Today, I'm excited to announce the general availability of SAML-based single sign-on (SSO) support for your on-premises apps using Application Proxy. Hundreds of customers have used this integration to connect their custom Line of Business apps with Azure Active Directory (Azure AD) and to integrate popular on-premises applications like Tableau, Qlik, and more.
Connecting all your apps to Azure AD is a critical step in making identity your control plane. In case you missed it, we put together guidance and tools to help you discover your applications and connect them to Azure AD.
Since your on-premises applications use a variety of authentication protocols, we expanded the number of authentication options we support with Azure AD Application Proxy. Connecting your on-premises applications to Azure AD Application Proxy benefits from all the work we've done in Azure AD to secure your applications with Identity Protection, Multi-Factor Authentication (MFA), and Conditional Access.
One of the biggest requests we received over the past several months is to support applications that use SAML to authenticate against Azure AD that are running on-premises or in your private network.
Read on to learn how it works and how to get started right away!
How it works
Using SAML SSO with Azure AD Application Proxy works in two main parts:
- When users visit the external URL published through Application Proxy to access their applications, users are authenticated through Azure AD and the access is analyzed against the security policies you've configured.
- Next Application Proxy takes care of caching the SAML request and response generated to the on-premises application so it can complete the SAML flow.
After configuring SAML SSO with Application Proxy you can take advantage of modern Azure AD security and governance features such as MFA, Conditional Access, Identity Protection, Delegated Application Access, Access Reviews, and many more. Users also have a seamless remote access and SSO experience on any device, anywhere.
If you're new to Application Proxy and want to learn more about its secure remote access benefits and how it can help you extend Azure AD to your on-premises environment, read our whitepaper. You'll learn about how to build a remote access strategy based on identity and how to bring the power of Azure AD to your on-premises applications.
How to get started
You can get started today by visiting the Azure AD portal and create a new application or update an existing Application Proxy app to use SAML for SSO. First, make sure you have Application Proxy enabled and a connector installed in your on-premises environment before setting up your application. To learn more about how to enable Application Proxy see our tutorial.
Starting with a new application
If you're starting with a new application, we recommend that you:
- First create a new non-gallery Then configure SAML-based SSO to work within your corporate network. This simplifies setup by validating your application is working correctly with SAML before enabling Application Proxy for remote access. For full details on how to setup SAML-based SSO follow our documentation.
- Next configure Application Proxy so users can access the application outside the corporate network. In the Application Proxy configuration, provide the Internal URL of the application, which in this case is: https://contosotravel.com. An External URL is created that your users can use to access the application remotely. In the example below we use the default domain provided, https://contosotravel-f128.msappproxy.net. You can also use a custom domain for a more robust and user friendly experience.
- Finally complete the SAML configuration by updating the Reply URL so it's accessible via Application Proxy. For example, if the original Reply URLwas https://contosotravel.com/acs, you'll need to update the Reply URL to https://contosotravel-f128.msappproxy.net/acs, which is a sub path of the External URL from the Application Proxy configuration.
Updating an existing application
If you're updating an existing application already published through Application Proxy, follow the steps to configure SAML-based SSO outlined in SAML-based single sign-on. Next, make sure that your Reply URL configuration corresponds to the Application Proxy External URL or is a sub path of it.
Tell us what you think
As always, we'd love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.
Alex Simons (@Alex_A_Simons )
Corporate VP of Program Management
Microsoft Identity Division