
We are using Azure AD w/SAML to authenticate our users' access to SFDC. When we set up the Azure Enterprise App for the Sandbox, everything works perfectly. Users can find the Sandbox app under the App Launcher in O365, click and they are in. Log out from either O365 or Sandbox, and both log out.

Now that we are moving on to implementing SSO on the Production Org, almost everything works as needed. They can find the app under the app launcher, and click on it, but it brings them to the Salesforce login screen where they need to then click the SSO login option. Everything else works fine.

From what I can tell, there is a difference between the 2 Microsoft-provided apps in Azure: they both have a field called "Sign on URL" under the basic SAML configuration; however, it is blank (and not required) on the Sandbox app, and is required on the Production app, even though the instructions state that it can be ignored.

In the attached image, the green box is not required for the Sandbox app, and is blank.

Can the sandbox app be used for production? Any ideas on how to implement this without setting that Sign on URL value?

Azure AD SSO with SAML - Sandbox vs Production
