Hi,
I'd appreciate it if anyone could point me in the right direction regarding SAML authentication with directory server - I am testing web access (and forms) authentication against Azure AD. I have followed the white paper on configuring DS 10.3 for SAML.
I have set up a SAML IdP in LFDS 10.3 and populated the Issuer, endpoint and certificate with the SAML Entity ID, SAML Single Sign-On Service URL and SAML signing certificate from the Azure AD application registration page - see LFDS_IdP.png
I've set up an STS site with the suggested endpoint displayed in the LFDS configuration - see LDFS_STS.png
I am happy that LFDS is set up OK, as I can authenticate fine if I use an LFDS account and authenticate via the directory server page - see LFDS_login_page.png; LFDSTest_loggedin.png
However, if I use the SAML button on the directory server page I get prompted for Windows credentials and am unable to get any further - see windows_auth_prompt.png
Using Fiddler I can see that the Windows authentication happens against https://TESTVM1/LDFSSTS/specificapi/login/login (the same URL the LFDS account auth uses, which gets no authentication challenge)
I've tried numerous different configurations in IIS regarding service account authentication, but I don't think the issue lies there, as the LFDS account authentication works OK, so I'm assuming that the local STS setup is OK.
All I am looking for initially is to see the hand-off to the MS Azure login page from directory server, but it is not redirecting. I assume something is fundamentally wrong with my DS SAML setup, but I can't see what.
I know that the Azure SSO sign in page is valid as I can browse to it manually.
Has anyone successfully tested against Azure AD or can anyone suggest what might be the issue?
Many thanks,
Ian
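Added example, not part of Ian's post and not Laserfiche or Microsoft code: a small Python helper for checking what the STS login endpoint actually returned when the SAML button was clicked, using the status code and headers as captured in Fiddler. It tells apart the two outcomes the post describes, a SAML HTTP-Redirect hand-off to the IdP (in which case it decodes the AuthnRequest and checks that its Destination is the SSO URL taken from the Azure AD app registration) and a 401 Windows authentication challenge (Negotiate/NTLM) issued before any SAML redirect. The tenant ID, issuer and ACS URLs, request IDs and header values in it are constructed placeholders, not values from the post.

```python
"""Classify a captured response from the STS login endpoint: SAML redirect
hand-off versus Windows authentication challenge (added example, constructed
sample values only)."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def _base_url(url):
    """Scheme + host + path without the query string, for comparing endpoints."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def build_redirect_location(idp_sso_url, issuer, acs_url, request_id):
    """Build the Location header an SP emits for the SAML HTTP-Redirect binding:
    the AuthnRequest XML is raw-DEFLATEd, base64-encoded and URL-encoded into the
    SAMLRequest query parameter. Used here only to construct sample input."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(wbits=-15)  # wbits=-15: raw DEFLATE, no zlib header/trailer
    raw = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode()})
    return f"{idp_sso_url}?{query}"


def decode_saml_request(location):
    """Decode the SAMLRequest parameter of a redirect URL; None if it has none."""
    parts = urlsplit(location)
    qs = parse_qs(parts.query)
    if "SAMLRequest" not in qs:
        return None
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))  # -15: raw DEFLATE
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": qs.get("RelayState", [None])[0],
    }


def classify_response(status, headers, expected_sso_url):
    """Classify one HTTP response (status code + header dict) from the STS login URL."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        # Negotiate/NTLM here means the server demanded Windows credentials
        # before any SAML redirect was issued.
        challenge = h.get("www-authenticate", "")
        schemes = [c.strip().split()[0] for c in challenge.split(",") if c.strip()]
        return {"verdict": "windows_auth_challenge", "schemes": schemes}
    if status in (302, 303, 307) and "location" in h:
        req = decode_saml_request(h["location"])
        if req is None:
            return {"verdict": "plain_redirect", "location": h["location"]}
        # The hand-off is only right if it targets the IdP SSO URL that was
        # copied from the Azure AD application registration page.
        matches = (
            _base_url(h["location"]) == _base_url(expected_sso_url)
            and req["destination"] == expected_sso_url
        )
        return {"verdict": "saml_redirect", "request": req, "destination_matches": matches}
    return {"verdict": "other", "status": status}


if __name__ == "__main__":
    # Constructed placeholders: a fake tenant ID and a fictitious STS issuer/ACS.
    SSO = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
    good = build_redirect_location(SSO, "https://sts.example.test/", "https://sts.example.test/saml/acs", "_req1")
    print(classify_response(302, {"Location": good}, SSO))
    print(classify_response(401, {"WWW-Authenticate": "Negotiate, NTLM"}, SSO))
```

To use it against a real capture, copy the status code and the Location or WWW-Authenticate header of the response to the login URL out of Fiddler and pass them to classify_response with the SSO URL from the Azure AD application page; a 401 with Negotiate/NTLM shows the challenge is raised before the SP ever builds an AuthnRequest, while a saml_redirect with destination_matches False shows the SP redirected somewhere other than the configured IdP endpoint.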