Azure AD SAML SSO multiple Identifiers and ReplyURLs support

I have seen some scenarios where the administrators wanted the single Azure AD Application to support multiple Identifiers (Issuers/Entity IDs) and Reply URLs.

Azure AD Enterprise Applications Single sign-on blade allows administrators to achieve this goal.

As you can see in the screenshot, you can add multiple Identifiers and Reply URLs in the Basic SAML Configuration for the application.

(Screenshot: AAD multiple Identifier ReplyURL)

For the application to use multiple values in the Identifiers and Reply URLs settings, the sign-in should follow the SP-initiated flow.

To better understand the difference between SP-initiated and IdP-initiated sign-in, read this thread.

The important thing is that the application should specify the “AssertionConsumerServiceUrl” in the SAML Request sent to Azure AD, along with one of the Identifiers (Issuer value) configured in the SAML SSO settings for the app. If the “AssertionConsumerServiceUrl” parameter is omitted from the request, the SAML Response will be sent to the first Reply URL.

You might also have noticed the Default check box next to the Identifier and Reply URL settings. This setting is used for the IdP-initiated flow: the default Identifier and Reply URL will be returned to the app in the IdP-initiated sign-in flow.
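To make the selection rules above concrete, here is an added Python example (not code from the original post or from Microsoft). It builds the SP-initiated AuthnRequest with the Issuer and the optional AssertionConsumerServiceURL attribute (the SAML 2.0 spelling of the parameter the post calls “AssertionConsumerServiceUrl”), and models how the Reply URL and Identifier are picked: the ACS URL from the request when present and configured, the first Reply URL when it is omitted, and the Default entries when there is no request at all (IdP-initiated). The app configuration, the SP URLs and the tenant placeholder in the endpoint are constructed for the example; the rejection of an unconfigured Issuer or ACS URL is the check a defender wants, not a statement of Azure AD's exact error handling.

```python
"""Model of how an SP-initiated SAML AuthnRequest selects the Identifier and
Reply URL when an Azure AD app has several configured.
Illustrative example only; this is not Azure AD's own logic."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed example of an app's Basic SAML Configuration: ordered lists of
# Identifiers and Reply URLs, plus the entries ticked as Default (used for the
# IdP-initiated flow). The hostnames are made up for this example.
APP_CONFIG = {
    "identifiers": ["https://sp1.example.com", "https://sp2.example.com"],
    "reply_urls": ["https://sp1.example.com/saml/acs",
                   "https://sp2.example.com/saml/acs"],
    "default_identifier": "https://sp1.example.com",
    "default_reply_url": "https://sp1.example.com/saml/acs",
}

# <tenant-id> is a placeholder; the real SAML endpoint carries the tenant ID.
IDP_SSO_URL = "https://login.microsoftonline.com/<tenant-id>/saml2"


def build_authn_request(issuer, acs_url=None):
    """Build the SP-initiated AuthnRequest.

    Issuer carries one of the app's configured Identifiers. The optional
    AssertionConsumerServiceURL attribute names the Reply URL the SAML
    Response should be posted to; omit it to see the fallback behaviour."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if acs_url is not None:
        req.set("AssertionConsumerServiceURL", acs_url)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def resolve_endpoints(config, authn_request_xml=None):
    """Return (identifier, reply_url) for the response, following the post:

    - no request (IdP-initiated)          -> the entries marked Default
    - request with ACS URL, configured    -> that Reply URL
    - request without ACS URL             -> the first configured Reply URL

    An Issuer or ACS URL that is not in the configuration is rejected rather
    than guessed; an IdP must never post an assertion to an unregistered URL."""
    if authn_request_xml is None:
        return config["default_identifier"], config["default_reply_url"]

    root = ET.fromstring(authn_request_xml)
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if issuer not in config["identifiers"]:
        raise ValueError(f"Issuer {issuer!r} is not a configured Identifier")

    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        return issuer, config["reply_urls"][0]
    if acs not in config["reply_urls"]:
        raise ValueError(f"AssertionConsumerServiceURL {acs!r} is not a configured Reply URL")
    return issuer, acs


if __name__ == "__main__":
    # SP2 asks for its own ACS URL explicitly: the response goes to SP2.
    req = build_authn_request("https://sp2.example.com",
                              "https://sp2.example.com/saml/acs")
    print(resolve_endpoints(APP_CONFIG, req))
    # SP2 omits the ACS URL: the response falls back to the first Reply URL (SP1's).
    print(resolve_endpoints(APP_CONFIG, build_authn_request("https://sp2.example.com")))
    # IdP-initiated: the Default entries are used.
    print(resolve_endpoints(APP_CONFIG))
```

The second call in the `__main__` block is the case to watch for in a multi-instance setup: an SP that sends its Issuer but not its ACS URL will have its users' assertions posted to whichever Reply URL happens to be listed first, which is why the post insists the request must carry both values.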

(Screenshot: AAD default ReplyURL IdP)

If your application does not support sending different Identifiers and Reply URLs in the request to Azure AD, you have to set up a separate Application for each new instance of the SP, as described in the Cisco AnyConnect Azure AD SSO setup documentation.
