Read SAML response received from azure active directory using java

Looks like it may not be something wrong with your setup, but currently a limitation for Azure AD Application Proxy, that it isn't able to pass the SAML token to internal web app for SSO.

Please take a look at the links below, looks like it's a planned item for the Azure AD team and you could try to confirm this with Microsoft Support and get details from them on a possible workaround.

I hope this helps!

1. App Proxy - SAML as SSO Option https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33318022-app-proxy-saml-as-sso-option

   Here they mention that work is starting on the item and even suggest a work around and share contact information to ask for more details.

   

2. Enable SAML tokens to flow through Azure Application Proxy to the internal site https://feedback.azure.com/forums/374982-azure-active-directory-application-requests/suggestions/19204666-enable-saml-tokens-to-flow-through-azure-applicati

   This one explains the problem itself in a lot more detail

   

Update: Here is a write-up from the response I got from Azure AD Feedback team

Part 1: Configuring the Application in Application Proxy

Step 1: Add a new Enterprise Application, and chose the “on-premises application” option. Fill out the application information with the internal URL that is the identifier for the application, and the external URL that you want your users to use when external. Make sure you select the connector group that contains the connectors with access to the application – if you only followed the steps in part 0 and haven’t created new connector groups, the correct group is “Default”.

Step 2: Assign Users to the Application through the “Users and Groups” menu

Part 2: Configure the SAML App

Step 1: Add another application, but this time choose Non-gallery application

Step 2: Since users are assigned through the Application Proxy application, they don’t need to be assigned here. In the properties menu, turn off the User Assignment Required field.

Step 3: Configure the Single-Sign On settings in the corresponding menu. Chose “SAML-based Sign-on”. Provide the application identifier of your application. Put the Reply URL as the Application Proxy external URL (configured in Part 1, Step 1). Chose the type of user identifier and add the signing certificate for the tokens. Your application is now ready to use. It can be accessed by the Application Proxy external URL, or by going through the Access Panel.