After blogging on publishing a SAML application through the Azure AD Application Proxy, I had some requests to explain how an application using forms-based authentication can be published through the proxy with SSO. I have to confess that I started this blog nearly 2 months ago and had been trying to find the time to finish it. At the moment I’m stuck in an airport lounge for 3 hours so here goes…
I believe in incremental testing, going one step at a time. Below are my 5 steps to success.
Step 1: Get the forms app working within the corporate network. This is shown in Figure 1; you will see that the internal URL for the demo application is https://formsauth.example.com.
Step 2: Go to the Azure portal and sign in to your tenant. Open the Azure Active Directory blade, then Enterprise applications, select New application and then the On-premises application tile. Configure the proxy to publish the forms app; for the simplest configuration you only need to enter a Name and the Internal URL (Figure 2).
Let Azure AD cook for a few minutes: if you try to access the external URL too quickly, you will get a 404 error (Figure 3).
Step 3: To simplify testing, create a shortcut to https://formsauth-xtsmsc4a.msappproxy.net/
Double-click the shortcut and you will be redirected to the Azure AD sign-in page for your organization. You are required to sign in because the default pre-authentication method is Azure Active Directory (see Figure 2); with the alternative, Passthrough, the forms sign-in page itself would be reachable from the internet without an Azure AD sign-in.
Tip: If prompted to “Stay signed in” select No. When troubleshooting it is very useful to see the sign-in web form, it helps you to know where you are in the authentication flow.
You will see that you are denied access to the application (Figure 4): users must be assigned to the App Proxy enterprise application before they can reach the internal application.
Step 4: Assign a user to the application proxy app. You can use the Quick start, “Assign a user for testing option” (Figure 5) or click on the Users and groups menu item.
Make sure you also assign the administrator who is configuring the App Proxy; this is required when setting up password-based sign-on. In addition to being assigned to the proxy application, users also need the appropriate licenses (Azure AD Premium P1 or P2) to use the proxy.
Open the app via the shortcut. After authenticating with Azure AD (pre-authenticating through the App Proxy) you will be able to reach the forms app through the external URL; however, you will still need to authenticate separately to the forms application itself, so there is no SSO yet (Figure 6).
Through the access panel (My Apps) you can also open the forms application via the external URL (Figure 7), but you will still need to authenticate separately to the forms application.
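The same publish-and-assign steps (Steps 2 to 4), scripted so they can be repeated and checked. This is an added example and not code from the original post; it assumes the AzureAD PowerShell module of the same era as the post, the app name FormsAuth, the internal and external URLs shown above, and a test user alice@example.com. The SSO field capture in Step 5 still needs the portal and the browser extension, so it is not scripted here. Besides creating the objects, the script verifies the two things the walkthrough tests by hand in the browser: that pre-authentication really is Azure AD (an anonymous request to the external URL is redirected to login.microsoftonline.com rather than being served the forms login page) and that the test user is assigned.

```powershell
# Added example, not from the original post. Automates Steps 2 and 4 with the
# AzureAD module and checks the result. Names, URLs and the UPN are assumptions.
#Requires -Modules AzureAD

$displayName = 'FormsAuth'                                    # assumed app name
$internalUrl = 'https://formsauth.example.com/'               # internal URL from the post
$externalUrl = 'https://formsauth-xtsmsc4a.msappproxy.net/'   # external URL from the post
$testUserUpn = 'alice@example.com'                            # assumed test user

Connect-AzureAD | Out-Null

# Step 2: publish the internal app. AadPreAuthentication is the default; it is
# set explicitly so a reviewer can see that the forms sign-in page is never
# reachable anonymously (Passthru would expose it to the internet).
$null = New-AzureADApplicationProxyApplication -DisplayName $displayName `
    -InternalUrl $internalUrl -ExternalUrl $externalUrl `
    -ExternalAuthenticationType AadPreAuthentication

# The portal tile creates an application and a service principal; look both up.
$app = Get-AzureADApplication -Filter "displayName eq '$displayName'"
$sp  = Get-AzureADServicePrincipal -Filter "displayName eq '$displayName'"

# Check: pre-authentication is Azure AD, not Passthru.
$proxy = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId
if ($proxy.ExternalAuthenticationType -ne 'AadPreAuthentication') {
    throw "Pre-authentication is $($proxy.ExternalAuthenticationType); expected AadPreAuthentication"
}

# Step 4: assign the test user. An empty GUID for -Id selects the default
# access role on an app that defines no app roles of its own.
$user = Get-AzureADUser -ObjectId $testUserUpn
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null

# Check: the assignment is visible on the user (this is what fixes Figure 4).
$assigned = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId }
if (-not $assigned) { throw "$testUserUpn is not assigned to $displayName" }

# Check (the Step 3 test): an anonymous request to the external URL must be
# redirected to the Azure AD sign-in page. AllowAutoRedirect = $false makes
# GetResponse() hand back the 3xx instead of following it. Give the proxy a
# couple of minutes first, otherwise you see the 404 the post mentions.
Start-Sleep -Seconds 120
$req = [System.Net.WebRequest]::Create($externalUrl)
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
$status   = [int]$resp.StatusCode
$location = $resp.Headers['Location']
$resp.Close()
if ($status -lt 300 -or $status -ge 400 -or $location -notmatch 'login\.microsoftonline\.com') {
    throw "Anonymous request was not redirected to Azure AD sign-in (status $status, Location: $location)"
}
Write-Host "$displayName published with Azure AD pre-authentication; $testUserUpn assigned"
```

If the last check fails with a 200 and the forms app's own login page in the body, the published app is running as Passthrough and the internal sign-in form is exposed; fix the pre-authentication type before going any further with SSO.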
Now it’s time to get SSO working.
Step 5: Back in the portal, from the Quick start options select Configure single sign-on and set the sign-on mode to Password-based Sign-on (Figure 8).
Set the Sign-on URL to the external proxy URL for the forms sign-in page and click Save.
After a short while the configuration completes and the wizard reports that a sign-in form was successfully detected at the provided URL (Figure 9, arrow A).
Despite the configuration reporting success, I have found that the fields can be incorrectly detected and manual intervention is necessary. Select the option to re-detect the sign-in fields (Figure 9, arrow B), choose Manually detect sign-in fields and click Capture sign-in fields. A browser tab opens and the forms sign-in page is accessed, through the App Proxy, using the identity of the currently signed-in portal administrator (which is why that administrator had to be assigned to the app in Step 4). The My Apps Secure Sign-in Extension must be installed in the browser to capture the sign-in fields. As you enter a username and password the fields are highlighted, and after clicking logon you are prompted to save the captured login details (Figure 10).
After selecting the checkbox confirming that you can successfully sign in to the app and saving the changes, you will see that the sign-in field labels have been updated to the correct values for the application.
The final test
When a user now accesses the application via My Apps for the first time, they are asked to store their credentials for the application (Figure 11).
Subsequently, once logged into My Apps, clicking the FormsAuth icon opens the app without any further prompt for credentials. Note that this is stored-credential replay rather than federation: the user's application password is held by Azure AD and filled into the forms sign-in page by the My Apps Secure Sign-in Extension, so the forms app still keeps its own password for every user and the extension must be present in the browser for the sign-in to complete.
SSO all done! That’s it for now – Please tweet me if you found the blog helpful @john_craddock and don’t forget to book a place on my Identity Masterclass 😊