Working with claims-aware apps in Application Proxy
Claims-aware apps perform a redirection to the Security Token Service (STS). The STS requests credentials from the user in exchange for a token and then redirects the user to the application. There are a few ways to enable Application Proxy to work with these redirects. Use this article to configure your deployment for claims-aware apps.
Prerequisites
Make sure that the STS that the claims-aware app redirects to is available outside of your on-premises network. You can make the STS available by exposing it through a proxy or by allowing outside connections.
Publish your application
- Publish your application according to the instructions described in Publish applications with Application Proxy.
- Navigate to the application page in the portal and select Single sign-on.
- If you chose Azure Active Directory as your Preauthentication Method, select Azure AD single sign-on disabled as your Internal Authentication Method. If you chose Passthrough as your Preauthentication Method, you don't need to change anything.
Configure ADFS
You can configure ADFS for claims-aware apps in one of two ways. The first is by using custom domains. The second is with WS-Federation.
Option 1: Custom domains
If all the internal URLs for your applications are fully qualified domain names (FQDNs), then you can configure custom domains for your applications. Use the custom domains to create external URLs that are the same as the internal URLs. When your external URLs match your internal URLs, then the STS redirections work whether your users are on-premises or remote.
Option 2: WS-Federation
- Open ADFS Management.
- Go to Relying Party Trusts, right-click on the app you are publishing with Application Proxy, and choose Properties.
- On the Endpoints tab, under Endpoint type, select WS-Federation.
- Under Trusted URL, enter the URL you entered in the Application Proxy under External URL and click OK.
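The same Option 2 change, applied with the ADFS PowerShell cmdlets instead of the ADFS Management console, as an added example that is not part of the original article. It assumes you run it on an ADFS server, and the relying party name "Contoso Claims App" and the msappproxy.net URL are placeholders for your own trust name and Application Proxy External URL.

```powershell
# Added example: set the WS-Federation endpoint (the "Trusted URL" in the
# console) of an ADFS relying party trust to the Application Proxy external
# URL, then read it back to confirm the change applied.
# Assumes the ADFS module is available; the trust name and URL below are
# placeholders, not values from the article.
Import-Module ADFS

function Set-AppProxyWsFedEndpoint {
    param(
        [Parameter(Mandatory)][string]$RelyingPartyName,
        [Parameter(Mandatory)][uri]$ExternalUrl
    )

    # Application Proxy external URLs are HTTPS; refuse anything else so the
    # STS never posts a token back to a cleartext endpoint.
    if ($ExternalUrl.Scheme -ne 'https') {
        throw "External URL must use https, got $($ExternalUrl.AbsoluteUri)"
    }

    $trust = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $trust) {
        throw "Relying party trust '$RelyingPartyName' not found"
    }

    # Only touch the trust when the configured endpoint differs from the
    # Application Proxy external URL.
    if ($trust.WSFedEndpoint -and
        $trust.WSFedEndpoint.AbsoluteUri -eq $ExternalUrl.AbsoluteUri) {
        Write-Host "WS-Federation endpoint already set to $($ExternalUrl.AbsoluteUri)"
        return
    }

    Write-Host "Changing WS-Federation endpoint from '$($trust.WSFedEndpoint)' to '$($ExternalUrl.AbsoluteUri)'"
    Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -WSFedEndpoint $ExternalUrl

    # Verify rather than assume: re-read the trust and compare.
    $after = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if ($after.WSFedEndpoint.AbsoluteUri -ne $ExternalUrl.AbsoluteUri) {
        throw "Endpoint update did not apply for '$RelyingPartyName'"
    }
    Write-Host "WS-Federation endpoint for '$RelyingPartyName' is now $($after.WSFedEndpoint.AbsoluteUri)"
}

# Placeholder values: replace with your relying party name and External URL.
Set-AppProxyWsFedEndpoint -RelyingPartyName 'Contoso Claims App' `
    -ExternalUrl 'https://claimsapp-contoso.msappproxy.net/'
```

Because ADFS posts the token to whatever URL this endpoint holds, the value must be exactly the External URL shown on the Application Proxy page, including the trailing slash; a mismatch sends remote users' sign-ins to a URL that is not reachable through the proxy.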