Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Azure AD Application Proxy support for SAML based Apps is GA!
Published Jul 23 2019 09:00 AM 31.6K Views

Howdy Folks,

 

Today, I'm excited to announce the general availability of SAML-based single sign-on (SSO) support for your on-premises apps using Application Proxy. Hundreds of customers have used this integration to connect their custom Line of Business apps with Azure Active Directory (Azure AD) and to integrate popular on-premises applications like Tableau, Qlik, and more.

Connecting all your apps to Azure AD is a critical step in making identity your control plane. In case you missed it, we put together guidance and tools to help you discover your applications and connect them to Azure AD.

 

Since your on-premises applications use a variety of authentication protocols, we expanded the number of authentication options we support with Azure AD Application Proxy. Connecting your on-premises applications to Azure AD Application Proxy benefits from all the work we’ve done in Azure AD to secure your applications with Identity Protection, Multi-Factor Authentication (MFA), and Conditional Access.

 

One of the biggest requests we received over the past several months is to support applications that use SAML to authenticate against Azure AD that are running on-premises or in your private network.

Read on to learn how it works and how to get started right away!

 

How it works

 

Using SAML SSO with Azure AD Application Proxy works in two main parts: 

  1. When users visit the external URL published through Application Proxy to access their applications, users are authenticated through Azure AD and the access is analyzed against the security policies you’ve configured.
  2. Next Application Proxy takes care of caching the SAML request and response generated to the on-premises application so it can complete the SAML flow. SAML based SSO support for your on premises apps 1.png

After configuring SAML SSO with Application Proxy you can take advantage of modern Azure AD security and governance features such as MFA, Conditional Access, Identity Protection, Delegated Application Access, Access Reviews, and many more. Users also have a seamless remote access and SSO experience on any device, anywhere.

 

If you’re new to Application Proxy and want to learn more about its secure remote access benefits and how it can help you extend Azure AD to your on-premises environment, read our whitepaper. You'll learn about how to build a remote access strategy based on identity and how to bring the power of Azure AD to your on-premises applications.

 

How to get started

 

You can get started today by visiting the Azure AD portal and create a new application or update an existing Application Proxy app to use SAML for SSO. First, make sure you have Application Proxy enabled and a connector installed in your on-premises environment before setting up your application. To learn more about how to enable Application Proxy see our tutorial.

 

Starting with a new application

If you’re starting with a new application, we recommend that you:

  1. First create a new non-gallery Then configure SAML-based SSO to work within your corporate network. This simplifies setup by validating your application is working correctly with SAML before enabling Application Proxy for remote access. For full details on how to setup SAML-based SSO follow our documentation. SAML based SSO support for your on premises apps 2.png

     

  2. Next configure Application Proxy so users can access the application outside the corporate network. In the Application Proxy configuration, provide the Internal URL of the application, which in this case is: https://contosotravel.com. An External URL is created that your users can use to access the application remotely. In the example below we use the default domain provided, https://contosotravel-f128.msappproxy.net. You can also use a custom domain for a more robust and user friendly experience. SAML-based SSO support for your on-premises apps 3.png

     

  3. Finally complete the SAML configuration by updating the Reply URL so it’s accessible via Application Proxy. For example, if the original Reply URLwas https://contosotravel.com/acs, you'll need to update the Reply URL to https://contosotravel-f128.msappproxy.net/acs, which is a sub path of the External URL from the Application Proxy configuration. SAML-based SSO support for your on-premises apps 4.png

     

Updating an existing application

If you’re updating an existing application already published through Application Proxy, follow the steps to configure SAML-based SSO outlined in SAML-based single sign-on. Next, make sure that your Reply URL configuration corresponds to the Application Proxy External URL or is a sub path of it.

 

For a full step-by-step guide and best practices on how to configure SAML-based SSO for your on-premises applications using Azure AD Application Proxy, see our complete documentation.

 

Tell us what you think

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

 

Best regards, 

 

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

8 Comments
Silver Contributor

Make up your mind on the name of this post :) It pops on RSS feed every time you change it..

Copper Contributor
A common challenge faced by many enterprises users, specifically sales or CXO. The basic understanding people have, if the application is SAML enabled and we are using cloud IAM/SSO solution we are good. But no, on-prem SAML enabled applications were not accessible outside. With AppProxy enabled with SAML SSO, a really good feature.
Copper Contributor

We are trying to test this new feature with a SAP Netweaver system as 'on premise application'. If someone has tried this yet and made it work, potentially as part of the collaboration between Microsoft and SAP, that would be useful to share :smile:

Copper Contributor

Trying to get SQL Server Reporting Services (SSRS) to work with SAML authentication. Any ideas?

Brass Contributor

Does Application Proxy only work with Web Applications?  What if we want to use it as a VPN for Native Mobile Applications that access On-Prem resources?  Thanks.

If the mobile app uses Azure AD for authentication and it's calling a set of on-premises web services, yes, App Proxy can be used. That said, vast majority of customers use it for browser apps, not mobile clients.

 

Regards,

Alex

Brass Contributor

Yeah we plan to use it for browser apps as well, but we have a handful of custom application that we would like to user App Proxy for if possible.  

Steel Contributor

@SKS11_DART I tried this article for configuring SSRS to use SAML but I'm pretty sure I gave up. The AAD part works great, not sure why SQL doesn't build-in options like this for web access like Reporting Services. 

Version history
Last update:
‎Aug 19 2021 04:21 PM
Updated by: