Multiple SSO Application Setup with a Client with a Single Entity ID

Question

Multiple SSO Application Setup with a Client with a Single Entity ID

SecurityGeek 1

We have a client using Azure as there SSO provider. My organization currently uses Ping Federate as our SSO provider. We own multiple internal applications which are SSO enabled.

We currently have a single connection setup on our end and a enterprise application on the client which is working properly. They are using SP-initiated flow to login to our application with no issues.

We are now migrating another one of our applications from the clients previous sso provider to Azure SSO. on our end we normally just add the additional Application Adapter to the existing connection. We are now running into an issue because we only have a single Entity ID and ACS. Is there a way for them to configure the existing connection to also include this additional application with the same entity ID and ACS.

I have seen cases were organizations use Rely state or Redirect URI. I'm not sure how that would be configured. I know this is possible because we have other more mature clients which have implemented this with no issue using Azure SSO.

Application one:

EntityID: SAML2:https://auth.organziation.com:443

ACS: https://auth.organziation.com/sp/ACS.saml2

Application url: https://application1.organziation.com

Application two:

EntityID: SAML2:https://auth.organziation.com:443

ACS: https://auth.organziation.com/sp/ACS.saml2

Application url: https://application2.organziation.com

I can provide more information as it's requested.

Shweta Mathur 30,426 Reputation points Microsoft Employee Moderator

2022-05-31T12:55:59.573+00:00

Hi @SecurityGeek ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Shweta
SecurityGeek 1 Reputation point

2022-05-31T13:52:50.59+00:00

Hey Shweta,

Unfortunately, that answer did not provide enough detail I'm still unsure where these changes need to be added within the Azure enterprise application configuration in order to get this to work.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,536 Reputation points Moderator

2022-06-03T18:22:25.917+00:00

Hello @SecurityGeek , apologies for missing your last comment. I'm extending my answer with more information.

1 answer

Your answer

Shweta Mathur 30,426 Reputation points Microsoft Employee Moderator

2022-05-31T12:55:59.573+00:00

Hi @SecurityGeek ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Shweta
SecurityGeek 1 Reputation point

2022-05-31T13:52:50.59+00:00

Hey Shweta,

Unfortunately, that answer did not provide enough detail I'm still unsure where these changes need to be added within the Azure enterprise application configuration in order to get this to work.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,536 Reputation points Moderator

2022-06-03T18:22:25.917+00:00

Hello @SecurityGeek , apologies for missing your last comment. I'm extending my answer with more information.

Answer 1

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,536 Moderator

Hello @SecurityGeek , as you mentioned you can set RelayState parameter during each SAML SP initiated request (Eg. <https://samltoolkit.azurewebsites.net/saml?SAMLRequest=<URL ENCODED SAML REQUEST>&RelayState=<URL ENCODED STATE VALUE> ). The exact value will be returned in the POST body (as the RelayState form value) so that your application (The SP), not Azure AD (the IdP), can redirect the user.

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

SecurityGeek 1 Reputation point

2022-05-17T22:09:15.473+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

Thanks for the response so if it's a matter of just stating for each application there relay state, where are those changes made?

Does Azure SSO have the ability to hold more then one Relay state at a time? for example in the clients current configuration would just amend the second URL?

Like in the attached image under Relay State (Optional) there is already an existing URL for the first application. Do they just need to do as followed?

Relay State (Optional): https://application1.organziation.com, https://application2.organziation.com

Should Azure then be able to redirect the user correctly depending on which application was visited during the SP initiated login and after the successful authentication?
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,536 Reputation points Moderator

2022-06-03T18:24:28.917+00:00

Hello @SecurityGeek , in an SP initiated scenario, the relay state is set per/during request so that it comes back with the auth response and can be used by the SP, not Azure AD, to initiate a redirect.

Share via

Multiple SSO Application Setup with a Client with a Single Entity ID

1 answer

Your answer