Difference between Existing Single Sign-On and Password Single Sign-On

  • Question

  • Can someone help me understand the terms below with a simple example? This is related to Azure Active Directory.

    1. Existing Single Sign-On with identity provisioning
    2. Password Single Sign-On with identity provisioning
    3. Existing Single Sign-On without identity provisioning
    4. Password Single Sign-On without identity provisioning


    Many Thanks Deepak

    Sunday, July 3, 2016 1:04 PM

All replies

  • Hello,

    We are checking on the query and will get back to you soon on this.

    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,

    Monday, July 4, 2016 5:35 AM
  • Hello Deepak,

    • Password-based Single Sign-On enables secure application password storage and replay using a web browser extension or mobile app. This leverages the existing sign-in process provided by the application, but enables an administrator to manage the passwords and does not require the user to know the password.

    • Existing Single Sign-On enables Azure AD to leverage any existing single sign-on that has been set up for the application, but enables these applications to be linked to the Office 365 or Azure AD access panel portals, and also enables additional reporting in Azure AD when the applications are launched there.

    Once a user has authenticated with an application, they also need to have an account record provisioned at the application that tells the application what their permissions and level of access are inside the application. The provisioning of this account record can either occur automatically, or it can occur manually by an administrator before the user is provided single sign-on access.

    More details on these single sign-on modes and provisioning below.

    Federated Single Sign-On

    Federated Single Sign-On enables the users in your organization to be automatically signed in to a third-party SaaS application by Azure AD using the user account information from Azure AD.

    In this scenario, when you have already been logged into Azure AD, and you want to access resources that are controlled by a third-party SaaS application, federation eliminates the need for a user to be re-authenticated.

    Azure AD can support federated single sign-on with applications that support the SAML 2.0, WS-Federation, or OpenID Connect protocols.

    See also: Managing Certificates for Federated Single Sign-On

    Password-based Single Sign-On

    Configuring password-based single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Azure AD using the user account information from the third-party SaaS application. When you enable this feature, Azure AD collects and securely stores the user account information and the related password.

    Azure AD can support password-based single sign-on for any cloud-based app that has an HTML-based sign-in page. By using a custom browser plugin, AAD automates the user's sign-in process by securely retrieving application credentials such as the username and the password from the directory, and entering these credentials into the application's sign-in page on behalf of the user. There are two use cases:

    1. Administrator manages credentials – Administrators can create and manage application credentials, and assign those credentials to users or groups who need access to the application. In these cases, the end user does not need to know the credentials, but still gains single sign-on access to the application simply by clicking on it in their access panel or via a provided link. This enables both lifecycle management of the credentials by the administrator and convenience for end users, who do not need to remember or manage app-specific passwords. The credentials are obfuscated from the end user during the automated sign-in process; however, they are technically discoverable by the user using web-debugging tools, and users and administrators should follow the same security policies as if the credentials were presented directly by the user. Administrator-provided credentials are very useful when providing account access that is shared among many users, such as social media or document sharing applications.

    2. User manages credentials – Administrators can assign applications to end users or groups, and allow the end users to enter their own credentials directly upon accessing the application for the first time in their access panel. This creates a convenience for end users whereby they do not need to continually enter the app-specific passwords each time they access the application. This use case can also be used as a stepping stone to administrative management of the credentials, whereby the administrator can set new credentials for the application at a future date without changing the app access experience of the end user.

    In both cases, credentials are stored in an encrypted state in the directory, and are only passed over HTTPS during the automated sign-in process. Using password-based single sign-on, Azure AD offers a convenient identity access management solution for apps that are not capable of supporting federation protocols.

    Password-based SSO relies on a browser extension to securely retrieve the application- and user-specific information from Azure AD and apply it to the service. Most third-party SaaS applications that are supported by Azure AD support this feature.

    Hope this helps.

    Regards,
    Neelesh

    Monday, July 4, 2016 9:09 AM
  • This is too complex to understand! Can you put it in layman's terms?

    Thanks for your time.


    Many Thanks Deepak

    Monday, July 4, 2016 9:25 AM
  • Halfway - it explained "Existing SSO" and "Password SSO".

    But what is the difference between "with identity provisioning" and "without identity provisioning"?

    The Classic Portal doesn't mention those terms.


    Craig D. Beere, MCT

    Tuesday, August 23, 2016 10:12 PM
  • Hi guys,

    I am also not aware of the difference between with and without identity provisioning, but this is what I found so far:

    • Password based SSO without identity provisioning – These are applications the Azure admin has added with the single sign-on mode set to ‘Password based Single Sign-on’. It is important to realise that all users authenticated to the Azure AD will see these applications. The first time a user clicks one of these apps they will be asked to install a lightweight browser plugin for IE or Chrome. Once they restart the browser the next time they navigate to that app they will be asked to enter the username and password combination for that app. This is then securely stored in Azure AD and linked to their organisation account. The next time the user clicks that app they will be automatically signed in with the credentials they provided. Updating credentials in the third party app needs the user to update their Azure AD stored credentials from the context menu on the app tile.

    • Password based SSO with identity provisioning – These are applications the Azure admin has added with the single sign-on mode set to ‘Password based Single Sign-on’ as well as identity provisioning. The first time a user clicks one of these apps they will be asked to install a lightweight browser plugin for IE or Chrome. Once they restart the browser the next time they will be automatically signed in to the application.

    Reference: http://weshackett.com/tag/azure-active-directory/

    Existing Single Sign-On requires an on-premises (existing) sign-on infrastructure, such as Federation Services, to work, if I'm not mistaken.

    Wednesday, September 28, 2016 12:40 PM
  • Ok. This is the plain explanation I could get from my experience. I hope someone corrects me if I'm wrong:

    What is Existing Single Sign-On?
    Login with your Azure AD credentials. I mean, with the user and password that you have created in Azure.

    What is Password Single Sign-On?
    Login with your third-party app credentials. I mean, when the user and password have been created previously in Dropbox, for example.

    What is identity provisioning?
    For example, when Azure AD is able to create users in your Dropbox app: create, erase, update...

    What does it mean, then, when you say Existing Single Sign-On with identity provisioning?
    That is when you use your Azure AD credentials to log in to Dropbox, for example, and can manage your Dropbox users from Azure AD.

    Sunday, August 13, 2017 12:30 PM
  • This post may help you understand various Hybrid Identities
    Sunday, August 13, 2017 1:02 PM
  • Here it is explained in easy-to-understand words:

    https://dzone.com/articles/single-sign-on-with-azure-active-directory-and-bac

    Thursday, February 15, 2018 4:05 PM