No Azure AD for cloud applications

  • Question

  • Hi,

    Is it possible for cloud applications to redirect their forms-based authentication to an on-premises ADFS server without the existence of an AD in the cloud? Can the application be configured to work directly with ADFS according to the metadata? No VPN.

    I understand that users will key in their credentials and communicate with the ADFS proxy. Will the application communicate with the ADFS server or the ADFS proxy?

    Thanks.

    Monday, July 20, 2015 7:28 AM

Answers

  • Generally, applications that have a trust with ADFS would be configured to go to https://<ADFSServiceName>/adfs/ls/ to get a token, so depending upon how name resolution occurs for the ADFS Service Name, it would either hit the ADFS Proxy or the ADFS Server. The ADFS Proxy by default displays the forms authentication page. The kind of request the application would send depends upon what protocol is being used, e.g. WS-Federation, SAML-P, WS-Trust etc.

    The main advantage of using ADFS with Azure AD is that the authentication of the on-prem users can happen on the ADFS Server (with the Corp DC) and for the cloud users, Azure AD can authenticate them, so essentially depending upon the UPN the user uses to log in, they will be redirected to the login URL (either ADFS/Azure AD etc.). With Microsoft Azure Active Directory Premium features, you can get features like Branding and Customization, Group Based Access Control, Self Service Password Management, Multi-Factor Authentication and Advanced Reporting.

    Hope this helps!

    Best Regards

    Sadiqh Ahmed

    ________________________________________________________________________________________________________________

    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful.

    Tuesday, July 21, 2015 2:16 PM
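The WS-Federation case described in the answer above, as an added example that is not code from this thread or from ADFS itself: the relying party builds the redirect to `https://<ADFSServiceName>/adfs/ls/` (name resolution, not the application, decides whether that lands on the proxy or the internal server), and on the way back it checks the issuer, audience and validity window of the SAML 1.1 token carried in `wresult` before trusting any claim. The service name `sts.example.com`, the realm `https://app.example.com/` and the embedded `wresult` document are all constructed for the example; the issuer URI follows the usual ADFS convention and is an assumption.

```python
"""WS-Federation passive sign-in round trip against an ADFS /adfs/ls/ endpoint.

Added example for illustration; not code from the forum thread or from ADFS.
Names below (service name, realm, issuer) are assumptions for the example.
"""
from datetime import datetime, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

ADFS_SERVICE_NAME = "sts.example.com"            # assumed; DNS decides proxy vs. server
ADFS_LS = f"https://{ADFS_SERVICE_NAME}/adfs/ls/"
RP_REALM = "https://app.example.com/"            # assumed relying-party identifier (wtrealm)
EXPECTED_ISSUER = f"http://{ADFS_SERVICE_NAME}/adfs/services/trust"  # assumed issuer URI

NS = {
    "t": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}


def build_signin_url(wctx: str) -> str:
    """Redirect the unauthenticated user to ADFS with a WS-Federation sign-in request."""
    params = {"wa": "wsignin1.0", "wtrealm": RP_REALM, "wctx": wctx}
    return ADFS_LS + "?" + urlencode(params)


def _parse_utc(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_wresult(wresult: str, now: datetime) -> dict:
    """Validate issuer, audience and lifetime of the SAML 1.1 token inside wresult.

    Signature verification is deliberately left to an XML-DSig library in real
    deployments; this function covers the claim-level checks that must also hold.
    """
    root = ET.fromstring(wresult)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in wresult")

    issuer = assertion.get("Issuer")
    if issuer != EXPECTED_ISSUER:
        raise ValueError(f"unexpected issuer {issuer!r}")

    conditions = assertion.find("saml:Conditions", NS)
    audience = conditions.findtext(
        "saml:AudienceRestrictionCondition/saml:Audience", namespaces=NS)
    if audience != RP_REALM:
        raise ValueError(f"token issued for {audience!r}, not this relying party")

    not_before = _parse_utc(conditions.get("NotBefore"))
    not_on_or_after = _parse_utc(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("token outside its validity window")

    name_id = assertion.findtext(
        "saml:AttributeStatement/saml:Subject/saml:NameIdentifier", namespaces=NS)
    return {"issuer": issuer, "audience": audience, "name_id": name_id}


# Constructed sample of what ADFS posts back in the wresult form field (unsigned here).
SAMPLE_WRESULT = """<t:RequestSecurityTokenResponse
    xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="1" AssertionID="_example-assertion"
        Issuer="http://sts.example.com/adfs/services/trust"
        IssueInstant="2015-07-21T14:00:00Z">
      <saml:Conditions NotBefore="2015-07-21T14:00:00Z" NotOnOrAfter="2015-07-21T15:00:00Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>https://app.example.com/</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject><saml:NameIdentifier>alice@example.com</saml:NameIdentifier></saml:Subject>
      </saml:AttributeStatement>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def demo() -> dict:
    """Run the two halves of the flow on the constructed sample."""
    print(build_signin_url(wctx="/dashboard"))
    return check_wresult(SAMPLE_WRESULT, now=datetime(2015, 7, 21, 14, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(demo())
```

The audience check is the one most often skipped: a token ADFS issued for a different relying party is still a validly signed ADFS token, so signature verification alone does not tie it to this application.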

All replies

  • Hi,

    I don't think Azure Active Directory supports forms-based authentication. However, Azure Active Directory can provide you with a claims-based experience. As Azure AD does not support an LDAP-based connection to WAAD, you can't customize the Azure login page.

    Refer to: https://azure.microsoft.com/en-us/documentation/articles/active-directory-token-and-claims/

    Best Regards

    Sadiqh Ahmed

    ________________________________________________________________________________________________________________

    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful.

    Monday, July 20, 2015 11:41 AM
  • Hello,

    The cloud application can redirect the user to the ADFS Server, given it is configured to go to the ADFS Server if the user isn’t authenticated, and if the user is accessing the ADFS Server from the extranet, they would get the Forms Based Authentication page by default. However, keeping the application as a cloud application doesn’t yield any advantage in this scenario, as it works the same way even when it is deployed to a server.

    Regards,

    Neelesh

    Monday, July 20, 2015 3:21 PM
  • Hi Neelesh, thanks for the reply. You have clarified my doubt that on-premises ADFS alone will be sufficient to support cloud applications. Does the application communicate with the ADFS proxy similar to user authentication traffic? May I know what the advantages of using on-premises ADFS with Azure AD for cloud applications would be? Thanks
    Monday, July 20, 2015 3:44 PM