Claim augmentation with Azure AD authentication - azure

"I have an application where I have users authenticated with multiple directories, all federated using an ADFS. There is a central ADFS that does the federation and routing to the correct IDP. Most IDPs are ADFS that add claims to the SAML token by using the normal ADFS rules. We now have some customers that want to use Azure AD as IDP, but this does not seem to allow adding claims like ADFS does.

What would be the way to add custom claims to a SAML token using Azure AD?"

You can do this by adding your application in the Azure AD Directory Portal via the Application Gallery. This gives you the opportunity to add claims to the outgoing SAML token.
If you have Azure AD Premium you can add your own application (that accepts SAML 2.0) and configure the extra claims via the "Attributes" tab.
If you or your customers do not have Azure AD Premium you will have to have your app added to the Azure AD Application Gallery. The process for this is described in https://azure.microsoft.com/en-us/documentation/articles/active-directory-app-gallery-listing/

Related

Azure AD B2C and on-premise Active Directory

We have the following scenario:
an Angular app accessing a Web Api backend
our own user database
We are planning to use a third-party identity solution such as Azure AD B2C, AWS IAM or Auth0. To my surprise, I found that Auth0 has an integration with on-premise Active Directory, but Azure AD B2C seems not to support this (at least not that I could find out).
We want to get to the following scenario:
an Angular app accessing a Web Api backend
third-party identity solution that manages the users of the angular app (preferably Azure AD B2C)
users need to authenticate via the identity solution (e.g. using a social account)
some users are in an existing on-premise AD and also need to be able to access the angular app
So my problem basically is: if we would use Azure AD B2C, how can we let users that are defined in an on-premise AD authenticate in our Angular app? Or in other words: can an on-premise AD be an identity provider for Azure B2C?
This scenario can be solved with AD B2C custom policies.
"I found that Auth0 has an integration with on-premise Active Directory, but Azure AD B2C seems not to support this (at least not that I could find out)"
One way I know to make this work is through ADFS, where you can integrate ADFS in B2C. I will update this answer if I know any other way of doing this.
Update Start
You can use Shibboleth and Okta servers apart from an ADFS server.
Update End
"users need to authenticate via the identity solution (e.g. using a social account) some users are in an existing on-premise AD and also need to be able to access the angular app"
If you use custom policies, you can achieve all of these scenarios. You can integrate both social accounts and AD via ADFS (an on-premise ADFS server which gives access to on-premise AD users).
"if we would use Azure AD B2C, how can we let users that are defined in an on-premise AD, authenticate in our Angular app? Or with other words: can an on-premise AD be an identity provider for Azure B2C?"
As I said, this is possible through an ADFS server. All you need to do is enable the ADFS service on your server, add Relying Parties, and make B2C consume it and allow your AD users to log in with B2C.
Warning: if your server does not have ADFS enabled, first try it on another test server.
ADFS in custom policies can be found at: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp

How does Azure Active Directory support federation with Okta as an IDP?

Is it possible to integrate Okta as an IDP (Identity Provider) for an application in Azure, where Azure would be the Service Provider?
Presently the authentication is managed by Azure AD; we have AD users that have been granted access to these applications hosted in Azure, and we use ADAL for logging in users and obtaining tokens for securing API calls to the backend APIs.
Can Okta be added as an IDP and added to the AAD, through SAML or WS-Federation?
Yes, OKTA is listed as one of the third-party IDPs in the Azure AD federation compatibility list which can support federation with Azure Active Directory (AAD).
The supported scenario matrix is listed here.
Hope this clarifies your doubt.

Adding Claims to a SAML token using Azure AD Single Sign-On

We have an application that uses multiple IDPs for authentication. We receive a SAML token with some extra claims that we authenticate on. We also want to use Azure AD as a trusted IDP, but how can our customer add the required claims to their returned SAML token?
There is no option to add claims to the Azure AD generated SAML token. To do this you have to add your application to the Azure AD Application Gallery. For Azure AD Premium users this can be done for your own applications that accept SAML.
For non-Azure AD Premium users you have to add your application to the Azure AD Gallery, see https://azure.microsoft.com/en-us/documentation/articles/active-directory-app-gallery-listing/.
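Both this answer and the earlier "Claim augmentation" one stop at configuring the extra attributes on the Azure AD side and say nothing about what the relying party should do with them. The block below is an added example, not code from either post: it shows the consuming side reading custom claims out of an Azure AD SAML 2.0 assertion only after the issuer, validity window and audience have been checked. The tenant ID, the app entity ID `https://app.example/sp`, the extra `role` attribute and the sample assertion itself are all constructed for illustration; the XML signature is assumed to have already been verified by a proper XML-DSig library, which this code does not do.

```python
"""Relying-party side check of an Azure AD SAML 2.0 assertion carrying
custom claims.

Added example, not code from the original posts. The tenant ID, the app
entity ID, the custom "role" attribute and the sample assertion are
constructed for illustration. The XML signature is assumed to have been
verified already with a real XML-DSig library (e.g. python3-saml or
signxml); this code only validates issuer, audience and validity window
before reading the attribute statement.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical relying-party configuration.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
TENANT_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"  # Azure AD SAML issuer format
APP_ENTITY_ID = "https://app.example/sp"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample, shaped like an Azure AD assertion for a SAML app:
# the standard name/tenantid claims plus one extra "role" attribute that
# the customer configured on the app's attributes tab.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{TENANT_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>user@contoso.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
    <saml:AudienceRestriction><saml:Audience>{APP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>user@contoso.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>{TENANT_ID}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>reader</saml:AttributeValue>
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


class AssertionRejected(Exception):
    """Raised when the assertion must not be trusted."""


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml, expected_issuer, expected_audience, now,
                   required=(), skew=timedelta(minutes=5)):
    """Validate the assertion envelope, then return {claim name: [values]}."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise AssertionRejected("not a SAML 2.0 Assertion")

    # 1. Issuer must be the tenant we federated with, not just any Azure AD tenant.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        raise AssertionRejected(f"unexpected issuer {issuer!r}")

    # 2. Validity window, with a small clock-skew allowance.
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise AssertionRejected("missing validity conditions")
    if now < _utc(cond.get("NotBefore")) - skew or now >= _utc(cond.get("NotOnOrAfter")) + skew:
        raise AssertionRejected("assertion outside validity window")

    # 3. Audience must name this app, or a token minted for another app in
    #    the same tenant would be accepted here.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        raise AssertionRejected(f"audience {audiences} does not include {expected_audience!r}")

    # 4. Only now read the attribute statement the customer configured.
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)

    missing = [name for name in required if name not in claims]
    if missing:
        raise AssertionRejected(f"required claims missing: {missing}")
    return claims


if __name__ == "__main__":
    print(extract_claims(SAMPLE_ASSERTION, TENANT_ISSUER, APP_ENTITY_ID,
                         SAMPLE_NOW, required=("role",)))
```

The order matters: a relying party that reads the `role` attribute before pinning the issuer and audience will happily authorise a user from any Azure AD tenant, or one holding a token issued for a different app, that happens to carry the right attribute name. In a multi-tenant app the expected issuer is looked up per customer from the tenant ID, not hard-coded as above.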

federate azure active directory with on premise ADFS

I'm trying to federate an on-premise ADFS 3.0 instance with an Azure Active Directory instance. The idea is to allow AAD (Azure) users to authenticate to an application which trusts the ADFS instance.
I added Azure AD to the claims provider trusts in ADFS (using its federation metadata document path).
Then I created an application in AAD which has the identifier of the ADFS (e.g. https://fs.somedomain.com/adfs/services/trust).
The ADFS instance then correctly displays AZURE as a special realm.
The only thing I can't figure out is what the reply URL in the Azure application settings should be, so the ADFS instance redirects the authenticated request to the correct application.
It's the normal adfs/ls.
You just need to configure the URL and URI.
Refer: Azure AD as IdP with AD FS as RP.

Connecting ADFS to Windows Azure Active Directory

We are developing a multi-tenant application and would like to be listed on Azure and support Azure AD as an IdP for our customers. However, a few customers that already have ADFS 2.0 set up didn't like the idea of syncing all accounts and passwords to Azure AD. So, is there any way that when Azure AD receives a login request, it somehow redirects to ADFS, lets ADFS do all the magic and returns a token back to Azure AD, which then returns a JWT (using OpenID Connect) to our application?
I know that ACS supports such scenario but we are worried that Microsoft would soon drop support for it.
Thanks!
This document details how your customers can federate their ADFS instance with Azure AD:
https://technet.microsoft.com/library/dn550987.aspx
