What is Azure AD & How to use Azure Active Directory?
Azure Active Directory (Azure AD) stands as an innovative cloud-driven identity as a service (IDaaS) solution, carving a path into the future of secure digital identity management. Operating as a fortified online repository, it not only houses individual user profiles but also orchestrates collections of user profiles into seamlessly integrated groups. This dynamic platform has been meticulously crafted to wield its authority in governing access to a spectrum of cloud-based applications and servers.
Azure AD distinguishes itself through its adept utilization of cutting-edge authentication protocols. These protocols include the robust Security Assertion Markup Language (SAML) 2.0, the versatile OpenID Connect, the authorization powerhouse OAuth 2.0, and the interoperable WS-Federation. Through the adoption of these modern authentication standards, Azure AD ensures that the access management landscape is not only secure but also aligned with the evolving needs of contemporary digital ecosystems.
In essence, Azure AD emerges as a pivotal force, harmonizing the delicate balance between robust security measures and the fluidity demanded by cloud-based applications. This platform is not merely a guardian of user identities; it is a forward-looking enabler, empowering organizations to navigate the complexities of the digital realm with confidence and efficiency.
What is Azure AD SSO?
Azure AD Single Sign-On (SSO) is a distinctive feature within Azure AD that lets users access SaaS applications without signing in to each application separately. It gives each user a single entry point to the suite of applications they need, eliminating repetitive logins. Azure AD issues an access token that is stored on the user’s device; the token lifetime is configurable, so each token is valid only for a limited time.
Multi-Factor Authentication Option in Azure AD
In the pursuit of bolstering security measures, Azure AD stands out by introducing the option to mandate multi-factor authentication (MFA). This fortified authentication method necessitates users to validate their identity through a combination of diverse factors, ranging from passwords and biometrics to verification codes. In essence, Azure AD’s commitment to security extends beyond the conventional, ensuring a multi-layered defense against unauthorized access.
Azure AD SSO Use case
Imagine a person who needs to use a business app at their workplace, and it’s located on the company’s own servers. To make things smoother, the company uses two systems: one on their premises called Microsoft Active Directory and another online called Azure AD. They’ve cleverly set up a mix of both by using Azure AD Seamless Single Sign-On (SSO) with the help of Azure AD Connect.
In this setup, the system on the premises (Microsoft Active Directory) and the online one (Azure AD) work together seamlessly. Thanks to Azure AD Seamless SSO, the person doesn’t have to remember different passwords. Instead, they can use the same login details they use at work to easily get into the business app through Azure AD.
Hybrid SSO authentication process
- The person types the business app’s address into their web browser while using a computer in the company office.
- They are taken to the Azure AD login page.
- On this page, the person enters their username.
- Azure AD then asks the web browser to show a Kerberos ticket.
- The web browser, in turn, requests a Kerberos ticket specific to the local Azure AD SSO account on the computer. This account is made in Microsoft Active Directory during the setup of Azure AD Seamless SSO.
- Microsoft Active Directory hands over the Kerberos ticket for the local Azure AD SSO account. It’s encrypted with a secret tied to that local account.
- The browser sends the encrypted Kerberos ticket back to Azure AD.
- Azure AD decrypts the Kerberos ticket using the shared key established during the initial configuration of Azure AD Seamless SSO.
- If the ticket is valid, Azure AD allows access and returns an authentication token to the browser.
- Now, the person can log into the business app without having to type in their password again.
Azure Single Sign-On Options
Various methods exist to set up Single Sign-On (SSO) for applications, and the one you choose depends on how the specific application handles authentication.
For instance, cloud applications might use OAuth, OpenID Connect (OIDC), or SAML for authentication, whether SSO is turned on or off. In contrast, an on-premises application could rely on header-based, password-based, IWA SSO, or linked SSO authentication. If you are dealing with on-premises options, it is necessary to configure the application for Azure Application Proxy.
Azure AD supports Single Sign-On (SSO) through various authentication protocols, providing flexibility for different application scenarios:
1- OAuth/OpenID Connect: Choose the OIDC option, which is built on OAuth 2.0, for applications that support this mechanism. Detailed information is available in the OpenID Connect and OAuth 2.0 protocol documentation, and additional guidance can be found in the guide to OAuth flows.
2- SAML: This is the preferred choice for applications that don’t support OIDC/OAuth. The SAML SSO protocol documentation describes this alternative, and further guidance is available in the guide to SAML.
3- Password-based SSO: Suited for applications with HTML sign-in pages, this method, known as password vaulting, empowers administrators to manage users’ access permissions and passwords for web apps lacking federated identities. It proves useful for handling a single account shared by multiple users (e.g., a social media account). Password-based SSO accommodates applications with multiple sign-in fields, offering customization for field labels beyond the standard username and password.
4- IWA SSO (Integrated Windows Authentication): Use single sign-on with Integrated Windows Authentication for applications that use IWA or are claims-aware.
5- Header-based SSO: This option is suitable for applications relying on headers for authentication.
6- Linked SSO: Employ the linked SSO method for applications configured for single sign-on in a third-party identity provider. This allows administrators to configure the target location when users select an application in the organization’s portal. Links to custom web applications already using identity federation (e.g., Active Directory Federation Services) can be added. It’s also possible to add links to specific web pages appearing on the user’s access panel. However, this option doesn’t support SSO functionality using Azure AD user credentials.
7- Disabled SSO: An admin may choose to disable SSO if the application isn’t ready for SSO configuration.
Setting up Azure AD Single Sign-On (SSO)
Setting up Single Sign-On (SSO) in Azure AD involves several steps. Below is a high-level overview of the key steps for configuring SSO with Azure Active Directory.
Step 1: Set Up the Prerequisites
Setting up Single Sign-On (SSO) in Azure AD typically begins with configuring the prerequisites. Here are the key steps for this initial phase:
- Azure AD Subscription: Ensure you have an active Azure AD subscription. If not, sign up for Azure AD and create a new directory if needed.
- Administrative Access: Have administrative access to the Azure portal with the necessary permissions to configure SSO settings.
- Application Access: Identify the application for which you want to set up SSO. Make sure you have access to the application’s configuration settings or admin console.
- Application Integration Support: Verify that the chosen application supports SSO integration with Azure AD. Review the application’s documentation or contact the vendor for compatibility information.
- Authentication Method: Decide on the authentication method for SSO (e.g., SAML, OAuth, OpenID Connect). The method may depend on the application’s capabilities and requirements.
- User Attributes and Claims Mapping: Understand the user attributes and claims required by the application. Plan how these attributes will map between Azure AD and the application during the SSO process.
- Network and Firewall Configuration (if applicable): If the application is hosted on-premises, ensure that network and firewall configurations allow communication between Azure AD and the application.
- Secure Connection (HTTPS): Ensure that the application supports a secure connection (HTTPS) for SSO. This is a common requirement for secure authentication.
- Application URL and Sign-Out URL: Gather the application’s URL and sign-out URL. These will be needed during the SSO configuration process in Azure AD.
- Review Documentation: Review the Azure AD documentation specific to the chosen SSO method and the documentation provided by the application vendor.
- Communication Plan: Plan for communication with end-users. Inform them about the upcoming SSO implementation and any changes they might experience, and provide relevant training or documentation.
By completing these prerequisites, you establish a solid foundation for the subsequent steps in configuring SSO in Azure AD. Each application and SSO method may have specific requirements, so be sure to consult the documentation for detailed guidance.
Step 2: Enable the SSO Feature in Azure AD
This step involves enabling seamless SSO via Azure AD Connect. If freshly installing Azure AD Connect, select the custom installation option. Select Enable single sign-on on the User sign-in page.
Image Source: Azure
If Azure AD Connect is already installed, go to Change user sign-in in Azure AD Connect and choose Next. The default selection is Enable single sign-on for versions 1.1.880.0 and up of Azure AD Connect. For older Azure AD Connect versions, it is necessary to select this option explicitly.
Step 3: Verify That Seamless SSO Is Working
Use the following steps to verify that seamless SSO is working correctly.
- Log in to the Azure AD admin center using the main admin credentials.
- Click on “Azure Active Directory” on the left side.
- Select “Azure AD Connect.”
- Verify that the “Seamless single sign-on” option is marked as Enabled.
Image Source: Azure
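The portal check above only confirms that the feature is switched on. As an added example (not from this article or from Microsoft), the following PowerShell script checks the on-premises side of the Kerberos flow described earlier: the computer account that Azure AD Connect creates for Seamless SSO, the SPN the browser requests a ticket for, the age of that account’s Kerberos key (the “shared key” in the flow), and whether the client has the Seamless SSO URL in its Intranet zone. It assumes the RSAT ActiveDirectory module, a domain-joined machine, the default account name AZUREADSSOACC, and Microsoft’s recommended 30-day key rollover interval.

```powershell
# Added example: domain-side and client-side health checks for Azure AD Seamless SSO.
# Assumes the ActiveDirectory RSAT module and that Azure AD Connect created the
# default computer account AZUREADSSOACC (the "local Azure AD SSO account" in the flow).
Import-Module ActiveDirectory

$AccountName   = 'AZUREADSSOACC'
$MaxKeyAgeDays = 30   # Microsoft guidance: roll the Seamless SSO key at least every 30 days
$ExpectedSpn   = 'HTTP/autologon.microsoftazuread-sso.com'

# 1. The computer object must exist; without it no Kerberos ticket can be issued.
$sso = Get-ADComputer -Identity $AccountName `
        -Properties PasswordLastSet, ServicePrincipalNames -ErrorAction Stop

# 2. The browser asks the domain controller for a ticket to this SPN, so it must be
#    registered on the account (step 5 of the flow).
$hasSpn = $sso.ServicePrincipalNames -contains $ExpectedSpn
Write-Host ("SPN {0} registered on {1}: {2}" -f $ExpectedSpn, $AccountName, $hasSpn)

# 3. The key Azure AD uses to decrypt the ticket (step 7) is this account's Kerberos key.
#    A stale key widens the window in which a leaked key stays usable, so warn when it
#    is older than the rollover interval.
$keyAge = (Get-Date) - $sso.PasswordLastSet
if ($keyAge.TotalDays -gt $MaxKeyAgeDays) {
    Write-Warning ("{0} key is {1:N0} days old; roll it with Update-AzureADSSOForest" `
                   -f $AccountName, $keyAge.TotalDays)
} else {
    Write-Host ("{0} key age OK ({1:N0} days)" -f $AccountName, $keyAge.TotalDays)
}

# 4. Client side: a browser only sends a Kerberos ticket to URLs in the Intranet zone,
#    so the Seamless SSO URL has to be assigned there (normally via Group Policy).
#    In the Site to Zone Assignment List a value of 1 means the Intranet zone.
$zoneKey   = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$zoneValue = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).'https://autologon.microsoftazuread-sso.com'
Write-Host ("autologon URL assigned to Intranet zone: {0}" -f ($zoneValue -eq 1))
```

Run it as a domain user on a domain-joined workstation; the first three checks need read access to the computer object, and the last reflects only the current user’s policy-applied zone map.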