More and more organisations are integrating their SAML applications with Azure AD (AAD) instead of ADFS so that they can take advantage of Azure AD Conditional Access policies. One user-experience issue with this change is that federated users (for example, those using ADFS for single sign-on) are first sent to the default Microsoft AAD login page; only after they have entered their UPN are they redirected to the ADFS page to sign in.

Many customers and end users ask whether they can be redirected straight to the ADFS page, bypassing the Microsoft login page, especially when migrating an existing ADFS-federated application to AAD.

Why doesn’t AAD redirect the user to ADFS automatically?

AAD is a multi-tenant cloud service. Until you enter a UPN or email address it does not know which home realm you belong to, whether abc.com or xyz.com; only once the UPN is entered can AAD determine the user's tenant. If the user's domain is federated, AAD then redirects the user to that organisation's ADFS login page. This process is known as Home Realm Discovery (HRD).

The second possibility is that the user is a cloud (managed) user. The AAD login screen lets cloud users sign in directly against AAD while redirecting federated users to ADFS, which is why the generic login page has to come first.


What are the options if all my users are federated and I want to redirect everyone to the ADFS page?

Option 1 – Domain Hints

If the application supports domain hints, you can pass the federated domain name to AAD as a query-string parameter (whr) appended to the application URL.

e.g. https://myapps.microsoft.com/?whr=xyz.com

Jack Stromberg has a smart-link generator that produces the common links for Office 365 applications: https://jackstromberg.com/o365-smart-linksso-link-generator/


Option 2 – MyApps User Access URL + Domain Hints

Not all SAML applications have native support for domain hints. If that is the case, you can use the application's MyApps user access URL and append the query string &whr=xyz.com to the end of it (the MyApps URL already carries a ?tenantId= query string, so the hint is joined with & rather than ?). The MyApps URL can be found in the Azure Portal > Azure Active Directory > Enterprise Applications; click on your application and go to its Properties.

The MyApps URL appears in this format:  https://myapps.microsoft.com/signin/AppName/AppId-xxxx-xxx-xxx?tenantId=xxxx-xxx-xxxx-xxxxxxx&whr=xyz.com

A disadvantage of this URL is that it is long and hard to remember, so you would most likely need to create a bookmark for your end users.
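The two URL forms above (Option 1's bare application URL, which takes ?whr=, and Option 2's MyApps URL, which already has a query string and therefore takes &whr=) are easy to get wrong when building bookmarks by hand. The following PowerShell function is an added example, not part of the original post, that appends the whr hint correctly in either case and replaces an existing whr instead of duplicating it. The function name Add-DomainHint and the domain xyz.com are placeholders for this example.

```powershell
# Added example (not from the original post): build a domain-hinted URL.
# Handles both cases on this page: a bare application URL (needs '?whr=') and a
# MyApps user access URL that already has ?tenantId=... (needs '&whr=').
# Add-DomainHint is a hypothetical helper name; 'xyz.com' is a placeholder.

Add-Type -AssemblyName System.Web   # [System.Web.HttpUtility] for Windows PowerShell 5.1

function Add-DomainHint {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $FederatedDomain
    )

    # Only accept a plausible DNS name: the value ends up in a redirect and in
    # bookmarks handed to end users, so reject anything that is not a domain.
    if ($FederatedDomain -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        throw "'$FederatedDomain' is not a valid domain name"
    }

    $builder = [System.UriBuilder]::new($Url)

    # ParseQueryString understands an empty query and an existing one alike, so
    # the caller does not have to decide between '?' and '&'.
    $query = [System.Web.HttpUtility]::ParseQueryString($builder.Query)
    $query['whr'] = $FederatedDomain        # sets or replaces, never duplicates

    $builder.Query = $query.ToString()      # UriBuilder supplies the leading '?'
    return $builder.Uri.AbsoluteUri
}

# Option 1 style: bare application URL
Add-DomainHint -Url 'https://myapps.microsoft.com/' -FederatedDomain 'xyz.com'

# Option 2 style: MyApps user access URL that already carries ?tenantId=
Add-DomainHint -Url 'https://myapps.microsoft.com/signin/AppName/AppId?tenantId=tid' -FederatedDomain 'xyz.com'
```

Run it once per application and hand the resulting URL out as the bookmark; if the application URL later gains other query parameters, the function still produces a single, correctly joined whr value.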

This brings us to the third option.


Option 3 – Auto-acceleration using Home Realm Discovery (HRD) policy

This option involves creating an HRD policy in AAD and then attaching that policy to the service principal of the application. The details can be found in this article: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal#set-hrd-policy

As of October 2019, this option requires the Azure AD Preview PowerShell module (AzureADPreview).

If you have not installed the AzureADPreview module before, launch PowerShell as an administrative user and install the module first:

Install-Module -Name AzureADPreview

cd "C:\Program Files\WindowsPowerShell\Modules\AzureADPreview\2.0.2.53"  (note: the module version folder may be different on your machine; once the module is installed, Import-Module AzureADPreview also loads it by name without changing directory)

Import-Module .\AzureADPreview.psd1

Connect-AzureAD (sign in with your admin credential)

Step 1: Create a new HRD policy. AccelerateToFederatedDomain is the setting that skips the AAD login page; PreferredDomain must be a verified federated domain of the tenant and is only needed when the tenant has more than one federated domain (with a single federated domain it can be omitted).

New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFederatedDomain`":true, `"PreferredDomain`":`"yourSSOdomain.com`"}}") -DisplayName MultiDomainAutoAccelerationPolicy -Type HomeRealmDiscoveryPolicy

Step 2: Find the service principal for your SAML application (note the ObjectId; -SearchString is a prefix match and can return more than one application)

Get-AzureADServicePrincipal -SearchString "application name"

Step 3: Attach the HRD policy to your service principal (-Id is the service principal's ObjectId from Step 2, -RefObjectId is the policy's Id returned in Step 1)

Add-AzureADServicePrincipalPolicy -Id "service-principal-id-xxxxx-xxx-xxx" -RefObjectId "HRD-policy-id-xxxx-xxxx"
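The three steps above, put together as one script with the checks a practitioner would want before flipping sign-in behaviour for an application. This is an added example and not the post's own script: it verifies that the target domain is actually federated in the tenant, resolves the service principal unambiguously, reuses an existing policy of the same name instead of creating duplicates, skips the attach if it is already in place, and prints what is attached afterwards. The parameter names, the policy display name and the rollback line are this example's own choices; the cmdlets are the AzureADPreview ones used in the steps above plus Get-AzureADDomain, Get-AzureADPolicy, Get-AzureADServicePrincipalPolicy and Remove-AzureADServicePrincipalPolicy.

```powershell
# Added example (not from the original post): Option 3 end to end with checks.
# Usage:  .\Set-HrdAcceleration.ps1 -FederatedDomain yourSSOdomain.com -AppDisplayName 'My SAML App'
# Parameter and policy names are this example's own; replace the placeholders.
param(
    [Parameter(Mandatory)] [string] $FederatedDomain,   # e.g. yourSSOdomain.com
    [Parameter(Mandatory)] [string] $AppDisplayName,    # enterprise application display name
    [string] $PolicyDisplayName = 'MultiDomainAutoAccelerationPolicy'
)

Import-Module AzureADPreview -ErrorAction Stop
Connect-AzureAD | Out-Null

# Check 1: the domain must be federated in this tenant. Accelerating to a
# managed domain would send every user to a realm that cannot sign them in.
$domain = Get-AzureADDomain -Name $FederatedDomain
if ($domain.AuthenticationType -ne 'Federated') {
    throw "Domain '$FederatedDomain' is '$($domain.AuthenticationType)', not Federated; refusing to create the policy."
}

# Check 2: resolve the service principal unambiguously. -SearchString is a
# prefix match, so filter on the exact display name and insist on one hit.
$sps = @(Get-AzureADServicePrincipal -SearchString $AppDisplayName |
         Where-Object { $_.DisplayName -eq $AppDisplayName })
if ($sps.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppDisplayName', found $($sps.Count)."
}
$sp = $sps[0]

# Step 1: create the HRD policy, or reuse one with the same name and type.
$policy = Get-AzureADPolicy | Where-Object {
    $_.Type -eq 'HomeRealmDiscoveryPolicy' -and $_.DisplayName -eq $PolicyDisplayName
}
if (-not $policy) {
    # Same JSON as the hand-escaped string in the post, built from a hashtable
    # so the quoting cannot go wrong.
    $definition = @{
        HomeRealmDiscoveryPolicy = @{
            AccelerateToFederatedDomain = $true
            PreferredDomain             = $FederatedDomain
        }
    } | ConvertTo-Json -Compress -Depth 3

    $policy = New-AzureADPolicy -Definition @($definition) `
                                -DisplayName $PolicyDisplayName `
                                -Type HomeRealmDiscoveryPolicy
}

# Step 3: attach the policy to the service principal, unless already attached.
$attached = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
            Where-Object { $_.Id -eq $policy.Id }
if (-not $attached) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# Verify: show every policy now attached to this service principal.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object Id, DisplayName, Type, Definition

# Rollback (restores the normal AAD login page for this application):
# Remove-AzureADServicePrincipalPolicy -Id $sp.ObjectId -PolicyId $policy.Id
```

The verification step matters because a service principal can carry several policies; seeing the attached list confirms that the HomeRealmDiscoveryPolicy you just created is the one in effect before you test the application with a real federated user.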


Now test the application: instead of sending unauthenticated users to the AAD login page, it redirects them straight to ADFS. This option also works for Azure AD Application Proxy applications that use Azure AD pre-authentication.

If you have the reverse situation after setting up auto-acceleration, that is, a cloud (managed) user who needs access to the application, you can give them the MyApps URL from Option 2 without the domain hint.


Category:
ADFS, Azure Infrastructure, Identity and Access Management, Uncategorized

1 Comment

  1. Great article John, I may be using some of this very soon.