Multi tenant SAML SSO app installed with OAuth flow?

Question

I have a multi tenant enterprise app. It authorises a few graph API permissions when installed and has SAML SSO configured. The whole idea is that my customers can install this and in one process grant my application access to their tenant, and setup SSO for that customers users.

The graph API permissions work totally as expected, I get the needed access to the tenants who installed the app.

Then there is the SAML SSO part. That's just totally not working. In my test tenant where I installed my app, it says that the app has SAML SSO and that it is only application owner who can configure - all fine. I then try to log in (to the web app using this SSO configuration) with a user from my test tenant - no luck! First I thought that it had to do with the user not being assigned the app, but it complains the the application in tenant A is not available for user in my test tenant and the user should be added to tenant A. That of course is not a solution since I want to use this for customers.

So right now I am stuck with 2 app's. One gallery app for SAML SSO and my app granting API permissions. It works, but it just seems SO stupid. Isn't there a better way?

Answer 1

Azure AD SAML applications are not intended to be multi-tenant, this is why you need to invite external users as guests.

It's worth to mention it's possible for an Azure AD app to support both OIDC/OAuth2 and SAML and thus rely on the same session cookie to obtain an access token for MS Graph.

If you need multi-tenancy, you should use modern protocols such as OpenID Connect for authentication and OAuth2 for authorization. MS Graph relies on JWT access token anyways.