How to validate SAML at http://test.com/test

tarou chabi 731 Reputation points
2022-03-15T12:59:36.617+00:00

The address of the local web server is http.
Azure AD Saml response URL can only be set to https.
Can I verify with http? App registration? Do I need to change hosts?
Please tell me the procedure.


Accepted answer
  1. Siva-kumar-selvaraj 15,721 Reputation points
    2022-03-22T20:27:55.973+00:00

    Apologies for the delayed response.

    The Enterprise application blade is where you can find most pre-defined SaaS applications as well as custom applications that can be used for SSO purposes, and the App registration blade is where you can create applications that support OAuth, OIDC and SAML protocol based SSO. As a result, the SAML, OAuth and OpenID Connect endpoints for both Enterprise and App registration apps stay the same, as illustrated below. The Azure AD endpoints can be found at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps , and you can also verify this from the Enterprise application blade, which shows the same URLs, as shown below.

    Azure AD endpoints:

    SAML-P sign-on endpoint: https://login.microsoftonline.com/{YourName/TenantID}/saml2
    SAML-P sign-out endpoint: https://login.microsoftonline.com/{YourName/TenantID}/saml2
    OpenID Connect metadata document: https://login.microsoftonline.com/{YourName/TenantID}/v2.0/.well-known/openid-configuration
    OAuth 2.0 token endpoint (v1) : https://login.microsoftonline.com/{YourName/TenantID}/oauth2/token
    OAuth 2.0 authorization endpoint (v1) : https://login.microsoftonline.com/{YourName/TenantID}/oauth2/authorize
    OAuth 2.0 token endpoint (v2) : https://login.microsoftonline.com/{YourName/TenantID}/oauth2/v2.0/token
    OAuth 2.0 authorization endpoint (v2) : https://login.microsoftonline.com/{YourName/TenantID}/oauth2/v2.0/authorize

    App Registration page: (screenshot)

    Enterprise Application page: (screenshot)

    To learn more about App Registration vs Enterprise Applications, refer to: https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals. Hope this helps.


2 additional answers

Sort by: Most helpful
  1. Siva-kumar-selvaraj 15,721 Reputation points
    2022-03-17T23:06:24.633+00:00

    Hello @tarou chabi ,

    Thanks for reaching out.

    I understand that you have a local web server that is configured with the http scheme for its web sites, so you would like to check which options are feasible in this case when enabling SSO with Azure AD.

    The Azure Active Directory (Azure AD) application model specifies restrictions on redirect URIs: they must begin with the https scheme, because the authorization server (Azure AD) sends the token to the redirect URI, so it's important that you register the correct location as part of the app registration process.

    There are some exceptions for localhost redirect URIs, where you can use the http scheme, for example: http://localhost. Similarly, you could also use an IP address or a custom domain such as http://127.0.0.1 or http://test.com/test.

    So to add a redirect URI that uses the http scheme with the 127.0.0.1 loopback address or a custom domain, you must currently modify the replyUrlsWithType attribute in the application manifest from the App registration blade, instead of from the Azure AD portal Enterprise applications SSO page.

    Note: http schemes should be used only during active local application development and testing, hence I would request you to work with your app team to use https based schemes for your web sites, which is more secure than the http scheme.

    To learn more about reply url, refer to this article.

    Hope this helps.

    1 person found this answer helpful.
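As an added example (not part of the answer above and not Microsoft's code), the following Python models the scheme rule that answer describes, namely https always accepted, http accepted only for the loopback hosts localhost and 127.0.0.1, and then appends a checked entry to a manifest's replyUrlsWithType array in the `{"url": ..., "type": "Web"}` shape the manifest editor uses. The manifest fragment, the hostnames and the function names are constructed for illustration; the check is a local pre-flight only and does not replace what the portal itself enforces when you save.

```python
import json
from urllib.parse import urlsplit

# Hosts for which an http redirect URI is tolerated. This encodes the loopback
# exception described in the answer above; it is a model of that rule, not a
# call into Azure AD, so the portal remains the authority on what is accepted.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def redirect_uri_allowed(uri: str) -> bool:
    """Return True if uri satisfies the scheme rule: https anywhere, http only on loopback."""
    parts = urlsplit(uri)
    if not parts.hostname:
        return False                      # no host at all (e.g. "https:///cb") is never valid
    if parts.scheme == "https":
        return True
    if parts.scheme == "http":
        return parts.hostname in LOOPBACK_HOSTS
    return False                          # any other scheme (ftp, file, custom) is rejected here


def add_reply_url(manifest: dict, uri: str, uri_type: str = "Web") -> dict:
    """Return a copy of manifest with uri added to replyUrlsWithType, refusing disallowed URIs.

    The input manifest is not modified, so a failed check leaves nothing half-applied.
    """
    if not redirect_uri_allowed(uri):
        raise ValueError(
            f"refusing to add {uri!r}: http redirect URIs are only accepted for loopback hosts"
        )
    updated = json.loads(json.dumps(manifest))        # cheap deep copy of a JSON-shaped dict
    entries = updated.setdefault("replyUrlsWithType", [])
    if not any(entry.get("url") == uri for entry in entries):   # keep the list free of duplicates
        entries.append({"url": uri, "type": uri_type})
    return updated


# Constructed manifest fragment showing only the attribute this example edits.
# It is not a real application's manifest.
SAMPLE_MANIFEST = {
    "name": "local-dev-app",
    "replyUrlsWithType": [
        {"url": "https://test.com/test", "type": "Web"},
    ],
}


if __name__ == "__main__":
    # Typical candidates from the thread: loopback http passes, a custom http domain does not.
    for candidate in ("http://localhost/test", "http://127.0.0.1:8080/test", "http://test.com/test"):
        verdict = "allowed" if redirect_uri_allowed(candidate) else "rejected"
        print(f"{candidate:<30} {verdict}")

    patched = add_reply_url(SAMPLE_MANIFEST, "http://127.0.0.1:8080/test")
    print(json.dumps(patched["replyUrlsWithType"], indent=2))
```

Run it against the URIs from the thread and http://test.com/test is rejected while the loopback forms pass; paste the printed replyUrlsWithType array into the manifest editor (App registrations, Manifest) rather than the Enterprise applications SSO page, as the answer notes, and keep the http entry only for the duration of local testing.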

  2. Javier García 1 Reputation point
    2022-11-11T08:40:22.817+00:00

    Hello, to clarify, is it possible to use a custom domain with the unsecured http protocol?

    You say we can use an exceptional domain such as "test.com", but I'm trying it and it doesn't work for us; it only allows the localhost rule.

    We want to do a test in our local network by adding a custom domain, e.g. wms.test / test.com, but it forces us to use https; the website is in local development and it is a bit problematic to add https.

    Thanks a lot

