SaaS blueprint - Multiple identity/source scenario

  • Question

  • We are a classic ISV building a SaaS solution on Windows Azure. Up to now, we have been using a traditional design of a custom-made token service for authentication, with a SQL Azure backend for user management and control. Our client is a rich client, connecting through a REST service.

    As our service grows, we are looking with great interest towards Windows Azure Active Directory to replace our custom design and support enterprise deployment; however, we seek guidance or insights into how Windows Azure Active Directory would work in a multi-tenant, multi-identity environment.

    In general we cluster our customers into three categories:

    • Enterprise customers. Having on-premises Active Directory, often Office365 with DirSync, and managing all users from local IT. They may have skills or knowledge around Windows Azure, Federation and Azure AD.
    • Midmarket customers. Often with on-premises Active Directory, though not always. Often (very few) with Office365 with DirSync managing users on-premises, or through the Microsoft Online Services Portal. They have no knowledge of Windows Azure or federated identity.
    • Low-end customers. Always without any identity infrastructure like Active Directory. Some with Office365, managed through the MOP portal. Today, these customers manage their users through our management portal.

    In replacing our custom solution, we look for a common design that is as simple as possible. We doubt that enterprise customers wish to allow us access to their Azure AD (or on-prem AD, for that matter). Second, since we build a volume ISV solution, we cannot have a manual setup per customer to set up Azure AD; we need roughly the same design as Office365, where partners can set up the synchronization.

    Our question is: can anyone share experience with a solution like the above, and secondly, will Microsoft provide libraries to manage tenant setup etc. so we can streamline provisioning?

    *** EDIT ***
    Referring to the post of the guru of cloud identity, Vittorio (http://www.cloudidentity.com/blog/2012/07/12/single-sign-on-with-windows-azure-active-directory-a-deep-dive-2/), consider two assumptions.

    1) Every customer will have a cloud identity. While this would solve our quest above, it is highly unlikely. Hence, what options do ISVs have to provision an AD tenant, to help Microsoft on the path to deliver a Directory Tenant to every customer (in a closed signup experience)?

    2) About 4/5 of the way down the article, the quote "In practice, every customer will have to run the same cmdlet script with New-MsolServicePrincipal to provision your application in their own directory tenant" bases its assumption on #1, as well as on the customer understanding how to install PowerShell and run a complex command, or even how to log into Windows Azure AD.

    • Edited by Arumsoft Wednesday, June 5, 2013 8:53 PM additions and reference
    Wednesday, June 5, 2013 8:02 PM