Azure AD Application Proxy now supports SAML-based applications!

Howdy Folks,

Today, I'm excited to announce the general availability of SAML-based single sign-on (SSO) support for your on-premises apps using Application Proxy. Hundreds of customers have used this integration to connect their custom Line of Business apps with Azure Active Directory (Azure AD) and to integrate popular on-premises applications like Tableau, Qlik, and more.

Connecting all your apps to Azure AD is a critical step in making identity your control plane. In case you missed it, we put together guidance and tools to help you discover your applications and connect them to Azure AD.

Since your on-premises applications use a variety of protocols, we expanded the number of options we support with Azure AD Application Proxy. Connecting your on-premises applications to Azure AD Application Proxy benefits from all the work we've done in Azure AD to secure your applications with Identity Protection, Multi-Factor Authentication (MFA), and Conditional Access.

One of the biggest requests we received over the past several months is to support applications that use SAML to authenticate against Azure AD that are running on-premises or in your private .

Read on to learn how it works and get started right away!

How it works

Using SAML SSO with Azure AD Application Proxy works in two main parts: 

  1. When users visit the external URL published through Application Proxy to access their applications, they are authenticated through Azure AD and the access is evaluated against the security policies you've configured.
  2. Next, Application Proxy caches the SAML request and response and passes them through to the on-premises application so it can complete the SAML flow.

After configuring SAML SSO with Application Proxy you can take advantage of modern Azure AD security and governance features such as MFA, Conditional Access, Identity Protection, Delegated Application Access, Access Reviews, and many more. Users also have a seamless remote access and SSO experience on any device, anywhere.

If you're new to Application Proxy and want to learn more about its secure remote access benefits and how it can help you extend Azure AD to your on-premises environment, read our whitepaper. You'll learn how to build a remote access strategy based on identity and bring the power of Azure AD to your on-premises applications.

How to get started

You can get started today by visiting the Azure AD portal and creating a new application or updating an existing Application Proxy app to use SAML for SSO. First, make sure you have Application Proxy enabled and a connector installed in your on-premises environment before setting up your application. To learn more about how to enable Application Proxy, see our tutorial.

Starting with a new application

If you're starting with a new application, we recommend that you:

  1. First, create a new non-gallery application. Then configure SAML-based SSO to work within your corporate network. This simplifies setup by validating that your application is working correctly with SAML before enabling Application Proxy for remote access. For full details on how to set up SAML-based SSO, follow our documentation.
  2. Next, configure Application Proxy so users can access the application outside the corporate network. In the Application Proxy configuration, provide the Internal URL of the application, which in this case is: An External URL is created that your users can use to access the application remotely. In the example below we use the default domain provided. You can also use a custom domain for a more robust and user-friendly experience.
  3. Finally, complete the SAML configuration by updating the Reply URL so it's accessible via Application Proxy. For example, if the original Reply URL was , you'll need to update the Reply URL to , which is a sub-path of the External URL from the Application Proxy configuration.

Updating an existing application

If you're updating an existing application already published through Application Proxy, follow the steps to configure SAML-based SSO outlined in SAML-based single sign-on. Next, make sure that your Reply URL configuration corresponds to the Application Proxy External URL or is a sub-path of it.
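The Reply URL rule in step 3 above and in the paragraph just before this (the Reply URL must equal the Application Proxy External URL or be a sub-path of it) is easy to get subtly wrong, so here is an added Python helper, not code from the original post or from Microsoft, that rewrites an internal Reply URL to its Application Proxy equivalent and checks the result on a strict origin-and-path-boundary basis. The internal and external URLs are constructed sample values, not from the post.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values (hypothetical, not from the original post): an
# on-premises app reachable internally and published through Application Proxy.
INTERNAL_URL = "https://expense.corp.contoso.local/"
EXTERNAL_URL = "https://expense-contoso.msappproxy.net/"


def _normalize(url: str):
    """Split a URL into (scheme, host, port, path) with scheme defaults applied."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, host, port, parts.path or "/"


def reply_url_is_under(reply_url: str, external_url: str) -> bool:
    """True if reply_url equals external_url or is a sub-path of it.

    The origin (scheme, host, port) must match exactly, so a lookalike host such as
    'https://host.evil.example' is rejected, and the path must match on a segment
    boundary, so '/app' does not accept '/application'.
    """
    r_scheme, r_host, r_port, r_path = _normalize(reply_url)
    e_scheme, e_host, e_port, e_path = _normalize(external_url)
    if (r_scheme, r_host, r_port) != (e_scheme, e_host, e_port):
        return False
    base = e_path.rstrip("/") + "/"
    return r_path == e_path.rstrip("/") or r_path == base or r_path.startswith(base)


def rewrite_reply_url(original_reply_url: str, internal_url: str, external_url: str) -> str:
    """Map a Reply URL under the Internal URL to the same sub-path under the External URL.

    Raises ValueError when the original Reply URL is not under the Internal URL,
    because then there is no well-defined External URL equivalent.
    """
    if not reply_url_is_under(original_reply_url, internal_url):
        raise ValueError("Reply URL is not under the Internal URL: " + original_reply_url)
    internal_base = _normalize(internal_url)[3].rstrip("/")
    original = urlsplit(original_reply_url)
    suffix = original.path[len(internal_base):]  # path relative to the internal base
    ext = urlsplit(external_url)
    new_path = ext.path.rstrip("/") + suffix
    return urlunsplit((ext.scheme, ext.netloc, new_path or "/", original.query, ""))


if __name__ == "__main__":
    updated = rewrite_reply_url(INTERNAL_URL + "saml/acs", INTERNAL_URL, EXTERNAL_URL)
    print(updated, reply_url_is_under(updated, EXTERNAL_URL))
```

Run the module directly to see the rewritten Reply URL and the boolean result of checking it against the External URL.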

For a full step-by-step guide on how to configure SAML-based SSO for your on-premises applications using Azure AD Application Proxy, see our complete documentation.

Tell us what you think

As always, we'd love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

Best regards, 

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.