What is the use of Sign on URL when setting up SAML on Microsoft Entra?
I am not sure what is the use for the Sign on URL as seen here:
(Source: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-setup-sso)
Edit: In the picture above, Sign on URL is marked as required, but in my case it says optional.
From what I understand, if I set this URL up, it will redirect the SAML response back to this URL instead of the ACS for further login on the SP side.
So if for example my app needs a login page after being authenticated by the IDP, it will redirect to a login page.
But why can't I just use the ACS to redirect to a login page?
The Sign-on URL in Microsoft Entra SAML SSO configuration is the entry point to your application for initiating the SAML login flow. It’s used when a user selects your app from the My Apps portal or any user-initiated flow from Microsoft Entra ID.
- The ACS URL is where Azure sends the SAML response after authentication. You can’t redirect to the ACS directly because it's only meant to receive assertions, not initiate logins. The Sign-on URL is optional if you're only using IdP-initiated SSO.
For sample, This URL does not point directly to the IdP login page (e.g., https://login.microsoftonline.com/...). Instead, it points to your app — for example, https://myapp.com/login.
- When Microsoft Entra ID redirects the user to this URL, your app is responsible for initiating the SAML authentication request by redirecting the user to the IdP (Azure AD), which handles the login.
I created a Microsoft Entra SAML Toolkit and configured SAML SSO like below:
- Reply URL (Assertion Consumer Service URL),:
https://samltoolkit.azurewebsites.net/SAML/Consume. - Sign on URL:
https://samltoolkit.azurewebsites.net/
I tested the SSO app and logged in like below:
Logged in successfully which redirected me to Sign on URL which is https://samltoolkit.azurewebsites.net
When a user clicks your app in the My Apps portal, Microsoft Entra ID sends them to your app’s Sign-on URL, which initiates a SAML request and redirects them to Microsoft Entra ID for login. After authentication, Microsoft Entra ID sends the SAML response to your app’s ACS URL, where the assertion is processed and the user is signed in.
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions