I want to integrate SSO in my client's azure AD with a 3rd party enterprise application.
We dont have access to the backend of the 3rd party appliction which is basically a SAAS. So the 3rd party app team asked us to setup SSO in azure ad portal and share with them the signin url and IDP metadata.
Which option I should choose in azure ad portal to do this:
enterprise application or app registration?
The way you can add your application to azure ad is completely depending on the SSO type you are using for your application.
If the application was registered using App registrations, then the single sign-on capability is configured to use OIDC OAuth by default.
If you register through Enterprise application, you will be having option to setup SAML based, password based authentication types.
Here is the reference doc to setup SAML based SSO SAML based SSO
If you want to setup OIDC based SSO you can use this OIDC SSO
Quickstart
Many apps have already been pre-configured to work with Azure AD. These apps are listed in the gallery of apps that you can browse when you add an app to your Azure AD tenant.
Here is the reference for integrating SAAS application with azure ad SAAS App integration.
Related
I have a multi tenant enterprise app. It authorises a few graph API permissions when installed and has SAML SSO configured. The whole idea is that my customers can install this and in one process grant my application access to their tenant, and setup SSO for that customers users.
The graph API permissions work totally as expected, I get the needed access to the tenants who installed the app.
Then there is the SAML SSO part. That's just totally not working. In my test tenant where I installed my app, it says that the app has SAML SSO and that it is only application owner who can configure - all fine.
I then try to log in (to the web app using this SSO configuration) with a user from my test tenant - no luck!
First I thought that it had to do with the user not being assigned the app, but it complains the the application in tenant A is not available for user in my test tenant and the user should be added to tenant A. That of course is not a solution since I want to use this for customers.
So right now I am stuck with 2 app's. One gallery app for SAML SSO and my app granting API permissions. It works, but it just seems SO stupid. Isn't there a better way?
Azure AD SAML applications are not intended to be multi-tenant, this is why you need to invite external users as guests.
It's worth to mention it's possible for an Azure AD app to support both OIDC/OAuth2 and SAML and thus rely on the same session cookie to obtain an access token for MS Graph.
If you need multi-tenancy, you should use modern protocols such as OpenID Connect for authentication and OAuth2 for authorization. MS Graph relies on JWT access token anyways.
We installed an enterprise application through the Azure AD App Gallery. But when we try to config the Single Sign-on, it keeps saying:
The single sign-on configuration is not available for this application
in the Enterprise applications experience. HubSpot is a multi-tenant
application and the application is owned by another tenant.
Do we need to change some settings to allow the setup of Single sign-on?
We followed this tutorial but are now stuck on "Configure Azure AD SSO".
When added the hubspot application from Azure AD Enterprise application gallery like below ,you should be able to see if SSO setting is available or not and the ways it can be supported for sso.(Here i can be able to use SAML based SSO, or linked SSO)
Then you should be able to edit the saml configuration
For me when I search the hubspot app created in app registrations, its under supported account type of my organization only.
Please check if the App is registered and added as Multi-Tenant App in your case and users have to use login for particular tenant instead of common to avoid error.
Also user accounts need to be pre-provisioned into HubSpot prior to
sign-in .
Reference:
Sign in with My Apps portal and Azure AD SSO in multi tenants application - Stack Overflow
Scenario:
(Azure-hosted) Web App. Users should be able to sign in to my app using a Microsoft Account (i.e. #live.com, #hotmail.com, etc accounts) that has one or more Azure subscriptions. The application would then allow them to view and manage their Azure resources in specific ways through my app.
Points of confusion/frustration:
ADAL vs MSAL for authentication
Azure AD vs Azure AD B2C for the tenant hosting the application
Where do you register the tenant app? In the AD B2C under "App Registrations"? In a regular AD under "App Registrations (Preview)"? On the App Registration Portal (i.e. apps.dev.microsoft.com)?
Which of the above client ID & secret do you use in the web app (in the .config file)?
The documentation for none of these seem to cover the scenario end-to-end and most of it is completely out of sync with other developments.
I am hoping here to get some point of guidance from other developers that have actually gone through this journey themselves (rather than folks that just read the documentation). In specific, I am hoping to get answers from the Azure CXP team that monitors these questions and provides official & supported answers.
Your scenario requires access to Azure APIs, thus you have to make the logins against "regular" AAD, not B2C.
You can't make your logins against MSA accounts directly as they must be members of an AAD to have access to subscriptions.
You can use either ADAL or MSAL to handle the authentication.
Note you must use v2.0 endpoint for MSAL and the "v1" endpoint for ADAL.
See limitations of the v2 endpoint here: https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison.
You register it under Azure portal -> Azure Active Directory -> App registrations.
You can also use the preview version if you want.
You will need the application id (= client id) + a key (secret) from the app registration.
Attempting to use the following Microsoft Graph API call:
https://graph.microsoft.com/beta/applications/
To create a new Azure AD B2C Application. Is this supported?
Apps created using https://graph.microsoft.com/beta/applications/ endpoint are listed on Azure Portal -> Azure AD B2C -> Applications but portal is not able to load B2C app details when we click on the app. There appears to be some difference between how app is created from Azure Portal UI and Graph API.
Calling that endpoint will not work. The applications created within the B2C blade are different to the ones created within the AD Blade (Which is what that beta endpoint uses).
From my understanding, Applications created within the B2C Blade are created as part of the trust framework not part of your AD Tenant.
We have an instance based web app on IIS which uses active directory for authentication.
This web app has an external public web address for remote users to work with.
OKTA provides Active directory integration which sync directory and provide SSO for users inside the active direcory domain.
But for remote users as far as i know OKTA can provide SSO through their SWA (secure web application) type of application but which means using a browser plugin from OKTA for remote users.
Is there any other way for us to authenticate from active directory
for remote users through SAML or WS-FED using OKTA?
Okta supports SAML 2.0 for this use case. Please reference the documentation at https://support.okta.com/pkb_Home?q=SAML&l=en_US for details on how to configure this.
Also note that there's a sample app demonstrating SAML integration via the Spring framework (if the app in question is Java-based). http://developer.okta.com/docs/examples/spring_security_saml.html