Bypassing Microsoft Entra ID (Azure) login page
Symptom
- We'd like to add the query string whr=<MyDomain.edu> to our EZproxy SAML settings so that users go straight to our SSO and skip the intermediate Microsoft step of entering an email address to get there.
- This pertains to SAML and Microsoft Entra ID (Azure) only.
Applies to
- Hosted EZproxy
Resolution
The sts.windows.net domain may be bypassed by providing OCLC Support with an updated, valid metadata XML file in which the whr=<MyDomain.edu> parameter is appended to the Location URL of the SingleSignOnService and SingleLogoutService elements (the ones carrying the Binding= attribute).
Examples (the Location value must be a quoted attribute, otherwise the file is not well-formed XML):
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/111111111-495f-2222-9911-ffffffffffff/saml2?whr=MyDomain.edu"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/111111111-495f-2222-9911-ffffffffffff/saml2?whr=MyDomain.edu"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/111111111-495f-2222-9911-ffffffffffff/saml2?whr=MyDomain.edu"/>
Be sure to update the metadata file on your side after OCLC puts your new file in place. If you do not, the next time EZproxy restarts, the changes will revert to your old settings.
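As an added example (not from the OCLC article): a Python script that appends whr=<MyDomain.edu> to the Location attribute of every SingleSignOnService and SingleLogoutService element in an Entra ID metadata file, plus a check that lists any endpoint still missing the parameter and rejects a file that is not well-formed XML (for example, an unquoted Location attribute). The sample metadata and tenant id are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENDPOINTS = ("SingleSignOnService", "SingleLogoutService")

# Constructed sample IdP metadata; the tenant id is a placeholder, not a real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def add_whr(location: str, domain: str) -> str:
    """Append whr=<domain> to a URL, keeping other query parameters and
    replacing any whr value that is already there."""
    parts = urlsplit(location)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "whr"]
    query.append(("whr", domain))
    return urlunsplit(parts._replace(query=urlencode(query)))

def missing_whr(xml_text: str, domain: str) -> list:
    """Parse the metadata (ET.ParseError if it is not well-formed, e.g. an
    unquoted Location attribute) and list endpoint URLs lacking whr=<domain>."""
    root = ET.fromstring(xml_text)
    missing = []
    for name in ENDPOINTS:
        for el in root.iter(f"{{{MD_NS}}}{name}"):
            loc = el.get("Location", "")
            if dict(parse_qsl(urlsplit(loc).query)).get("whr") != domain:
                missing.append(loc)
    return missing

def add_whr_to_metadata(xml_text: str, domain: str) -> str:
    """Return the metadata with whr=<domain> on every SSO and SLO endpoint."""
    ET.register_namespace("", MD_NS)  # serialise with the default namespace, no ns0: prefix
    root = ET.fromstring(xml_text)
    for name in ENDPOINTS:
        for el in root.iter(f"{{{MD_NS}}}{name}"):
            el.set("Location", add_whr(el.get("Location"), domain))
    return ET.tostring(root, encoding="unicode")
```

Run missing_whr on the file you are about to send; an empty list means every SSO and SLO endpoint carries the parameter and the file parsed cleanly.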
Additional information
To add the query string to your metadata.xml file in Azure:
- Go to your Azure console.
- Go to the EZproxy service you set up.
- Change Entity ID to add the whr=<MyDomain.edu> parameter.
- Save your settings. This regenerates the XML file and puts it in the correct place.
The Azure console may or may not offer a query string box; if it does, enter your domain <MyDomain.edu> there and it generates the whr=<MyDomain.edu> parameter for you.
After you save your settings, check the new file, and verify you see the changes.
When this is complete, send a reply from your OCLC Zendesk ticket so we can re-enable the URL line and test it live with you.
Page ID
49811