I have a SAML 2.0 based Single Sign On working with Pingfederate, wso2 Identity server as well as ADFS. Its also working with Azure AD SAML 2.0 fedration. But I need to have my own setup to incorporate the recent changes by Azure on using multiple certificates for signing it responses which they claim to change dynamically.
Please point me to a quick setup resouce on this as I am new to Azure.
As per this,
Tutorials for integrating SaaS applications using Azure Active Directory
Configuring SAML based single sign-on for non-gallery applications
Your application may already be in the gallery (marketplace) in which case there will be a script or the latter provides instructions to do it manually via Enterprise applications.
Related
I am a bit new to Azure AD and some of its features. I have a vendor application that wants to setup authentication & single sign on using our Azure Active Directory. The documentation they provided me with just walks through adding Azure AD SAML Toolkit as the enterprise application and configuring it accordingly. However, I noticed immediately that the description for that enterprise application was "This is the sample SAML app which customers can use to test the SAML single sign-on integration with Azure AD."
My question is, shouldn't a vendor application have setup an enterprise application for me to add to our Azure tenant or is it common and good practice for applications to use the Azure AD SAML Toolkit for production implementations?
So far I have found no reason documented that this is bad practice. We have implemented it for the vendor application and have had no issues up to this point.
There doesn't appear to be much information available on developing a custom Azure Active Directory Enterprise Application. Is the developer information available anywhere?
e.g. develop an application that will appear in the list of Enterprise Applications in the Azure Active Directory gallery and that, once developed (in C#), allows SSO and provisioning of an external system, based on users and groups in Azure Active Directory
If you want to publish your app to azure ad gallery, you submit your request for access in the Application Network portal and implement SSO by using the federation protocol or by using the password SSO and request for user provisioning.
For more details of these steps, you can refer to this tutorial about how to publish the app to azure ad gallery. In this tutorial, there are also some links which may help you on how to do the development(such as integrate your application with Azure AD by using the Open ID Connect protocol, how to support SAML 2.0 and so on).
Is SAML authentication possible in Azure Web Apps? If possible, how can I configure Azure AD for SAML authentication? I tried finding a solution but the only Microsoft documents I've found regarding this is https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/saml-toolkit-tutorial . The problem within the document is that it doesn't specify any code related information
Yes - you need two things.
The application needs a client-side stack.
Azure AD has to be configured as an Enterprise application.
I am trying to set IS4 as Identity Provider.
The first thing I tried was to create a federation trust between Azure AD and the domain where I hosted my IS4. once federated by using the "Get-MsolDomainFederationSettings" command in PowerShell I got values for the following parameters:
I have found the following "solution", that also comes with this documentation, but it is a paid solution, and I am looking for a free option.
Should I use standard protocols, e.g. OpenID Connect, WS-Federation or SAML2p, and how can this be configured?
Based on the question and clarifying comments here the answer as of today:
You cannot achieve the required target architecture as of today. Today the only officially supported federation for Azure AD is ADFS over WS-Federation protocol and Ping Federate as preview. There is an official documentation describing the federation options with Azure AD.
There have been some tests in the past, but there is nothing officially supported beside the two options mentioned.
Looking at SSO, you can however look at the other side of the things:
You have IdentityServer and already some applications registered for it
You want SSO for Azure (O365) users to this applications
You can achieve what you want in the following manner:
You continue using Identity Server for your apps
You configure an external provider for your Identity Server as described here
What you certainly cannot achieve is:
Making Azure (Azure AD) authenticate users over Identity Server (at least not in a supported way!)
Azure AD can only be used as an endpoint as per #astaykov.
It can be an STS but it cannot be a R-STS i.e. it cannot be an intermediate step.
The solution described above is a paid solution because it uses the RSK SAML stack.
However, you could follow the same steps using the Sustainsys .NET Core option which is free.
I have configured the Azure AD Authentication for my asp.net core project using the services of "Microsoft.AspNetCore.Authentication.*" packages. The project is expected to be deployed to Azure App Service as a Web App.
While I enabled Azure AD authentication, I also see there is an option to enable the same at the Web App level through Application Settings on Azure Portal.
I have question around which option is recommended. I do see when I don't leverage Azure AD authentication configured via nuGet packages, I don't have OpenId connect service plugged into the StartUp.cs file. And I think these services are pivotal in populating the authentication properties like User.Identity.Name. On the other hand with just portal enabled authentication, I don't see this information populated. So, I presume if I want to do further work with logged in user's identity, like leveraging current claims information for authorization, I won't be able to achieve that with portal only authentication.
Your assessment is basically correct. The portal-enabled authentication runs completely outside your application and isn't capable of setting User.Identity.Name when using .NET Core (that level of integration only works with ASP.NET 4.x).
My recommendation is to use the ASP.NET Core NuGet package so you can get the full integration. It's a lot more work to set up, but once you get it working you should be in good shape and get the full end-to-end experience you want.
If you are interested in using the portal-enabled Azure AD authentication support, then take a look at this StackOverflow question to learn how you can get it to work with User.Identity.Name.