Support for more apps with Azure AD Application Proxy

Microsoft

Mar 12, 2019

Howdy folks,

Today, I have the privilege to tell you about the public preview of two new features for Azure AD Application Proxy that make it even easier to provide secure remote access to on-premises applications:

Support for SAML single sign-on (SSO)
Support for finer grained management of application cookies

SAML SSO support

The public preview for SAML SSO support with Application Proxy is now available.

Whether you already have an on-premises SAML application that's ready to publish or are looking to modernize your application’s authentication protocol, you now have an easy way to provide external access and SSO to your application.

Setting up SAML SSO with your on-premises application uses the same standard pattern as setting up SAML SSO for your cloud applications. The application must be using SAML authentication with Azure AD as the identity provider. You can also use this with the recently released preview for SAML token encryption. To learn more about configuring SAML SSO with Application Proxy see our documentation.

Application cookie settings

To help meet your security and compliance requirements, the following settings for Application Proxy access and session cookies are now available:

Use HTTP-Only Cookie—Protects cookies against actions like copying or modifying the cookies from client-side scripting.
Use Secure Cookie—Ensures cookies are only transmitted over TLS secure channels to prevent cookies from being observed by unauthorized parties.
Use Persistent Cookie—Sets the access cookie to not expire when the web browser is closed and persists for the lifetime of the access token.

For full details and recommendations about these cookie settings, see Cookie settings for accessing on-premises applications in Azure AD.

As always, we'd love to receive any suggestions or feedback you have, so please comment below or on the Azure AD feedback forum.

Best Regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

Updated Jul 24, 2020

Version 12.0

Product Announcements

Alex Simons (AZURE)

Microsoft

Joined May 01, 2017

View Profile

Microsoft Entra Blog

Stay informed on how to secure access for workforce, customer, and workload identities, from anywhere, to multicloud and on-premises resources, with comprehensive identity and network access solutions.

Ramesh_T
Copper Contributor
Apr 21, 2023
Hello All,

This is a generic question.
We have two Azure AD application Proxy connector used for accessing Intranet web apps.

Is there way to Check in the app proxy server which connector the traffic is going.
jasminebetthauser
Microsoft
Apr 15, 2019
Hi hodachalliv,

We would be happy to help you here. We just need a little more information. Can email us at aadapfeedback@microsoft.com what the proxy URL is?

Thanks,

Jasmine
hodachalliv
Copper Contributor
Apr 10, 2019
I deleted the application that was generated as part of the Add your own on-premises application(app proxy). The proxy url is still functional. How do I delete it completely. I see links topowershell command https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureadapplicationproxyapplication?view=azureadps-2.0
As the app is deleted I no longer have the objectid or applicationid.
jasminebetthauser
Microsoft
Apr 08, 2019
Hi Kalyan,

You can enable single sign-on to your applications using Integrated Windows Authentication (IWA) by giving Application Proxy connectors permission in Active Directory to impersonate users. Kerberos constrained delegation is used so that the connectors have the permission to send and receive tokens on their behalf. You can find out more details in our documentation here.

Thanks!

Jasmine
kalyanms1
Copper Contributor
Apr 06, 2019
Hi Alex,

Thanks for the information.

Can application proxy be used to impersonate AZURE AD user to Windows User ?
Example: User logs into app service hosted in AZURE using AZURE AD authentication credentials . User then try to access an SSRS report hosted in AZURE VM.
is sso and impersonation possible? do we need to install appservice connector on VM in azure?

i appreciate your response.

thanks
regards
Kalyan
jasminebetthauser
Microsoft
Mar 18, 2019
Hi Cyphel,

The persistent cookie flag only ensures that the session cookies don't expire when the browser session is closed. If you are looking for more information around RDS scenarios see our documentation here.
Cyphel
Copper Contributor
Mar 16, 2019
Will the persistent cookie allow for rdcb to be proxied via app proxy?

Blog Post

Support for more apps with Azure AD Application Proxy

SAML SSO support

Application cookie settings

Share