Application sign-in failures when you change the reply URL in Azure AD

Symptoms

Assume that you build a multi-tenant web application that uses Azure AD to authenticate users. If you change the application's reply URL, users in tenants that have already consented to the application may no longer be able to sign in. Users in tenants that consent after the URL change are not affected.

Cause

The app developer changes the reply URL of the application object through the Azure Management Portal and deploys the web application at a new endpoint that matches the new reply URL. The old endpoint no longer services any requests.

This issue occurs in the following scenario:
  • The web application uses any of the Azure AD–supported authentication protocols (OpenID Connect, WS-Federation or SAML 2.0).  
  • The associated application object is configured in Azure AD with a single reply URL.
  • When the web application (the service provider) initiates the sign-in request, it does not include the optional reply-URL parameter in the request.  
Note This parameter differs for each supported protocol. For OpenID Connect and WS-Federation it is a query string parameter; for SAML 2.0 it is an attribute of the AuthnRequest element:

Protocol          Optional parameter
OpenID Connect    redirect_uri
WS-Federation     wreply
SAML 2.0          AssertionConsumerServiceURL

When the authentication request carries no reply URL, Azure AD falls back to the reply URL that is recorded for the application in the tenant (the single configured value from the second item in the preceding list).  

When a tenant consents to a multi-tenant application, a service principal for the application is created in that tenant, and its reply addresses are copied from the application object at that moment. Later changes to the application object's reply URL are not propagated to existing service principals. So when the app developer changes the reply URL through the Azure Management Portal and moves the web application to the new endpoint, Azure AD still redirects sign-ins from already-consented tenants to the old reply URL, which is no longer serviced. In this situation, all existing customers who have already consented to the web application may be unable to sign in. Tenants that consent after the change receive a service principal that already carries the new reply URL, which is why they are not affected.

Resolution

To fix this issue, use one of the following methods:

  • Explicitly specify the reply URL in the application code. This is the recommended solution. The app developer should update the code that builds the authentication request so that it always sends the reply URL explicitly (redirect_uri, wreply or AssertionConsumerServiceURL, depending on the protocol, as described in the "Cause" section). The request then no longer depends on the reply address stored in each tenant's service principal.
  • Use PowerShell to overwrite the reply address. A company administrator of an affected tenant should run the following Azure AD PowerShell (MSOnline module) cmdlets to overwrite the old reply address on the application's service principal with the new reply address:
    1. Connect-MsolService
    2. $r = New-MsolServicePrincipalAddresses -Address <app's_new_reply_address> -AddressType "Reply"
    3. Set-MsolServicePrincipal -AppPrincipalId <app's_clientId> -Addresses $r
    Note that -Addresses replaces the service principal's whole address list, so if the service principal has other addresses that must be kept, include them in $r as well.
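The following script is an added example that is not part of the original article: it applies the PowerShell method above in a way that first shows what the tenant's service principal currently holds, replaces only the old reply address, keeps any other addresses, and verifies the result. It assumes the MSOnline module is installed, that the caller is a company administrator of the affected tenant, and that the $AppId, $OldReplyUrl and $NewReplyUrl parameters (names chosen here, not from the article) are supplied by the caller.

```powershell
# Added example, not code from the KB article. Replaces one reply address on the
# service principal of an already-consented multi-tenant app in the current tenant.
# Assumptions: MSOnline module available; caller is a company administrator of the
# affected tenant; parameter names below are this script's own.
param(
    [Parameter(Mandatory)][Guid]$AppId,          # the application's client ID
    [Parameter(Mandatory)][string]$OldReplyUrl,  # reply URL copied at consent time
    [Parameter(Mandatory)][string]$NewReplyUrl   # reply URL the app now serves
)

Import-Module MSOnline
Connect-MsolService

# The service principal exists only in tenants that have consented to the app.
$sp = Get-MsolServicePrincipal -AppPrincipalId $AppId
if (-not $sp) {
    throw "No service principal for $AppId in this tenant; the app has not been consented to here."
}

# Check first: list every address the tenant's service principal currently holds.
$current = @($sp.Addresses)
Write-Host "Addresses before the change:"
$current | ForEach-Object { Write-Host ("  {0,-8} {1}" -f $_.AddressType, $_.Address) }

$isOldReply = { $_.AddressType -eq 'Reply' -and $_.Address -eq $OldReplyUrl }
if (-not ($current | Where-Object $isOldReply)) {
    Write-Warning "Old reply URL '$OldReplyUrl' is not on this service principal; nothing to replace."
    return
}

# -Addresses overwrites the entire list, so rebuild it: keep everything except the
# old reply entry, then append the new reply entry.
$kept = $current | Where-Object { -not (& $isOldReply) }
$new  = New-MsolServicePrincipalAddresses -AddressType Reply -Address $NewReplyUrl
$addresses = @($kept) + @($new)

Set-MsolServicePrincipal -AppPrincipalId $AppId -Addresses $addresses

# Verify by reading the service principal back rather than trusting the call succeeded.
$after = @((Get-MsolServicePrincipal -AppPrincipalId $AppId).Addresses)
Write-Host "Addresses after the change:"
$after | ForEach-Object { Write-Host ("  {0,-8} {1}" -f $_.AddressType, $_.Address) }

if (-not ($after | Where-Object { $_.AddressType -eq 'Reply' -and $_.Address -eq $NewReplyUrl })) {
    throw "Verification failed: new reply URL '$NewReplyUrl' is not on the service principal."
}
if ($after | Where-Object $isOldReply) {
    throw "Verification failed: old reply URL '$OldReplyUrl' is still on the service principal."
}
Write-Host "Reply address updated for $AppId in this tenant."
```

Run it once per affected tenant, because each tenant has its own service principal with its own copy of the reply addresses. The script compares addresses as exact strings; if the portal value differs only by a trailing slash or case from what you pass, the pre-check will report that the old address is not present rather than silently removing the wrong entry.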
Properties

Article ID: 3089309 - Last reviewed: Aug 27, 2015 - Revision: 1