Azure AD Single Sign-on

  • Question

  • User-2134819526 posted

    Hello team,

    I have a project built in VS 2008. Now the client wants it deployed in the Azure cloud, with authentication done via Active Directory with a single sign-on facility.

    In addition to this they have 2-3 branches, which can be considered as different domains. They all need to access this VS 2008 web application.

    Guys, I have absolutely no knowledge of Azure AD SSO.

    After googling, I think we need a multi-tenant SSO. Correct me if I am wrong.

    Can anyone please guide me on developing a web app to test SSO via AD?

    As I am new to these AD and SSO concepts, while googling I came across a new term: seamless single sign-on.

    I found only one link regarding this: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso

    So what I need is... say I am in the concerned domain(s). I log into my desktop, open a browser and hit the application URL. Now, as I am in one of the concerned domains, the application will not ask me to enter my credentials again. It will do the authentication against Azure AD and, if successful, redirect to the application start page, or else to an error page.

    Please correct me...

    Any coding reference or links will be appreciated.

    Awaiting your response.

    Wednesday, June 6, 2018 7:03 AM

All replies

  • Thursday, June 7, 2018 2:23 AM
  • User-2134819526 posted

    Hi Nan Yu,

    Thanks for the reply.

    I will definitely go through the links.

    Just to note: I have come across a new concept, seamless single sign-on. You can check my modified requirement in the question, which is highlighted.

    Seamless single sign-on (Azure AD) with my web application.

    Thanks.

    Thursday, June 7, 2018 6:02 AM
  • User1724605321 posted

    Hi satyajitd,

    Yes, see the scenario: How does sign-in on a web browser with Seamless SSO work?

    The sign-in flow on a web browser is as follows:

    1. The user tries to access a web application (for example, the Outlook Web App - https://outlook.office365.com/owa/) from a domain-joined corporate device inside your corporate network.
    2. If the user is not already signed in, the user is redirected to the Azure AD sign-in page.
    3. The user types in their user name into the Azure AD sign-in page.

      Note

      For certain applications, steps 2 & 3 are skipped.

    4. Using JavaScript in the background, Azure AD challenges the browser, via a 401 Unauthorized response, to provide a Kerberos ticket.

    5. The browser, in turn, requests a ticket from Active Directory for the AZUREADSSOACC computer account (which represents Azure AD).
    6. Active Directory locates the computer account and returns a Kerberos ticket to the browser encrypted with the computer account's secret.
    7. The browser forwards the Kerberos ticket it acquired from Active Directory to Azure AD.
    8. Azure AD decrypts the Kerberos ticket, which includes the identity of the user signed into the corporate device, using the previously shared key.
    9. After evaluation, Azure AD either returns a token back to the application or asks the user to perform additional proofs, such as Multi-Factor Authentication.
    10. If the user sign-in is successful, the user is able to access the application.

    Best Regards,

    Nan Yu

    Thursday, June 7, 2018 6:33 AM
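As an added illustration of steps 4-9 in the flow quoted above (not code from the thread or from Microsoft), the model below plays the three parties: the on-prem AD issues a service ticket for the AZUREADSSOACC computer account encrypted with that account's key, and Azure AD, holding the copy of that key shared through Azure AD Connect, decrypts it to learn who is signed in. The password values, the realm "CORP.EXAMPLE", the JSON ticket body and the HMAC-based cipher are constructed stand-ins for the real Kerberos string-to-key and encryption types; the point it makes is that the AZUREADSSOACC key is the trust anchor, so a ticket under a different or tampered key fails closed and the user falls back to interactive sign-in.

```python
import hashlib, hmac, json, secrets

SSO_ACCOUNT = "AZUREADSSOACC$"   # computer account that represents Azure AD in the on-prem forest

def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for the Kerberos string-to-key derivation (constructed, not the RFC 3962 algorithm)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(0, n, 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption standing in for a Kerberos encryption type
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ticket integrity check failed")   # wrong key or tampered ticket
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class ActiveDirectory:
    """On-prem KDC (steps 5-6): issues a ticket encrypted with the target account's key."""
    def __init__(self, sso_password: str):
        self.keys = {SSO_ACCOUNT: string_to_key(sso_password, "CORP.EXAMPLE" + SSO_ACCOUNT)}
    def service_ticket(self, signed_in_user: str, target: str) -> bytes:
        return seal(self.keys[target], json.dumps({"cname": signed_in_user}).encode())

class AzureAD:
    """Cloud side: holds the copy of the AZUREADSSOACC key shared by Azure AD Connect (step 8)."""
    def __init__(self, sso_password: str):
        self.shared_key = string_to_key(sso_password, "CORP.EXAMPLE" + SSO_ACCOUNT)
    def challenge(self) -> dict:
        return {"status": 401, "WWW-Authenticate": "Negotiate"}   # step 4: ask for a Kerberos ticket
    def sign_in(self, ticket: bytes):
        try:
            return json.loads(unseal(self.shared_key, ticket))["cname"]   # steps 8-9: identity from ticket
        except ValueError:
            return None   # seamless SSO fails closed; the user gets the normal interactive sign-in

def browser_sso(user: str, ad: ActiveDirectory, aad: AzureAD):
    """Steps 4-9 from the browser's side; returns the signed-in identity or None."""
    if aad.challenge().get("WWW-Authenticate") != "Negotiate":
        return None
    return aad.sign_in(ad.service_ticket(user, SSO_ACCOUNT))   # steps 5-7
```

Because both sides must hold the same AZUREADSSOACC key, the Seamless SSO documentation recommends rolling that key at least every 30 days with the Azure AD Connect cmdlets, which updates both copies together; the mismatch case in the model is what a stale copy looks like.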
  • User-2134819526 posted

    Hi Nan Yu,

    Thanks a lot for your prompt response.

    I will go through this.

    Thursday, June 7, 2018 6:56 AM