
Discussion

SAML with SCIM and Entra Application Proxy – RelayState Challenge

posted one day ago

We're working with a client who is setting up SAML with SCIM using Microsoft Entra as the identity provider. They also want to use the Microsoft Entra Application Proxy to securely publish Laserfiche applications (Web Client and Forms) for remote access.

The challenge we're facing is around the RelayState configuration in the Entra Enterprise Application. As you know, RelayState must point to a single URL—either Web Client or Forms—but not both.

We attempted to use a custom landing page that provides links to both Web Client and Forms. However, this approach isn’t viable—after SAML authentication, users are redirected to the landing page, but clicking on either link causes an authentication loop.

We also considered creating two separate SAML applications, one for Forms and one for Web Client. The problem here is that this would result in two distinct user identities in Laserfiche, requiring a separate set of licenses and permission management.

Has anyone successfully implemented a similar setup using Microsoft Entra with SAML, SCIM, and Application Proxy? We're looking for any recommended approaches or workarounds to support both Forms and Web Client access via SSO while maintaining a unified user identity and permissions structure.

Appreciate any insights or suggestions!

0 0
replied one day ago

Hi Karim,

Re:

We attempted to use a custom landing page that provides links to both Web Client and Forms. However, this approach isn’t viable—after SAML authentication, users are redirected to the landing page, but clicking on either link causes an authentication loop.

If you were already considering a custom landing page with links to both, I'd recommend setting up and using the new App Picker functionality in Laserfiche Forms and Repository Web Client 12:

Then pick the Repo Web Client or Forms as the initial destination and communicate how to use the app picker to users. App pickers like this are common in software we all use today. As long as users are aware of where the new option is, they should generally find it intuitive.

If you still want to use a "custom landing page", you should make the landing page in Forms. Create a new Forms process called "Landing Page" or similar, then edit the starting form, style it with custom HTML blocks as desired and hide/remove the submit button. Customize the process starting URL to have a name like "https://formsBaseURLPath/Landing" and use that for the IdP-initiated SSO RelayState parameter. For auth flow purposes, you're always sending the user to Forms, which is a valid destination.

1 0
replied one day ago

Love the idea of using Forms as a landing page for SAML.

1 0