
I have an application in which we have recently implemented SAML for authentication. For most of our customers, all their users access the application from the same country. This is simple as there is one URL.

However, some of our customers who are global use different URLs, based on their location, to access the same application. e.g.

UK users use customer1.ourcompany.co.uk
US users use customer1.ourcompany.com

These URLs both go to the same instance of the application on the same IIS server.

These users may all authenticate using the same ADFS server, but need to be redirected back to .co.uk or .com, depending on which original URL the user came from.

Is this possible? If so, what would be the best method to implement this?

Other info: Windows-based environment. Always SP-initiated.

Manager was also thinking about using another gTLD (i.e. ourcompany.app) for some customers. This would be another URL that needs to be redirected to, as above.

Colin

1 Answer


While I haven't tested this, I think you can try the following:

  1. To differentiate the UK users from the US users, you can use different UPN suffixes, email address suffixes or any other attribute.

  2. Create two Relying Party Trusts, configure the UK URL in the first one and the US URL in the second one (or any other order you prefer).

  3. Edit the default Authorization Claim rules on each Relying Party Trust. Only allow incoming claims which have the correct value, such as a UPN suffix matching the corresponding location. Non-matching claims will be denied by this rule; only the matching values will be allowed, and a security token will be issued to the Relying Party.

Jimmy Sun
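As an added example (not from the question or the answer), the three steps above expressed as an ADFS PowerShell script: one SAML Relying Party Trust per regional host, each with an issuance authorization rule that only permits users whose UPN suffix belongs to that region. Because the flow is SP-initiated, the Issuer in each host's AuthnRequest selects its own trust, so ADFS posts the response back to that trust's assertion consumer endpoint, which is how users land on the URL they started from. The hostnames are the ones from the question; the ACS path, identifiers and UPN suffixes are placeholders, and the rule assumes the UPN claim is passed through by the Active Directory claims provider trust (its default acceptance rules do this).

```powershell
# Added example, not the asker's or answerer's configuration.
# Requires the ADFS module on an ADFS server; run from an elevated prompt.
$upn    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$nameId = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$permit = 'http://schemas.microsoft.com/authorization/claims/permit'

# One entry per regional URL. UPN suffixes are placeholders (step 1 of the answer:
# users in each region must actually carry a distinct suffix in AD).
$regions = @(
    @{ Name = 'Customer1 UK'; Host = 'customer1.ourcompany.co.uk'; UpnSuffix = 'uk.customer1.example' },
    @{ Name = 'Customer1 US'; Host = 'customer1.ourcompany.com';   UpnSuffix = 'us.customer1.example' }
)

foreach ($r in $regions) {
    # Step 2: the trust's own assertion consumer endpoint on the regional host.
    # ACS path is a placeholder; use what the SP software actually exposes.
    $acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "https://$($r.Host)/saml/acs" -Index 0

    # Step 3: replace the default "permit everyone" rule. A token is issued only
    # when the UPN ends in this region's suffix; with no permit claim ADFS denies.
    $authzRules = @"
@RuleName = "Permit only @$($r.UpnSuffix) users"
c:[Type == "$upn", Value =~ "(?i)@$([regex]::Escape($r.UpnSuffix))$"]
 => issue(Type = "$permit", Value = "true");
"@

    # Issuance transform: send the UPN to the SP as the SAML NameID.
    $transformRules = @"
@RuleName = "UPN as NameID"
c:[Type == "$upn"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@

    Add-AdfsRelyingPartyTrust -Name $r.Name `
        -Identifier "https://$($r.Host)/saml/metadata" `
        -SamlEndpoint $acs `
        -IssuanceAuthorizationRules $authzRules `
        -IssuanceTransformRules $transformRules `
        -SignedSamlRequestsRequired $true
}
```

On the SP side, each regional host should accept only assertions whose Audience is its own identifier, so a token issued for one trust is never accepted by the other host.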