Using both Azure AD and Azure AD B2C to authenticate with SSO - azure

My Azure web application will have both internal and external users. The requirements regarding authentication are:
Internal users authenticate with their domain accounts (with SSO)
External users authenticate through Azure AD B2C (we need to create accounts for them)
How can I set up such scenario?
Regards
George

If your internal users are using Azure AD - simple - you add your corporate AAD as Identity provider to your B2C.
There are various ways to do this. So start here.
If your internal users do not have Microsoft 365 (Azure AD), and you only have on-premises AD DS infrastructure - ... move to Cloud, things will be so much easier. If not, you need at least ADFS, then you can hook up ADFS as Identity Provider in your B2C.
There is no way to make Windows Integrated Authentication and Claims Based authentication at the same time for the app.

Related

SSO With Azure Active Directory or ADFS or AD

Newbie to Microsoft SSO Authentication.
Have metadata, pubic cert and login url and Azure AD identifier and entityid.
When I was going through this SAML2.0 i see diff types of auth strategies like Federation Services, ADFS, Active Directory, Azure Directory... Getting confused and trying to visualize the type of authentication these details support.
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-nodejs-webapp-msal
Can somebody point me what type of authentication that we can provide with below details ?
metadata, pubic cert and login url and Azure AD identifier and entityid.
Regards,
likki.
We install adfs on Windows Server operating systems. It extends on-prem identities managed within AD to cloud applications through both SAML and OAuth. AD FS is meant for on-prem environments and does not authenticate through Azure infrastructure; it only authenticates against Active Directory.
AAD mainly serves as a cloud-based user management, as well as offers SSO capabilities for web applications. In fact, it authenticates users to their applications in much the same way as AD FS. The difference is that AAD authenticates via the cloud and AD FS authenticates on-prem. 
Federation - When you set up SSO to work between multiple identity providers, it's called federation. An SSO implementation based on federation protocols improves security, reliability, end-user experiences, and implementation.
With federated single sign-on, Azure AD authenticates the user to the application by using their Azure AD account. This method is supported for SAML 2.0, WS-Federation, or OpenID Connect applications. Federated SSO is the richest mode of SSO. Use federated SSO with Azure AD when an application supports it, instead of password-based SSO and Active Directory Federation Services (AD FS).
So, if you want authenticate with cloud users you can go with azure ad or else if you want to use your on-premise user identities authenticate users for the application you can go with ADFS.
You can find more information here What is single sign-on? - Azure AD | Microsoft Docs

Azure AD B2C and on-premise Active Directory

We have the following scenario:
an Angular app accessing a Web Api backend
our own user database
We are planning to use a third-party identity solution such as Azure AD B2C, AWS IAM or Auth0. To my surprise, I found that Auth0 has an integration with on-premise Active Directory, but Azure AD B2C seems not to support this (at least not that I could find out)
We want to get to the following scenario:
an Angular app accessing a Web Api backend
third-party identity solution that manages the users of the angular app (preferably Azure AD B2C)
users need to authenticate via the identity solution (e.g. using a social account)
some users are in an existing on-premise AD and also need to be able to access the angular app
So my problem basically is : if we would use Azure AD B2C, how can we let users that are defined in an on-premise AD, authenticate in our Angular app? Or with other words: can an on-premise AD be an identity provider for Azure B2C?
This scenario can be solved with AD B2C custom policies.
I found that Auth0 has an integration with on-premise Active
Directory, but Azure AD B2C seems not to support this (at least not
that I could find out)
One way I know to make this work through ADFS. Where you can Integrate ADFS in B2C. I will update this answer if I know any other way of doing this.
Update Start
You can use Shibboleth and Okta servers apart ADFS server.
Update End
users need to authenticate via the identity solution (e.g. using a
social account) some users are in an existing on-premise AD and also
need to be able to access the angular app
If you use custom policies, you can achieve all of these scenarios. You can integrate both social accounts and AD via ADFS (On Premise ADFS server which give access to On Premise AD users)
if we would use Azure AD B2C, how can we let users that are defined in
an on-premise AD, authenticate in our Angular app? Or with other
words: can an on-premise AD be an identity provider for Azure B2C?
As I said this is possible through ADFS server. All you need to do is enable ADFS service on your server and add Relying Parties and make B2C consume and allow your AD users to login with B2C.
Warning: If at all your server not have ADFS enabled first try it on other test server.
ADFS in custom policies can found at: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp

How does Azure Active Directory support federation with Okta as an IDP?

Is it possible to integrate Okta as an IDP (Identity Provider) for an application in Azure, where Azure would be the Service Provider?
Presently the authentication is managed by Azure AD, we have AD users that have been granted access to these applications hosted in Azure, and Use ADAL for logging in users, and obtaining tokens for securing API calls to the Backend APIs.
Can Okta be added as an IDP and added to the AAD, through SAML or WS-Federation?
Yes, OKTA is listed as one of the third-party IDPs in the Azure AD federation compatibility list which can support federation with Azure Active Directory (AAD).
The supported scenario matrix is listed here.
Hope this clarifies your doubt.

Azure AD, B2B, and Shibboleth Integration

My organization has our own custom software solution hosted as a Web App in Azure. We are utilizing Azure AD for our authentication security. Some of our customers may have their own Office365 AD tenants, and so we take advantage of the B2B capabilities to invite these users to our apps and have some visibility of their accounts in our AD tenant (as external users).
We have one customer who would like for us to integrate with their Shibboleth service. We would like to support using their Shibboleth service as the identity provider for their users, and allow their MFA settings to be honored. We don't want to force them to create new identities in AD. What would be needed on our side to support this sort of trusted federation with Shibboleth? Ideally we'd like to be able to see their identities surfaced as external users in our AD tenant so that we're using a single security model for our app.
Azure AD's only equivalent for "trust" or "federation" with others is, as you've been doing, via B2B. Currently there is no B2B-like equivalent that supports direct federation to non-Azure AD IdPs.
However it is possible to set up Azure AD so that it leverages a third party IdP as its primary auth mechanism.
You should be able combine these two approaches to achieve what you want.
Have your customer sign-up for Azure AD
Have your customer configure Shibboleth as per the steps in this article: https://msdn.microsoft.com/en-us/library/azure/jj205456.aspx
Add your customer's users to your Azure AD via B2B as you've been doing for everyone else.

Connecting ADFS to Windows Azure Active Directory

We are developing a multi-tenant application and would like to be listed on Azure and support Azure AD as an IdP for our customers. However, a few customers that already have ADFS 2.0 setup didn't like the idea of sync'ing all accounts and passwords to Azure AD. So, is there anyway that when Azure AD receives a login request, somehow, have it redirect to ADFS and let ADFS do all the magic and return a token back to Azure AD which then returns JWT (using OpenID Connect) to our application?
I know that ACS supports such scenario but we are worried that Microsoft would soon drop support for it.
Thanks!
This document details how your customers can federate their ADFS instance with Azure AD:
https://technet.microsoft.com/library/dn550987.aspx

Resources