Set up SAML with Azure AD as enterprise application

  • Under Review

As of October 15 this year, Azure AD no longer accepts domains that the tenant doesn't manage itself in the App ID URI field when setting up a custom SAML app, domains like screenconnect.com.

This makes sense, I suppose, because custom SAML apps are for those trying to integrate apps that they built themselves or at least manage the DNS records for.

Anyway, this new development means that ConnectWise in fact no longer supports SAML integration with Azure AD / Microsoft 365.

The issue has been registered as #SCP-37400 on ConnectWise Home, but I think the way forward is clear — ConnectWise should register Control as an enterprise app on Azure AD, like Splashtop and TeamViewer have done. That's why those solutions haven't been affected by this new policy by Azure AD.

Registering as an enterprise app would be ideal, as this would make the setup process for SAML integration much easier as well.
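To make the policy described above concrete, here is a small added audit script (not part of this thread or of any ConnectWise or Microsoft code) that checks whether each App ID URI in a list points at a domain the tenant actually has verified. The verified domain list and the URIs are constructed sample values; only the https://<domain>/... form discussed in the thread is modeled.

```python
from urllib.parse import urlsplit

# Constructed sample: domains this hypothetical tenant has verified in Azure AD.
VERIFIED_DOMAINS = ("contoso.com", "contoso.onmicrosoft.com")


def app_id_uri_uses_verified_domain(uri: str, verified_domains=VERIFIED_DOMAINS) -> bool:
    """Return True if the App ID URI's host is one of the tenant's verified
    domains or a subdomain of one. A host the tenant does not manage, such as
    screenconnect.com in the thread above, is rejected."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    for dom in verified_domains:
        dom = dom.lower().rstrip(".")
        # Exact match or a real subdomain; "notcontoso.com" must not pass.
        if host == dom or host.endswith("." + dom):
            return True
    return False


def audit_app_id_uris(uris, verified_domains=VERIFIED_DOMAINS):
    """Split App ID URIs into those that still pass and those the policy rejects."""
    ok, rejected = [], []
    for uri in uris:
        target = ok if app_id_uri_uses_verified_domain(uri, verified_domains) else rejected
        target.append(uri)
    return ok, rejected


if __name__ == "__main__":
    # Constructed sample URIs: one managed by the tenant, one belonging to a vendor.
    sample = ["https://control.contoso.com/saml", "https://screenconnect.com/saml"]
    passing, failing = audit_app_id_uris(sample)
    print("accepted:", passing)
    print("rejected:", failing)
```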

0
Simon

This is what's posted on ConnectWise Home.

The Microsoft docs link is to this page.

No solution is offered, but as I wrote above, registering as an enterprise app seems to be the best (only?) way.

0
Caitlin M Barnes Team Member

Hi Simon, 

We're still investigating how best to handle this situation, but thanks for your suggestion! 

0
kcampbell

I am having the exact same issue. I am needing help fixing this. Is there any update on this case yet?

0
Rishikesh Gajul
  • Under Review
Quote from kcampbell

I am having the exact same issue. I am needing help fixing this. Is there any update on this case yet?

Hi,

We're still investigating this issue and may take some more time to find the right solution. In the meantime, you can refer to this link for a workaround.

0
kcampbell

Can you tell me, is the Client secret the Client secret value or the Secret ID?

0
Rishikesh Gajul
Quote from kcampbell

Can you tell me, is the Client secret the Client secret value or the Secret ID?

It's a value.

0
rswitzer

Any update on a better solution to use Azure AD for SSO Auth without having to modify a user's department details?

0
Mike Bannerman Team Member

Currently working on this issue. Early ETA would be April barring a delay, but I'll try to update again in a week.

0
Virtual_Greg

Any update on this? We can't use the workaround because we use the department field for something else.

0
mvitale
Quote from Virtual_Greg

Any update on this? We can't use the workaround because we use the department field for something else.

I have no update for you, but I am using the workaround, and in the config there is a "UserInfoRoleNamePath" field that is configured by default to use the AD attribute 'department', but it looks like you could change that to use any AD attribute.

Enabling this method is also an addition, so your users will still be able to log in with existing local accounts. It adds a new login button that you also name.

Changing that department config may work for you, but I have not tested this.
