Internal SAML 2.0 app federated to on-prem ADFS will not work with Azure Application Proxy

We have an internal SAML 2.0 application federated to an on-prem ADFS - this is an existing trust which works inside our network. The access URL is not available externally.
We have an Azure tenant also federated to that on-prem ADFS.
When I add an application to the Azure App Proxy I enter the Internal URL and I am presented with the External URL.
When users navigate to the External URL they are sent through the Application Proxy Connector inside our network and then onto the application. This all works fine unless the app is federated to our on-prem ADFS.
The application then forwards onto the on-prem ADFS for authentication.
After successful authentication the browser is redirected back to the application, on the internal URL, which is obviously not resolvable for the user outside who came through the external URL/App Proxy.
There are options to translate URLs but this seems to lose the expected state information.
This is where I am stuck.
Blake P asked:
Kyle Santos (Quality Assurance) commented:

I am here to help you with your open question.  Do you still need help?  I have the ability to alert more experts if you still need help.

If you solved the problem on your own, would you please post the solution here in case others have the same problem?

If you need me to delete this question just say "Delete."

Thank you for using Experts Exchange.


Kyle Santos
Customer Relations
Blake P (Author) commented:
Well after much trial and error I have found the solution. It is actually quite simple once you know the required configuration.

Step 1: Add your application in the Enterprise Applications and configure Application Proxy as normal (internal URL, specify connector, Preauthentication = Azure Active Directory, everything else default, Azure Single sign-on disabled in SSO section). Take note of the external URL.
Step 2: Add ANOTHER application and set the single sign-on to SAML (i.e. no app proxy). Specify the REPLY URL to be the external URL provided in Step 1.
Step 3: Federate your internal SAML application to the cloud IdP (Azure AD) with the XML metadata and cert provided in Step 2.
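The three steps above, expressed as a check rather than portal clicks. This is an added example, not code from the original post or from Microsoft: it parses a constructed stand-in for the Azure AD federation metadata downloaded in Step 2 (real metadata carries more elements, including a signature, which are not reproduced here), generates the SP metadata the internal application would present to the cloud IdP in Step 3, and refuses to do so unless the AssertionConsumerService URL is one of the Reply URLs registered in Step 2. The hostnames, tenant ID and certificate blob are placeholders; only the msappproxy.net domain reflects the App Proxy default.

```python
"""Added example: wire the internal SAML app to Azure AD via the App Proxy
external URL and catch the misconfiguration from the question (IdP replying
to the internal URL) before anything is deployed.  Every URL, the tenant ID
and the certificate text below are constructed placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Assumed values: the internal ACS, the external URL App Proxy handed back in
# Step 1 (msappproxy.net is the default proxy domain) and a fake tenant ID.
INTERNAL_URL = "https://samlapp.corp.example/saml/acs"
EXTERNAL_URL = "https://samlapp-contoso.msappproxy.net/saml/acs"
SP_ENTITY_ID = "https://samlapp-contoso.msappproxy.net/"
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Constructed stand-in for the federation metadata XML from Step 2.
# The X509Certificate content is a placeholder string, not a real certificate.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull what the internal app needs from the IdP metadata: the IdP entity ID,
    the SSO endpoint per binding and the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    certs = [c.text.strip()
             for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"      # no 'use' means both
             for c in kd.iter(f"{{{DS}}}X509Certificate")]
    if not certs:
        raise ValueError("IdP metadata has no signing certificate")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def normalize(url: str) -> str:
    """Canonical form for reply-URL comparison: scheme and host case-insensitive,
    default ports dropped, path kept exactly."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port and not ((p.scheme == "https" and p.port == 443)
                       or (p.scheme == "http" and p.port == 80)):
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host.lower()}{p.path or '/'}"


def acs_matches_reply_url(acs_url: str, reply_urls: list) -> bool:
    """True only if the ACS the app advertises is exactly a registered Reply URL.
    Prefix or wildcard matching is deliberately not done: the Reply URL is where
    the IdP posts the signed assertion, so a loose match widens where it can land."""
    return normalize(acs_url) in {normalize(r) for r in reply_urls}


def build_sp_metadata(entity_id: str, acs_url: str) -> str:
    """SP metadata for the internal app.  The ACS must be the EXTERNAL URL;
    with the internal URL the IdP sends the browser somewhere it cannot reach."""
    ET.register_namespace("md", MD)
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       AuthnRequestsSigned="false", WantAssertionsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  Binding=HTTP_POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


def federate(idp_xml: str, registered_reply_urls: list, acs_url: str) -> dict:
    """Step 3 as a guarded operation: parse the IdP metadata, verify the ACS is a
    registered Reply URL, then emit the SP metadata to hand to the internal app."""
    idp = parse_idp_metadata(idp_xml)
    if not acs_matches_reply_url(acs_url, registered_reply_urls):
        raise ValueError(f"ACS {acs_url} is not a registered Reply URL; "
                         "use the App Proxy external URL from Step 1")
    return {"idp": idp, "sp_metadata": build_sp_metadata(SP_ENTITY_ID, acs_url)}


if __name__ == "__main__":
    ok = federate(IDP_METADATA, [EXTERNAL_URL], EXTERNAL_URL)
    print("IdP SSO (redirect):", ok["idp"]["sso"][HTTP_REDIRECT])
    print(ok["sp_metadata"])
    try:  # the configuration from the question: ACS left on the internal URL
        federate(IDP_METADATA, [EXTERNAL_URL], INTERNAL_URL)
    except ValueError as err:
        print("rejected:", err)
```

The comparison is an exact match after canonicalisation on purpose: the Reply URL is the only place the IdP will POST the signed assertion, so the proxy-facing external URL has to be registered verbatim, and the internal URL should not be added alongside it just to make the old trust keep working.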

Kyle Santos (Quality Assurance) commented:
Thank you for letting us know!
Active Directory Federation Services (ADFS)