Authenticate web application against multiple Azure ADs?

I am thinking about developing, in general, a web application for enterprises. What I am thinking about is the following scenario:

The application should be able to serve multiple customers (called multitenancy?). That means that multiple companies could use the software for their employees.

Each of them could have their own Azure AD, or maybe not. Therefore I would like to know if it is possible to authenticate against multiple/different Azure ADs.

Let's assume that a user types in his email address [email protected]; then I would try to authenticate him against the AD which is configured behind the companyA.com AD. When someone tries to log in with [email protected], then I would try to authenticate against the Azure AD which is configured for companyB.com.

Is this possible? How could I do this?

STORM asked Feb 18 '17 14:02


1 Answer

That is the exact reason why multi-tenant applications exist: so that a user from any Azure AD can sign in to your application.

The way it works is like this:

  1. You define the application in your Azure AD tenant, including any permissions it might require (like ability to read data from the Azure AD Graph/access user's OneDrive through Microsoft Graph etc.)
  2. When defining the app, set it as multi-tenant.
  3. Now when a user from another organization tries to sign in to your app, they will be presented with a consent screen. This screen describes your application and the permissions it requires on their directory.
  4. Once they give their consent for the permissions the app requires, a service principal is created for the app in their directory. This principal is sort of like an account for the application that now exists in their directory.
  5. They will then be forwarded back to your app.

There are a couple of important things to note on your app's side:

  1. You must redirect users to login at https://login.microsoftonline.com/common/oauth2/authorize instead of the tenant-specific endpoint.
  2. With the OpenIDConnect middleware in ASP.NET MVC, you must turn off issuer validation and do it a bit manually (you have to check that the tenant has actually signed up before).

More about single vs multi-tenant: http://www.andrewconnell.com/blog/azure-ad-what%E2%80%99s-the-difference-between-single-vs-multi-tenant

Example multi-tenant app (ASP.NET MVC): https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect

juunas answered Oct 22 '22 18:10
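The two app-side points in the answer (send users to the `/common` authorize endpoint, then validate the issuer yourself against the tenants that have signed up) as an added example. This is not code from the question, the answer or the linked Azure sample, and it is written in Python rather than as ASP.NET middleware so the check itself is visible; the function names, the parameter names and the sample tenant IDs are assumptions. It models only the step the middleware can no longer do for you on `/common`: with issuer validation switched off, every Azure AD tenant is a syntactically valid issuer, so the app must map the issuer to a tenant ID and look that tenant up in its own record of who has consented.

```python
"""Added example (not from the question or answer): authorize URL on /common
plus the manual issuer/tenant check the answer describes."""
import re
from urllib.parse import urlencode

# Azure AD's tenant-independent authorize endpoint, as named in the answer.
COMMON_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/authorize"

# Issuer strings Azure AD puts in id_tokens: the v1 form
# https://sts.windows.net/{tenant-id}/ and the v2 form
# https://login.microsoftonline.com/{tenant-id}/v2.0. The GUID is the tenant.
_ISSUER_RE = re.compile(
    r"^(?:https://sts\.windows\.net/([0-9a-f-]{36})/"
    r"|https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0)$"
)


def build_common_login_url(client_id, redirect_uri, state, nonce):
    """Authorize URL on /common so users from any Azure AD tenant can sign in."""
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,   # CSRF protection for the round trip
        "nonce": nonce,   # binds the returned id_token to this request
    }
    return COMMON_AUTHORIZE + "?" + urlencode(params)


def tenant_from_issuer(issuer):
    """Return the tenant ID embedded in an Azure AD issuer URL, or None."""
    m = _ISSUER_RE.match(issuer)
    if not m:
        return None
    return m.group(1) or m.group(2)


def validate_signed_in_tenant(claims, onboarded_tenants):
    """The manual issuer check from the answer's point 2.

    `claims` is the id_token payload AFTER the middleware has verified the
    signature, audience, nonce and expiry. Three things remain: the issuer must
    be an Azure AD issuer, its tenant must match the `tid` claim, and that
    tenant must have signed up (consented) with this app. Returns the tenant
    ID; raises ValueError otherwise.
    """
    tid = tenant_from_issuer(claims.get("iss", ""))
    if tid is None:
        raise ValueError("issuer is not an Azure AD issuer: %r" % claims.get("iss"))
    if claims.get("tid") != tid:
        raise ValueError("tid claim does not match the issuer's tenant")
    if tid not in onboarded_tenants:
        raise ValueError("tenant %s has not signed up for this application" % tid)
    return tid


def tenant_is_allowed(claims, onboarded_tenants):
    """Boolean wrapper around validate_signed_in_tenant for callers that
    just need accept/reject."""
    try:
        validate_signed_in_tenant(claims, onboarded_tenants)
        return True
    except ValueError:
        return False


# Constructed sample data (assumed, not real tenants): only COMPANY_A has
# gone through the consent screen and been recorded as onboarded.
COMPANY_A = "11111111-1111-1111-1111-111111111111"
COMPANY_B = "22222222-2222-2222-2222-222222222222"
ONBOARDED = {COMPANY_A}

SAMPLE_CLAIMS_A = {"iss": "https://sts.windows.net/%s/" % COMPANY_A,
                   "tid": COMPANY_A, "upn": "alice@companyA.example"}
SAMPLE_CLAIMS_B = {"iss": "https://login.microsoftonline.com/%s/v2.0" % COMPANY_B,
                   "tid": COMPANY_B, "upn": "bob@companyB.example"}

if __name__ == "__main__":
    print(build_common_login_url("app-client-id", "https://app.example/signin-oidc",
                                 "csrf-state", "nonce-123"))
    print("companyA ->", validate_signed_in_tenant(SAMPLE_CLAIMS_A, ONBOARDED))
    try:
        validate_signed_in_tenant(SAMPLE_CLAIMS_B, ONBOARDED)
    except ValueError as exc:
        print("companyB ->", exc)
```

The `onboarded_tenants` set stands in for whatever record the app keeps of tenants whose admin or users completed the consent screen; the point is that consent creates the service principal in their directory, but nothing tells your app about it unless you record the tenant ID at that moment and check it on every later sign-in. Checking `tid` against the issuer's GUID catches a token whose claims disagree with where it came from; rejecting unknown issuers catches an unrelated identity provider.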