Using Azure AD Domain Hint for SAML Apps


(Pratyusha Vemuri) #1

Using Azure AD Domain Hint for SAML Apps : An Azure AD How-To Guide
Desired Outcome
For SP-initiated SAML Single Sign On, the application should not show the Azure AD login page for the user's home realm discovery. The user should be redirected directly to the ADFS page for authentication.
If the user is on a domain-joined computer with their organization user ID and password, then after hitting the SP-initiated SSO URL they should be logged into the application directly. They should get the true SSO experience.

Pre-requisites
The customer is using a hybrid identity infrastructure, that is, Azure AD with ADFS and federation set up.
The application should support SAML Single Sign On in SP-initiated mode.
The application should be configured in Azure AD for Single Sign On using a gallery app or a BYOA app.

Steps to implement
In the application's Single Sign On configuration, append the domain hint query string parameter to the Azure AD login page URL. The URL should look like this.
Example:
https://login.windows.net/4f7437a6-3d76-4122-a907-624d965ba139/saml2?whr=contoso.com
*You will get the SAML Single Sign On URL from the Azure AD application configuration wizard. Append the query string parameter to it, then configure the resulting URL in the SaaS application.

Consideration
1. The application is correctly configured for Single Sign On with Azure AD.
2. The application has the ability to set the query string parameter in the login URL.
3. All users of the application are able to authenticate at the ADFS server.
4. If users access the application from outside the network, then the ADFS server must be public-facing and reachable for authentication.
5. No external or guest users are using this application for Single Sign On.
6. If the application only supports Federation Metadata import, then you might have to add the query string parameter in the Federation Metadata XML file first and then import it.