AAD App Proxy with Claims Aware Apps

    Question

  • I have an internal app that's using ADFS (SAML) on Windows Server 2012 R2 to handle SSO.  The app server is currently only available internally, but I'd like to try to expose it externally via Azure AD App Proxy.  I read the below article and it seems pretty light on details and I haven't seen too much other information regarding proxying ADFS-enabled applications through AAD:

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-claims-aware-apps

    My relying party currently utilizes the SAML protocol and not WS-Fed protocol for sign-in.  After adding the WS-Fed endpoint to my RP configuration for the app, it continues to redirect to the SAML Assertion Consumer Endpoint, which still targets an internal non-proxied URL.  Am I missing something here?  Does the relying party have to be configured only to support WS-Fed and not SAML as well?  Do I have to reconfigure the app to use WS-Fed instead of SAML?

    Monday, May 01, 2017 2:33 PM

Answers

  • You can continue using SAML without changing the application if you are able to use custom domains to ensure that your internal and external URLs for the application are the same. If the two URLs cannot be the same, unfortunately the application would need to be reconfigured for WS-Fed instead of SAML (without custom domains this flow will only work if it is entirely using WS-Fed). The App Proxy story may break if the app continues to look for SAML since some of the redirects will not work correctly in that case.
    • Marked as answer by rdoram Wednesday, May 10, 2017 1:41 PM
    Wednesday, May 10, 2017 12:43 PM
    Moderator
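The answer above boils down to one condition: every SAML AssertionConsumerService Location the relying party publishes must live on the same origin as the URL App Proxy exposes, otherwise the IdP posts the assertion back to an internal hostname the browser cannot reach. The following Python snippet is an added example (not from the original thread or from Microsoft's documentation) that reads SP metadata and flags any ACS endpoint whose scheme or host differs from the published external URL; the metadata, hostnames and URLs are constructed placeholders.

```python
"""Check SAML ACS endpoints in SP metadata against an App Proxy external URL."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

SAML_MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata: the ACS still points at the internal hostname,
# which is the situation described in the question.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.corp.local/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.corp.local/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_locations(metadata_xml: str) -> list:
    """Return every AssertionConsumerService Location declared in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [el.get("Location")
            for el in root.iterfind(".//md:AssertionConsumerService", SAML_MD_NS)]


def check_acs_against_external(metadata_xml: str, external_url: str) -> list:
    """Compare each ACS origin (scheme + host[:port]) with the App Proxy external URL.

    A mismatch means the IdP will POST the assertion to a host the external
    browser cannot resolve, so the SSO flow breaks unless a custom domain makes
    the internal and external URLs identical.
    """
    ext = urlparse(external_url)
    findings = []
    for loc in acs_locations(metadata_xml):
        acs = urlparse(loc)
        same_origin = (acs.scheme.lower(), acs.netloc.lower()) == \
                      (ext.scheme.lower(), ext.netloc.lower())
        findings.append({"acs": loc, "matches_external": same_origin})
    return findings


if __name__ == "__main__":
    # Default App Proxy external URL (placeholder) vs. a custom domain that equals the internal one.
    for ext_url in ("https://app-contoso.msappproxy.net/", "https://app.corp.local/"):
        for f in check_acs_against_external(SAMPLE_SP_METADATA, ext_url):
            status = "OK" if f["matches_external"] else "MISMATCH"
            print(f"{ext_url} -> {f['acs']}: {status}")
```

Run against the metadata your relying party actually publishes; any `MISMATCH` line is an endpoint that needs a matching custom domain or a move to WS-Fed, as the answer states.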

All replies

  • Thanks for the reply.  It would be helpful to elaborate on this in the documentation for claims-aware apps that I initially referenced, as the current version is somewhat vague.  That is kind of what I was leaning towards anyways, so thanks for confirming.
    Wednesday, May 10, 2017 1:41 PM