tsugumigoto-5281 asked amanpreetsingh-msft commented

Is it possible to use the same IdP for multiple domains?

The following URL is used to verify the SAML federation settings.
https://docs.microsoft.com/ja-jp/azure/active-directory/hybrid/how-to-connect-fed-saml-idp

We have a requirement to use multiple domains in one organization. Does anyone know how to configure the settings to use the same IdP for multiple domains (e.g. example.ac.jp and example.jp)?

The domain is created as a custom domain in AzureAD.

Currently, SAML integration is working well for a single domain. However, when I tried to set the same IssuerUri for different domains with the Set-MsolDomainAuthentication command, I got an error.

The IdP is Keycloak.

azure-ad-saml-sso

1 Answer

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @tsugumigoto-5281 • Thank you for reaching out.

I understand that you want to federate the same SAML IDP to your Azure AD tenant with support for multiple domains.

If you are using ADFS as the IDP, you can use the below cmdlets:

  1. Convert-MsolDomainToFederated -DomainName example.jp -supportMultipleDomain

  2. Convert-MsolDomainToFederated -DomainName example.ac.jp -supportMultipleDomain

The -supportMultipleDomain switch creates the below claim rule in ADFS to support multiple domains with the same IssuerID:

 c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));

If you are using a 3rd party SAML IDP and not ADFS, you are required to use the Set-MsolDomainAuthentication cmdlet, which doesn't include the -supportMultipleDomain switch. So, in that case, you need to check with the IDP vendor if something similar to the above ADFS claim rule can be created manually or another IssuerID needs to be created.

Please refer to This Link, which is about the same requirement in 3rd party IDP (shibboleth).


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Thank you for your answer.

I would like to use Keycloak as IDP.
Do you know of any case studies?


@tsugumigoto-5281 • Unfortunately, I couldn't find any such case studies for Keycloak. I would suggest you check with the Keycloak vendor as they might have guidelines/instructions for this scenario that are not published publicly.

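The following is an added example, not part of the original question or answer and not vendor-published code, showing the "another IssuerID" route the answer describes for a third-party SAML IdP: because Set-MsolDomainAuthentication has no -supportMultipleDomain switch, each custom domain is federated with its own IssuerUri, and the IdP must present that distinct issuer per domain. The IdP hostname (idp.example.jp), the realm names, the URL layout (one Keycloak realm per domain under /realms/, which yields a different SAML issuer for each) and the certificate file paths are assumptions for illustration; the endpoint paths must be taken from the actual IdP metadata.

```powershell
# Added example (not from the original post). Federate two custom domains with
# one third-party SAML IdP via the MSOnline module, giving each domain its own
# IssuerUri. Reusing a single IssuerUri for a second domain is what produces the
# error mentioned in the question.
Import-Module MSOnline
Connect-MsolService

# Assumed: the IdP exposes a distinct SAML issuer per domain (here modelled as
# one Keycloak realm per domain). Hostname, realm names and certificate paths
# are placeholders.
$idpHost = 'idp.example.jp'
$federations = @(
    @{ Domain = 'example.jp';    Realm = 'example-jp';    Cert = '.\example-jp-signing.cer'    },
    @{ Domain = 'example.ac.jp'; Realm = 'example-ac-jp'; Cert = '.\example-ac-jp-signing.cer' }
)

foreach ($f in $federations) {
    # Both domains must already be verified custom domains in the tenant.
    $domain = Get-MsolDomain -DomainName $f.Domain
    if ($domain.Status -ne 'Verified') {
        throw "Domain $($f.Domain) is not verified; federation cannot be configured."
    }

    # Issuer/entity ID of the assumed per-domain realm; this value must match
    # the Issuer the IdP actually emits in its assertions for this domain.
    $base = "https://$idpHost/realms/$($f.Realm)"

    # Set-MsolDomainAuthentication expects the base64 DER of the IdP signing
    # certificate; X509Certificate2 accepts both DER and PEM files.
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($f.Cert)
    $cert = [Convert]::ToBase64String($x509.RawData)

    $params = @{
        DomainName                      = $f.Domain
        Authentication                  = 'Federated'
        IssuerUri                       = $base                  # unique per domain
        FederationBrandName             = $f.Domain
        PassiveLogOnUri                 = "$base/protocol/saml"  # assumed endpoint paths
        ActiveLogOnUri                  = "$base/protocol/saml"
        LogOffUri                       = "$base/protocol/saml"
        SigningCertificate              = $cert
        PreferredAuthenticationProtocol = 'Samlp'
    }
    Set-MsolDomainAuthentication @params
}

# Check: every federated domain must report a different IssuerUri.
$settings = foreach ($f in $federations) {
    Get-MsolDomainFederationSettings -DomainName $f.Domain |
        Select-Object @{ n = 'Domain'; e = { $f.Domain } }, IssuerUri, PassiveLogOnUri
}
$settings | Format-Table -AutoSize
$duplicates = $settings | Group-Object IssuerUri | Where-Object { $_.Count -gt 1 }
if ($duplicates) {
    throw "IssuerUri is shared between domains: $($duplicates.Name -join ', ')"
}
```

The IdP-side requirement is the mirror image of the ADFS claim rule quoted in the answer: whatever the IdP sends as the SAML Issuer for users of example.jp must equal the IssuerUri registered for example.jp, and likewise for example.ac.jp. If the IdP can only present one issuer value for all users, a second issuer (here modelled as a second realm) is needed, which is the "another IssuerID needs to be created" case.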