Azure AD as an Identity Provider

Let’s take a quick look at Azure Active Directory (AAD) in the identity provider role. Anyone using Office 365, whether logging on with a standard account or a federated one, uses an Azure AD identity, with Azure AD brokering access to Office 365 resources.

What happens when we wish to connect our own SaaS/web applications to the Azure AD world? Windows Azure brokers a number of identity-based technologies to support such requirements. To illustrate, we’ll walk through an example using Azure AD as a SAML 2.0 Identity Provider (IdP), connected to a basic web application through a PHP-based SAML Service Provider: simpleSAMLphp.

We log in to our Azure tenant (Azure Service Manager) and scroll down to the Active Directory icon.

On the directory tab, click on the organization and then the Applications tab. At the bottom of the screen, create a new application by clicking the Add icon.

Select Add an application my organization is developing.

Give your SaaS/Web application a name (e.g. simpleSAMLphp Demo). Using the radio button, select the type of application. Since this is a SAML-P application accessed through the browser, select the Web Application / Web API option.

Click on the arrow. Enter the details for your SAML application.

For Sign-On URL, fill in the Assertion Consumer Service (ACS) URL of the Service Provider (simpleSAMLphp). We’ll revisit these settings in a moment. For the App-ID URI, the Identifier (Entity ID) of the SAML Service Provider is expected.

Here’s an example using our simpleSAMLphp application.

Here we’ve gone back and changed the Sign-On URL to the base URL of the simpleSAMLphp admin page; this is where (for the test) we want to send users when they access the “application”. The Reply URL is the address to which Azure AD will send the SAML authentication response. Further down in the application configuration in Azure Manager, we see the Single Sign-On settings.

Here are the actual settings used, albeit with dummy URLs.

Sign-On URL: https://saml.mydomain.com/login

Reply URL: https://saml.mydomain.com/login/module.php/saml/sp/saml2-acs.php/default-sp

App URI (Identifier): https://saml.mydomain.com/login/module.php/saml/sp/metadata.php/default-sp

On the Service Provider side, the metadata of the tenant’s Azure Identity Provider needs to be parsed and added to the simpleSAMLphp configuration file (saml20-idp-remote.php). This is done by downloading the Azure IdP metadata file directly, e.g.

https://login.microsoftonline.com/<AzureTenantID>/federationmetadata/2007-06/federationmetadata.xml

Connect to the simpleSAMLphp web administration interface. From the Federation tab, select the XML to simpleSAMLphp metadata converter.

Paste the Azure XML document from the tenant into the converter form in the simpleSAMLphp web interface, convert the text and copy the result to the clipboard. This text can then be appended directly to the saml20-idp-remote.php file.

Here’s an example. Replace the <Azure Tenant ID> placeholder with your own tenant ID accordingly.

$metadata['https://sts.windows.net/<Azure Tenant ID>/'] = array (
  'entityid' => 'https://sts.windows.net/<Azure Tenant ID>/',
  'contacts' =>
  array (
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://login.microsoftonline.com/<Azure Tenant ID>/saml2',
    ),
    1 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://login.microsoftonline.com/<Azure Tenant ID>/saml2',
    ),
  ),
  'SingleLogoutService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://login.microsoftonline.com/<Azure Tenant ID>/saml2',
    ),
  ),
  'ArtifactResolutionService' =>
  array (
  ),
  'keys' =>
  array (
    0 =>
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '<CERTIFICATE>',
    ),
  ),
);
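To show what the converter step above actually does, here is an added Python example (not code from the original post or from simpleSAMLphp). It parses a constructed, trimmed copy of Azure’s federationmetadata.xml, renders the saml20-idp-remote.php entry in the shape shown above, and computes the SHA-256 fingerprint of the signing certificate so it can be checked out of band before the IdP is trusted. The tenant ID is a placeholder and the certificate is a fake blob, not a real X.509 certificate.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, trimmed sample of Azure's federationmetadata.xml: placeholder tenant ID, fake cert.
TENANT = "00000000-0000-0000-0000-000000000000"
SAML2 = "https://login.microsoftonline.com/" + TENANT + "/saml2"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>Q09OU1RSVUNURUQtTk9ULUEtUkVBTC1DRVJU</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{SAML2}"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{SAML2}"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{SAML2}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Pull out what saml20-idp-remote.php needs: entityID, endpoints per binding, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # e.g. WS-Federation-only metadata: refuse rather than build a half-empty entry
        raise ValueError("no IDPSSODescriptor: not SAML 2.0 IdP metadata")
    def ends(tag):
        return [(e.get("Binding"), e.get("Location")) for e in idp.findall("md:" + tag, NS)]
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no 'use' attribute means signing as well
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entityid": root.get("entityID"), "SingleSignOnService": ends("SingleSignOnService"),
            "SingleLogoutService": ends("SingleLogoutService"), "keys": certs}

def cert_sha256(b64_cert):
    """SHA-256 over the DER bytes; compare with `openssl x509 -fingerprint -sha256` on the tenant's cert."""
    return hashlib.sha256(base64.b64decode(b64_cert)).hexdigest()

def to_simplesamlphp(meta):
    """Render the entry in the shape the simpleSAMLphp converter emits (abbreviated)."""
    out = [f"$metadata['{meta['entityid']}'] = array(", f"  'entityid' => '{meta['entityid']}',",
           "  'metadata-set' => 'saml20-idp-remote',"]
    for name in ("SingleSignOnService", "SingleLogoutService"):
        out.append(f"  '{name}' => array(")
        out += [f"    array('Binding' => '{b}', 'Location' => '{l}')," for b, l in meta[name]]
        out.append("  ),")
    out.append("  'keys' => array(")
    out += [f"    array('encryption' => false, 'signing' => true, 'type' => 'X509Certificate', "
            f"'X509Certificate' => '{c}')," for c in meta["keys"]]
    return "\n".join(out + ["  ),", ");"])
```

Feed the downloaded federationmetadata.xml to parse_idp_metadata() instead of SAMPLE_METADATA, and check cert_sha256() against the value obtained from the tenant by another route before appending the output of to_simplesamlphp() to saml20-idp-remote.php.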

Testing Authentication

From the Azure Application Portal, we can access the new test application.

From there we’re taken to the simpleSAMLphp administration page (https://saml.mydomain.com/login).

Within simpleSAMLphp we can select our identity provider for logon (Azure AD).

Click on the Select button to initiate the logon process.

Log on to the application with your Azure AD credentials and we’re returned to the simpleSAMLphp landing page.

Since Azure is brokering the connection with the application, this process also extends to using ADFS where the domain is federated: Azure performs the necessary realm discovery and routes the user to their home domain.

With these and a number of other services, Azure offers a solid convergence point for brokering connections with your web applications and workspaces. It’s a rapidly evolving space, so stay tuned…

If you’d like to know more about how you can implement this and related technologies within your own environment, please contact us. We’ll be happy to assist.

4 thoughts on “Azure AD as an Identity Provider”

  1. Hi, where can I download the simpleSAMLphp application? I am looking to do some tests in my lab and I’d like to know if there are some apps out there similar to the one you demonstrate. Thanks!
