SSO via azure app proxy

Question

Hi

I'm trying to configure Azure SSO to work through an app proxy. The settings seem to be correct and the SSO is working properly when a user in on premise, but when off site, the login seems to be redirected to an internal server which obviously causes an issue.

e.g. our internal URL is https://adaxes-server/adaxes The Azure app proxy URL is https://adaxes-domain.msappproxy.net/adaxes

When connecting to the azure URL from outside of our network, the login seems to go fine, but then I get an error that the URL https://adaxes-server/adaxes/saml2 cannot be found.

I have tried with the App proxy configured to translate and not translate the URLs in the application body, but this makes no difference.

Is this something which can be resolved, or would it be something for a future release?

Many thanks

Matt

Comments

Hello Matt,

Sorry for the confusion, but we are not sure what exactly the issue is. Please, describe the steps you take to reproduce the issue in all the possible details with lice examples and screenshots. If there is something you cannot post here, please, send the details to support@adaxes.com.

---

Hi guys

Thanks guys for the email support, I thought I would update this having found a solution.

It seems that the SSO via app proxy doesn't work if you configure your External URL to use a custom domain. I guess this must be something to do with the DNS translation when going from the custom domain to the msappproxy.net URL's. But, if you leave the domain as the default msappproxy.net, SSO should work fine.

---

Actually, maybe I spoke too soon! The SSO works when testing via the app proxy SSO configuration, but when trying to load the site in another browser or having signed out, I am back to getting an error.

The first URL is my internal domain and isn't configured anywhere in the Adaxes sign in settings or Azure app proxy.

---

Hi

I was talking about this with a colleague yesterday and we've managed to get it working (thanks Paul).

The SSO over Azure will work fine using either the msappproxy.net or a custom domain, provided that the "Translate Urls in headers" app proxy option (under the Application proxy / Advanced settings) is unchecked.

Having looked at the info for this option, (it's a little wooly IMHO) when it's enabled it will try to translate the AAP URL into the internal URL once the authentication is completed, hence the issue I was seeing. I still don't understand why the tests were working from the "Test this application" option of the SSO config, but that's an issue for another day.

---

Chappers77 - are you using Passthrough or Entra ID for Pre-Auth?

I'm trying to get this to work so we can access it externally from a specific public location without setting up a VPN there and I have to use Entra ID for PreAuthentication for that to work. I just get to a white page. I am hosting the root folder too for Adaxes. 2016 app proxy server. I thought maybe you might have some insight since you got it working.

---

Hi Mark

I'm using Entra for the pre-auth

Matt

---

Thanks Matt! Anything special you had to do for this? Any insight you have would be great. It looks like it might be loading as the favicon is showing up but I can't get login page to show up. If I refresh the page, sometimes I get a Fatal Error that appears to be from Adaxes or I get a "Bad Gateway" message. The webpage works from the app proxy servers but the event log says "Connection to the backend server failed. Error: (0x80072efe)."

We are using SAML for the auth but we have it configured at the interface level because we have a use case that requires local AD login.

---

Does your Adaxes work over App Proxy without SSO enabled?

I'm not sure what you mean by having SSO configured at the interface level.

---

I followed this document to setup the interfaces (like Administrator, Self Service, etc) with SAML. https://www.adaxes.com/help/EnableSamlBasedSingleSignOn/

Yes, it will work without the Entra ID preauthentication set but i need it set to do conditional access policies.

Thanks for the help on this. I know its an extra thing.