I have created a registration in Azure AD via the portal in the Enterprise applications blade.

I then switched to App registrations blade -> Authentication and set the app to multi-tenant.

Next I switched back to Enterprise blade -> Single sign-on and set up SAML configuration to point to our SAML2 SP (Shibboleth).

But when I attempt to sign on to our service with a user from a foreign tenant, I get an error saying to please add the user as a guest.

This is because the SingleSignOnService in the IdP metadata that Azure AD generates is wrong. It points at the tenant-specific endpoint (https://login.microsoftonline.com/{tenantId}/saml2) instead of /common.

How can I get AAD to generate correct metadata for a multi-tenant app? This Microsoft guide seems to suggest that it should be possible to create a multi-tenant SAML2 app: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing

Try to specify the Sign on URL in Single Sign-On -> Basic SAML Configuration with https://login.microsoftonline.com/common/saml2. - Joy Wang-MSFT
That unfortunately did not have any effect on the generated SAML2 metadata. - Søren Boisen
Hello @SørenBoisen, just wanted to check if you have followed the 4 steps mentioned in docs.microsoft.com/en-us/azure/active-directory/develop/… to convert the app to multi-tenant. - Nishant

1 Answer


Make sure you are using the tenant-independent endpoint. In this endpoint address, common appears instead of a tenant domain name or ID: https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-protocol-reference
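As an added check that is not part of the question or the answer above: a Python script that parses IdP metadata shaped like the document Azure AD generates and flags every SingleSignOnService endpoint that is pinned to a tenant instead of using /common. The sample metadata is constructed here with an all-zero placeholder tenant id, and the helper names are my own.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample, not real Azure AD output: the shape of an IdP metadata
# document whose SingleSignOnService points at a tenant-specific endpoint.
# The tenant id is an all-zero placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sso_locations(metadata_xml):
    """Return the Location of every SingleSignOnService element, in document order."""
    root = ET.fromstring(metadata_xml)
    return [el.get("Location") for el in root.iter(f"{{{MD_NS}}}SingleSignOnService")]


def tenant_segment(location):
    """First path segment of the login URL: 'common', a tenant GUID, or a tenant domain."""
    segments = [s for s in urlsplit(location).path.split("/") if s]
    return segments[0] if segments else ""


def classify(location):
    """'common' for the tenant-independent endpoint, 'tenant' for a pinned tenant."""
    seg = tenant_segment(location)
    if seg == "common":
        return "common"
    return "tenant" if GUID_RE.match(seg) or "." in seg else "unknown"


def to_common(location):
    """Rewrite a tenant-specific login URL to its /common equivalent, keeping the path tail."""
    parts = urlsplit(location)
    segments = [s for s in parts.path.split("/") if s]
    if segments:
        segments[0] = "common"
    return urlunsplit(parts._replace(path="/" + "/".join(segments)))


def audit(metadata_xml):
    """Map every SSO endpoint to its classification so tenant-pinned ones stand out."""
    return {loc: classify(loc) for loc in sso_locations(metadata_xml)}
```

Running audit() over the metadata your SP actually loads tells you whether the Shibboleth side is still pointed at a single tenant regardless of what the portal shows.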