Tyk GW + TIB + Azure AD as an identity provider


I’m trying to configure TIB for connecting to Microsoft Azure AD via OpenID-connect SocialProvider.
But I cannot pass ‘prompt=select_account’ attribute to Microsoft login dialog.
Is there a way to do that?


Hi @pavelbakh, welcome to the community.

We would need more information. Such as:

  • What are you trying to achieve?
  • How did you configured your profile?
  • How did you configured Azure AD?
  • Are you using external or internal TIB?
  • How do you start the flow?

Hi @Olu,
thank you for the response.
I’m using external TIB with following profile:

  "ActionType": "GenerateOAuthTokenForClient",
  "ID": "1",
  "IdentityHandlerConfig": {
    "DashboardCredential": "",
    "DisableOneTokenPerAPI": false,
    "OAuth": {
      "APIListenPath": "httpbin",
      "BaseAPIID": "{{api_id}}",
      "ClientId": "{{oauth_client_id}}",
      "RedirectURI": "http://localhost:4200/token",
      "ResponseType": "code",
      "Secret": "{{oauth_client_secret}}",
      "NoRedirect": false
  "MatchedPolicyID": "{{policy_id}}",
  "OrgID": "{{org_id}}",
  "ProviderConfig": {
    "CallbackBaseURL": "{{TIB_URL}}",
    "FailureRedirect": "http://localhost:4200/?fail=true",
    "UseProviders": [{
      "Name": "openid-connect",
      "Key": "{{azure_ad_client_id}}",
      "Secret": "{{azure_ad_client_secret}}",
      "Scopes": ["openid", "email"],
      "DiscoverURL": "https://login.microsoftonline.com/{{azure_tenant_id}}/v2.0/.well-known/openid-configuration",
      "SkipUserInfoRequest": false
  "ProviderName": "SocialProvider",
  "ReturnURL": "",
  "Type": "redirect"

The Azure AD configuration as follows:

	"id": "031aaacf-d864-4851-8434-XXXXXXXXXXXX",
	"acceptMappedClaims": null,
	"accessTokenAcceptedVersion": null,
	"addIns": [],
	"allowPublicClient": true,
	"appId": "265f67cc-0ca4-4121-9c83-XXXXXXXXXXXX",
	"appRoles": [],
	"oauth2AllowUrlPathMatching": false,
	"createdDateTime": "2021-08-19T12:22:34Z",
	"certification": null,
	"disabledByMicrosoftStatus": null,
	"groupMembershipClaims": null,
	"identifierUris": [],
	"informationalUrls": {
		"termsOfService": null,
		"support": null,
		"privacy": null,
		"marketing": null
	"keyCredentials": [],
	"knownClientApplications": [],
	"logoUrl": "https://secure.aadcdn.microsoftonline-p.com/c1c6b6c8-2pwvh0pntd8hbpgbg3vo-xlu-xtko616igpvauksprc/appbranding/kepwpek1j3bh9w2cniftg-mrftpyij-hewvudn9-eje/1033/bannerlogo?ts=637728503871177307",
	"logoutUrl": null,
	"name": "authpoc-tyk-gw",
	"oauth2AllowIdTokenImplicitFlow": true,
	"oauth2AllowImplicitFlow": false,
	"oauth2Permissions": [],
	"oauth2RequirePostResponse": false,
	"optionalClaims": null,
	"orgRestrictions": [],
	"parentalControlSettings": {
		"countriesBlockedForMinors": [],
		"legalAgeGroupRule": "Allow"
	"passwordCredentials": [
			"customKeyIdentifier": null,
			"endDate": "2023-10-29T08:51:09.663Z",
			"keyId": "02a4cd23-9614-456e-bd3c-XXXXXXXXXXXX",
			"startDate": "2021-10-29T07:51:09.663Z",
			"value": null,
			"createdOn": "2021-10-29T07:51:30.33644Z",
			"hint": "XXXXXXXXXXXX",
			"displayName": "Password uploaded on Fri Oct 29 2021"
	"preAuthorizedApplications": [],
	"publisherDomain": "ebolttoutlook.onmicrosoft.com",
	"replyUrlsWithType": [
			"url": "https://TIB_ADDRESS/login/auth/1/openid-connect/callback",
			"type": "Web"
			"url": "http://localhost:4200",
			"type": "Web"
	"requiredResourceAccess": [
			"resourceAppId": "00000003-0000-0000-c000-000000000000",
			"resourceAccess": [
					"id": "e1fe6dd8-ba31-4d61-89e7-XXXXXXXXXXXX",
					"type": "Scope"
	"samlMetadataUrl": null,
	"signInUrl": null,
	"signInAudience": "AzureADMyOrg",
	"tags": [
	"tokenEncryptionKeyId": null

The workflow as follows:
WebGUI login button → get request to https://TIB_ADDRESS/login/auth/1/openid-connect → redirect to Azure Login Dialog

I’m trying to get login dialog like:

So it should be always “Pick an account” form which require attribute ‘prompt=select_account’ to be set when requesting azure like:

Is that possible to configure TIB to achieve that?

Thanks for providing more information. I asked internally and got a response that this is not possible with TIB.

Normally you get redirected to Azure, however, we cannot set that kind of params in the URL you are redirected to currently.

is it allowed to connect Tyk via curl or Postman if saml is enabled?

Thank you @Olu , that was my expectation also