Cannot Host Multiple Apps with PingAccess for Azure AD?

  • Question

  • I am trying to use header-based authentication for single sign-on with Azure AD Application Proxy and PingAccess. I am following the following documentation here.

    I want to host two applications behind the same PingAccess server. Diagram here: https://i.imgur.com/ZhILBWq.png

    Microsoft documentation states the following:

    Internal URL: Normally you provide the URL that takes you to the app’s sign-in page when you’re on the corporate network. For this scenario, the connector needs to treat the PingAccess proxy as the front page of the application. Use this format: https://<host name of your PingAccess server>:<port>. The port is 3000 by default, but you can configure it in PingAccess.

    When hosting two applications behind the same PingAccess instance, the Azure AD Application Proxy connector needs to treat the host name of the PingAccess server as the Internal URL for both applications. However, this does not seem to be possible, as trying to configure the same Internal URL on two applications in Azure AD leads to the error "Internal url entered is already being used by another application". Screenshot here.

    Simply entering two different DNS records for the same PingAccess server does not seem to work, as:

    • The application configured with the Internal URL that matches the hostname of the PingAccess server works, but
    • The application configured with an alternate Internal URL, that still points to the PingAccess server in DNS, but does not match the hostname of the PingAccess server, does not work, producing the error "Forbidden: This corporate app cannot be accessed. You are not authorized to access this application". Screenshot here.

    Note that the configuration of Users and Groups, and the configuration of whether user assignment is required to access an application, are identical between both apps.

    There must be a way to host multiple applications with Azure AD Application Proxy and PingAccess. How can this be done?


    Thursday, November 7, 2019 11:31 PM

All replies

  • I'm looking into this on my end but I think it may be a better question for the PingAccess team since it's less related to Azure AD itself.

    https://support.pingidentity.com/s/community-home


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Friday, November 8, 2019 11:45 PM
    Moderator
  • Hi Marilee, thank you so much for your response. I’m inclined to disagree: this does look like an Azure AD issue based on the fact that the “Forbidden” error message is coming from Azure AD (and not from PingAccess). Also, the obvious documentation gap in how to host multiple applications with PingAccess even though Azure AD only allows unique internal URLs per app is also an Azure AD issue.
    Monday, November 11, 2019 3:15 PM