• Dean Bostedor
  • 0 Points
  • Member since 2017

  • Chatter
  • 0
    Best Answers
  • 0
    Likes Received
  • 0
    Likes Given
  • 1
  • 0

Error when authenticating to community site using SAML/Azure AD:  The reply address 'https://company2.force.com/login?so=00D41000001i0oF' does not match the reply addresses configured for the application: 'https://company1.my.salesforce.com'.

We have recently implemented Azure AD single sign on for Salesforce in both our production and test environments.  This seems to work great.  However, there does not seem to be a way to add additional reply URL's so that we can authenticate to our "Salesforce Communities".  Our Salesforce URL for our main site is "https://companyname.my.salesforce.com/".  Our "Community" domain sign in URL is "https://companyname2.force.com/login".  

In the Azure, we've added the salesforce "application from the gallery".  When we go to configure the application, we see a section for adding a reply URL but are forced to use a convention that meets the "https://example.my.salesforce.com" standard.  
Has anyone else implemented salesforce SSO with more than one domain?  How do you add additional URLs?
We've looked at the following guides but some seem to be outdated or don't include instructions to add additional reply URLs for SAML to include additional URLs for Salesforce Community domains.
Guide from Microsoft Documentation for SAML, Azure AD, and Salesforce (note: no information about adding additional "Reply URLs for "Communities"):
Guide on Salesforce developer site using Open ID Connect and Azure AD (note: this includes information about implementing communities but hasn't been updated since Oct 2015 and seems to be missing steps or has out of date information.  Also, no user provisioning steps):
TechNet article for integrating SAML/Azure AD with Salesforce Sandbox (note: nothing about adding additonal reply URLs for communities.):

Also, we've tried to use OAuth and OpenID Connect with Azure using this guide:


The OAuth and OpenID connect does not work following those instructions and I believe it has something to do with the Reg handler or possibly Azure AD endpoints changing.  Specifically, the Authorize, Token, and Profile Endpoint URLs don't seem to be the same anymore as seen when you click the "endpoints" in Azure AD for the application.  There isn't even a "profile endpoint" available but instead a "graph API endpoint".. So, instead of using https://login.windows.net/common/openid/userinfo, I'm guessing more code has to be written on Salesforce's end to work with https://graph.windows.net.


Any insight into these things would be greatly appreciated.