External IdP SAML Authentication redirect to ADFS

D-3327 1 Reputation point
2022-08-16T16:49:52.777+00:00

I have successfully set up an External SAML/WS-Fed identity provider to use saml. The login urls point to login.clientx.com, but when guest clients try authenticate (say into apps.powerbi.com) they are redirected to an adfs.client.com url. I'm not sure if this is on our side or the client side. Is there a way on our side to force the login to login.clientx.com? I was under the impression that once the external identity was set up with the correct urls, metadata and cert, that it would work but it seems I'm missing something?
?
Does this mean the client does have some sort of Azure presence that is redirecting the associated url with login ie. (@clientx.com)? Is there a way to force it to use the login.clientx.com url instead of redirecting?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,299 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Sandeep G-MSFT 14,071 Reputation points Microsoft Employee
    2022-08-22T14:42:07.927+00:00

    @D-3327

    Thank you for posting your question in Microsoft Q&A

    Usually, for all guest user's authentication always happens in user's home tenant. Say for example, if user belongs to contoso.com domain which is verified in another tenant, and also let's say contoso.com domain is federated with ADFS.

    If user@Company portal .com tries to access any application which is configured in Fabrikam.com tenant, then authentication for user@Company portal .com will happen in contoso.com tenant only. And since contoso.com domain is federated with ADFS, Azure AD will send the request to ADFS for authentication.
    Post authentication token will be given back to tenant where application is configured.

    In your scenario, this redirection is happening to ADFS because guest user is configured to authenticate with ADFS. There is no other workaround for this and this is by design.

    Let me know if you have any further questions on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments