Enable SAML tokens to flow through Azure Application Proxy to the internal site
Using SAML for SSO between AzureAD and various web-apps works like a charm. However, this requires the web-app to have a public facing URL.
At the same time, Application Proxy works great for securing internally-hosted web-apps in that it actually enforces that a user must be logged into AzureAD before being allowed to access the app's external URL. This greatly reduces the possible threat vectors that can be employed to attack the site.
What would be excellent is if the two could be combined: Making an internal web-app available in such a way that the user would need to sign into AzureAD before being able to access the URL - and then, in turn, using the already provided user information to send a SAML token to the internal web-app for single sign on.
Increased security AND convenience.
We tried building this together with MS support in a roundabout fashion for a while now - but at the moment it's not possible. I heard that something involving a partnership with PingIdentity might be in the works - but it would be so much better if this were to work with AzureAD!