Fix azure-saml flow

backend/src/ee/routes/v1/sso.ts

@@ -13,7 +13,10 @@ router.get(
     const options = {
         failureRedirect: "/",
         additionalParams: {
-          RelayState: req.query.callback_port ?? ""
+          RelayState: JSON.stringify({
+            spInitiated: true,
+            callbackPort: req.query.callback_port ?? ""
+          })
         },
     };
     passport.authenticate("saml", options)(req, res, next);

backend/src/utils/auth.ts

@@ -312,7 +312,9 @@ const initializePassport = async () => {
         }
         
         if (ssoConfig.authProvider.toString() === AuthMethod.AZURE_SAML.toString()) {
-          samlConfig.audience = `spn:${ssoConfig.issuer}`;
+          if (req.body.RelayState && JSON.parse(req.body.RelayState).spInitiated) {
+            samlConfig.audience = `spn:${ssoConfig.issuer}`;
+          }
         }
         
         req.ssoConfig = ssoConfig;
@@ -407,7 +409,7 @@ const initializePassport = async () => {
           authMethod: req.ssoConfig.authProvider,
           isUserCompleted,
           ...(req.body.RelayState ? {
-            callbackPort: req.body.RelayState as string
+            callbackPort: JSON.parse(req.body.RelayState).callbackPort as string
           } : {})
         },
         expiresIn: await getJwtProviderAuthLifetime(),

docs/documentation/platform/sso/azure.mdx

@@ -63,12 +63,17 @@ description: "Configure Azure SAML for Infisical SSO"
 
 7. Get IdP values:
 
-Back in the **Set up Single Sign-On with SAML** screen, copy the **Login URL**, **Azure AD Identifier** and **SAML Certificate** to use when finishing configuring Azure SAML in Infisical.
+In the **Set up Single Sign-On with SAML** screen, copy the **Login URL** and **SAML Certificate** to use when finishing configuring Azure SAML in Infisical.
 
-Back in Infisical, set **Login URL** and **Azure AD Identifier** from above. Once you've done that, press **Update** to complete the required configuration.
+![Azure SAML identity provider values 1](../../../images/sso/azure/idp-values.png)
 
-![Azure SAML identity provider values](../../../images/sso/azure/idp-values.png)
-![Azure SAML paste identity provider values](../../../images/sso/azure/idp-values-2.png)
+In the **Properties** screen, copy the **Application ID** to use when finishing configuring Azure SAML in Infisical.
+
+![Azure SAML identity provider values 2](../../../images/sso/azure/idp-values-2.png)
+
+Back in Infisical, set **Login URL**, **Azure Application ID**, and **SAML Certificate** from above. Once you've done that, press **Update** to complete the required configuration.
+
+![Azure SAML paste identity provider values](../../../images/sso/azure/idp-values-3.png)
 
 <Note>
 When pasting the certificate into Infisical, you'll want to retain `-----BEGIN

frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/SSOModal.tsx

@@ -143,8 +143,8 @@ export const SSOModal = ({
                     entityId: "Identifier (Entity ID)",
                     entryPoint: "Login URL",
                     entryPointPlaceholder: "https://login.microsoftonline.com/xxx/saml2",
-                    issuer: "Azure AD Identifier",
-                    issuerPlaceholder: "https://sts.windows.net/xxx/"
+                    issuer: "Azure Application ID",
+                    issuerPlaceholder: "abc-def-ghi-jkl-mno"
                 });
             case AuthProvider.JUMPCLOUD_SAML:
                 return ({