0 votes

Hi

I'm trying to configure Azure SSO to work through an app proxy. The settings seem to be correct and the SSO is working properly when a user is on premise, but when off site, the login seems to be redirected to an internal server which obviously causes an issue.

E.g. our internal URL is https://adaxes-server/adaxes. The Azure app proxy URL is https://adaxes-domain.msappproxy.net/adaxes.

When connecting to the Azure URL from outside of our network, the login seems to go fine, but then I get an error that the URL https://adaxes-server/adaxes/saml2 cannot be found.

I have tried with the App proxy configured to translate and not translate the URLs in the application body, but this makes no difference.

Is this something which can be resolved, or would it be something for a future release?

Many thanks

Matt

by (2.0k points)
0

Hello Matt,

Sorry for the confusion, but we are not sure what exactly the issue is. Please, describe the steps you take to reproduce the issue in all the possible details with live examples and screenshots. If there is something you cannot post here, please, send the details to support@adaxes.com.

0

Hi guys

Thanks guys for the email support, I thought I would update this having found a solution.

It seems that the SSO via app proxy doesn't work if you configure your External URL to use a custom domain. I guess this must be something to do with the DNS translation when going from the custom domain to the msappproxy.net URLs. But, if you leave the domain as the default msappproxy.net, SSO should work fine.

0

Actually, maybe I spoke too soon! The SSO works when testing via the app proxy SSO configuration, but when trying to load the site in another browser or having signed out, I am back to getting an error.

The first URL is my internal domain and isn't configured anywhere in the Adaxes sign in settings or Azure app proxy.

0

Hi

I was talking about this with a colleague yesterday and we've managed to get it working (thanks Paul).

The SSO over Azure will work fine using either the msappproxy.net or a custom domain, provided that the "Translate Urls in headers" app proxy option (under the Application proxy / Advanced settings) is unchecked.

Having looked at the info for this option (it's a little woolly IMHO), when it's enabled it will try to translate the AAP URL into the internal URL once the authentication is completed, hence the issue I was seeing. I still don't understand why the tests were working from the "Test this application" option of the SSO config, but that's an issue for another day.
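
A diagnostic for the symptom described in this thread, as an added example that is not part of any post here and is not Adaxes or Microsoft code: it decodes the SAMLRequest from a sign-in redirect captured in the browser's network tab and reports whether the AssertionConsumerServiceURL names the external App Proxy host. It assumes the application sends its AuthnRequest over the HTTP-Redirect binding; the host names are the ones quoted in the question, and the IdP address and sample requests are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, parse_qs, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
EXTERNAL_HOST = "adaxes-domain.msappproxy.net"  # external URL host from the thread

def decode_redirect_request(url):
    """Return the AuthnRequest XML carried by an HTTP-Redirect binding URL."""
    packed = base64.b64decode(parse_qs(urlsplit(url).query)["SAMLRequest"][0])
    return zlib.decompress(packed, -15).decode("utf-8")  # raw DEFLATE, no header

def check_acs(url, external_host=EXTERNAL_HOST):
    """Return (acs_url, verdict); verdict is 'ok', 'absent' or 'wrong-host'."""
    root = ET.fromstring(decode_redirect_request(url))  # parse your own capture only
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:  # optional attribute: the IdP then uses its configured reply URL
        return None, "absent"
    host = (urlsplit(acs).hostname or "").lower()
    return acs, "ok" if host == external_host.lower() else "wrong-host"

def build_sample(acs_url=None, idp="https://idp.example/saml2"):
    """Constructed test input: a minimal AuthnRequest packed as a redirect URL."""
    acs_attr = ' AssertionConsumerServiceURL="%s"' % acs_url if acs_url else ""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed" Version="2.0" '
           'IssueInstant="2024-01-01T00:00:00Z"%s/>' % (SAMLP, acs_attr))
    deflater = zlib.compressobj(wbits=-15)
    packed = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    encoded = base64.b64encode(packed).decode("ascii")
    return idp + "?SAMLRequest=" + quote(encoded, safe="")

if __name__ == "__main__":
    for acs in ("https://adaxes-server/adaxes/saml2",
                "https://adaxes-domain.msappproxy.net/adaxes/saml2", None):
        print(check_acs(build_sample(acs)))
```

A "wrong-host" verdict on a request captured from outside the network means the application built its own URLs from the internal host name it was given.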

0

Chappers77 - are you using Passthrough or Entra ID for Pre-Auth?

I'm trying to get this to work so we can access it externally from a specific public location without setting up a VPN there and I have to use Entra ID for PreAuthentication for that to work. I just get to a white page. I am hosting the root folder too for Adaxes. 2016 app proxy server. I thought maybe you might have some insight since you got it working.

0

Hi Mark

I'm using Entra for the pre-auth

Matt

0

Thanks Matt! Anything special you had to do for this? Any insight you have would be great. It looks like it might be loading as the favicon is showing up but I can't get login page to show up. If I refresh the page, sometimes I get a Fatal Error that appears to be from Adaxes or I get a "Bad Gateway" message. The webpage works from the app proxy servers but the event log says "Connection to the backend server failed. Error: (0x80072efe)."

We are using SAML for the auth but we have it configured at the interface level because we have a use case that requires local AD login.

0

Does your Adaxes work over App Proxy without SSO enabled?

I'm not sure what you mean by having SSO configured at the interface level.

0

I followed this document to set up the interfaces (like Administrator, Self Service, etc) with SAML. https://www.adaxes.com/help/EnableSamlBasedSingleSignOn/

Yes, it will work without the Entra ID preauthentication set but I need it set to do conditional access policies.

Thanks for the help on this. I know it's an extra thing.
