We want to develop a mobile application which will be used by users in multiple organizations. Each of these organizations will have an Azure Active Directory tenant owned by them. We want to use Azure Mobile Services for authenticating users.
Once the user is authenticated and the mobile app has the JWT token, it will be subsequently sent to our API gateway to access various services.
Is is possible to use Azure mobile service Identity component in such a way that the app can authenticate against multiple Active Directory tenants? In other words can we create a multi-tenant mobile app which can authenticate against multiple Azure Active Directory tenants owned by different organizations?
Azure Active Directory does support development of multi-tenant web apps and there are sample applications available which demonstrates this capability. However is it possible to achieve the same functionality in a mobile app using Azure mobile services?
It is very much possible to build multi-tenant mobile apps backed by Azure Active Directory authentication. However, I doubt if Mobile Service will help here. Rather, I'll recommend creating a WebAPI project with AD authentication and consume those APIs in mobile apps. The samples that you've mentioned can be very much useful.
Related
I'm really struggling with these Azure AD concepts.
Here is my situation. I have a webapp with users belonging to Companies. I have a requirement that is to be able to authenticate those users through their Companies' Azure AD. Eventually, We would want to offer this in the Azure app gallery in the future.
I started registering the app through App Registration, which gives me the information to integrate using OIDC. We would like to support both, OIDC and SAML protocols (I see that there are apps in the gallery offering both).
I tested OIDC out and it's working correctly, but when I want to develop SAML integration, the documentation says that it has to be done using an enterprise application. I can't edit the SSO section of the enterprise app generated by my registration:
The single sign-on configuration is not available for this application in the Enterprise applications experience. MY APP was created using the App registrations experience.
so I tested creating a new enterprise app. Using this app I can do all the SAML flow correctly.
My questions here are:
Do I have to connect the registrated app with the enterprise app? How I do that?
Why I can't edit the SSO info in the enterprise generated app?
If it's done through the registration app. Where do I set up the SAML endpoints, certificates etc.?
By reading the docs, I understand that enterprise apps are like "an instance of a registered app". That leads me to think that I should configure all in the registered app, but I can't see how to support SAML.
As mentioned by #Srinath Menon in the above answer, If the application was registered using App registrations then the single sign-on capability is configured to use OIDC OAuth by default. In this case, the Single sign-on option won't show, For enterprise applications we have an option.
In both the ways applications are get registered in AAD, and there are two types of objects get created once the app registration is done.
The Application Object is what you see under App Registrations in AAD. The application object describes three aspects of an application: how the service can issue tokens to access the application, resources that the application might need to access, and the actions that the application can take.
. App Registration are basically the apps local to the tenant/organization.
The Service Principal Object is what you see under the Enterprise Registration blade in AAD. Every Application Object would create a corresponding Service Principal Object in the Enterprise Registration blade of AAD. A service principal is created in each tenant where the application is used and references the globally unique app object.
Enterprise apps blade shows global apps (other tenants) which can be configured and used within your tenant/organization.
Reference
Set up SAML-based single sign-on for an application
No, there is no specific reason to connect the 2 apps.
The reason for this is by default "App Registration" is wired for OIDC Auth. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-saml-single-sign-on
This need to be done from the Enterprise apps for any SAML related functionality.
I have two separate web applications, one built with .NET Framework and the other built with .NET Core. Both web applications make up one solution which we ship to our customers. The solution itself is a SaaS subscription-based solution, where users would be able to sign-up with using either a Microsoft/Office 365, GSuite, or organizational account (basic username/password). We would like to restrict sign-up to organizational/business accounts only.
As I understood, Azure B2B is mainly useful when you have something internal and you would like to give external users some limited access to it. Given that I have a multi-tenant SaaS solution, I believe that Azure B2C makes more sense.
Furthermore, in our solution, we would also want the ability for external users to access Tabular Models in Azure Analysis Services and SSRS.
Is access to only organizational accounts, something that can be configured through Azure AD B2C?
Can access be granted to external users to Azure Analysis Services or other Azure tools when using Azure B2C?
You have two options
Option 1, Using Azure AD External identities solution - recommended
You can use newly released self service sign up solution in Azure AD external identities . You can very well restrict sign up to other Azure AD accounts only. However for sign up using other federation systems - you need to try on. I think as of today only Google and Facebook are supported apart from Azure AD.
Option 2, use Azure AD B2C and use app only authentication.
Azure AD B2C consumer accounts are by default not supported by Azure services or Office. But you can use app based authentication to provide these services. Your client app will call your backend api using Azure AD B2C token. Your backend app can perform all auth validations and then call the backend Azure or any other service using app only authentication mode.
I am building a UWP app and .Net Core API. Both should be deployed at the customers' on-premises and authenticated with Azure Active Directory.
Is there a way to authenticate the users without registering the application manually (And specifying the client id and other variables)?
Is there a way to authenticate the users without registering the application manually.
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud based directory and identity management service. You have need to register the application, if you authenticated with Azure Active Directory.
For ADFS, you could refer to AD FS Scenarios for Developers, and it also need to register app at first.
I have a IONIC mobile application which using Azure Native App to authenticate Azure and Skype O365 Login.
For my tenant, app works just fine. Now I want my app to be work for multi tenant. How can I make my native app work for multiple tenant.
For Azure login I am using following cordova plugin.
https://github.com/AzureAD/azure-activedirectory-library-for-cordova
If you were using the common for the authority instead of specific tenant there is no need additional operations to work for the multi-tenant since the native app register on Azure portal support multi-tenant by default.
You can refer the document below:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern
We have an API, we planning to publish this API in the Azure marketplace under developer service. For authentication, we are planning to use developer service SSO (Single sign-on) in API. I googled this but can't find any useful link, please suggest some links
Azure AD B2C became generally available recently and it somehow offers what you are looking for. You can use local Azure identity and/or social account for your end users to authenticate with SSO support.
https://azure.microsoft.com/en-us/services/active-directory-b2c/
With that being said and although you can secure your Web API with AAD b2C as in this guide, your customers won't be able to call this WebAPI from their own applications as the calling app must be registered in the same Azure AD directory with the same application Id. This is a limitation that is mentioned here:
Note:
Azure AD B2C currently supports only web APIs that are accessed
by their own well-known clients. For instance, your complete app may
include an iOS app, an Android app, and a back-end web API. This
architecture is fully supported. Allowing a partner client, such as
another iOS app, to access the same web API is not currently
supported. All of the components of your complete app must share a
single application ID.
If the above limitation is OK with you, then you might also be interested in this Azure article to list your app in the Azure AD application gallery.