextRedirectHandler(ctx);
        };
    });
```
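    A configuration-driven variant of the handler above, as an added example that is not from the original answer, the asker, or Microsoft: it keeps the same OnRedirectToIdentityProvider override but takes the external base URL from configuration and appends the scheme's own CallbackPath, so the callback path is defined in one place, and it applies the same treatment to the post-logout redirect, which the hard-coded snippet does not cover. "AzureAd:ExternalBaseUrl" is an assumed configuration key for this example (not a Microsoft.Identity.Web setting), and the Microsoft.Identity.Web NuGet package is assumed to be referenced. Whatever value is used still has to be listed under the app registration's Redirect URIs, or Entra ID returns the AADSTS50011 error quoted earlier in this thread.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// "AzureAd:ExternalBaseUrl" is an assumed configuration key for this example, e.g.
// "https://xpto.msappproxy.net/yourapp" in appsettings.json; Microsoft.Identity.Web
// does not define it. Failing fast beats silently redirecting external users to an
// internal hostname they cannot reach.
var externalBaseUrl = builder.Configuration["AzureAd:ExternalBaseUrl"]
    ?? throw new InvalidOperationException("AzureAd:ExternalBaseUrl is not configured.");

// External base URL + the scheme's own callback path, normalised so that a missing or
// extra '/' in configuration does not produce a URL that fails the exact Reply URL match.
static string Combine(string baseUrl, string? path) =>
    new Uri(new Uri(baseUrl.TrimEnd('/') + "/"), (path ?? string.Empty).TrimStart('/')).ToString();

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        builder.Configuration.Bind("AzureAd", options);
        options.Events ??= new OpenIdConnectEvents();

        var signInRedirect  = Combine(externalBaseUrl, options.CallbackPath.Value);
        var signOutRedirect = Combine(externalBaseUrl, options.SignedOutCallbackPath.Value);

        // Sign-in: the redirect_uri sent to Entra ID must be reachable by the browser
        // *and* registered on the app registration, otherwise AADSTS50011 comes back.
        var nextSignIn = options.Events.OnRedirectToIdentityProvider;
        options.Events.OnRedirectToIdentityProvider = async ctx =>
        {
            ctx.ProtocolMessage.RedirectUri = signInRedirect;
            await nextSignIn(ctx);
        };

        // Sign-out: post_logout_redirect_uri has the same internal-vs-external problem.
        var nextSignOut = options.Events.OnRedirectToIdentityProviderForSignOut;
        options.Events.OnRedirectToIdentityProviderForSignOut = async ctx =>
        {
            ctx.ProtocolMessage.PostLogoutRedirectUri = signOutRedirect;
            await nextSignOut(ctx);
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "Signed in through the App Proxy external URL.").RequireAuthorization();
app.Run();
```

    Reading the external URL from configuration rather than the request means a spoofed Host header cannot steer the redirect, and it keeps the production App Proxy hostname out of source control: each environment sets its own value, and the matching entry on the app registration is the allow-list that Entra ID enforces.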
    