Authenticating to multiple Active Directory domains

We have a requirement to authenticate users in separate Active Directory forests to the same SAML application. The DAG does not support multiple forests so I built an identical DAG under a different FQDN for the 2nd domain. When configuring the 2nd DAG, the entityID is using the new FQDN so the SAML authentication is invalid.
How can I configure the 2nd DAG to send SAML assertions using the primary DAG’s entityID, but still allow users to connect to it using the new FQDN? In the config file I am able to set the baseurlpath to the primary server, but then this breaks the ability for a user to log into it. Is there a setting in the config file for just the entityID? Will that even make things work if I can change it?

Hello ITMonkey, I kind of had the same challenge when I had to synchronize users from different AD forests using the Duo Authentication Proxy. The solution was to point the Authentication Proxy to the AD global catalog server instead of an individual forest AD server. Be aware that the global catalog uses a different port (3268 instead of 389/636).

I would give it a try to configure the global catalog as the identity source within your Access Gateway and see if you can authenticate users from different forests.