3

I'm shooting a little blind here in that I'm not an Azure expert and don't really mess with it yet beyond O365 and DirSync.

We have a 3rd party app written in Ruby on Rails that they are saying is going to have SAML support in the next version and can do SSO by syncing potentially with Azure AD. Their cloud app is hosted on Azure. The 3rd party hasn't exactly said to us yet HOW. They said they are going to publish it as a Windows app. I see in Azure something like "add an application from the gallery"...is that what I'm looking for?

My question is, can our existing Azure AD that came with Office 365 allow for such an SSO setup with this 3rd party application if it is hosted within Azure? If so, any links or info on doing such a thing? Everything I end up searching on ends up with me coming back to DirSync or similar and I know it isn't DirSync I'm looking for.

Is this what I'm after in our Azure AD portal below?


maweeras
  • 2,734
  • 2
  • 17
  • 23
TheCleaner
  • 32,627
  • 26
  • 132
  • 191
  • You need to register your app with Azure AD as per the steps in this guide: http://www.edutech.me.uk/microsoft/identity-and-access-management/active-directory/azure-ad-custom-saas-applications-for-any-3rd-party-service/ – Simon W Mar 09 '15 at 11:45
  • Simon, that's great additional info. If you want to link and expound on that link or quote it as part of an answer I'll award you the points/checkmark. Thank you! – TheCleaner Mar 09 '15 at 13:23

2 Answers

3

Your custom application must be registered with Azure AD as a Custom Application as per the process flow on this online guide. There are a couple of options to integrate your custom application - you can do password-based or federation-based.

If your app will support SAML-based authentication then you would use federation-based which isn't covered in the above guide, but has some more detail on MSDN in a couple of places.

Note that you must be subscribed to the Basic or Premium Azure AD tiers to access this feature.

Simon W
  • 320
  • 1
  • 8
2

It's a tale of two protocols. Office 365 supports quick configuration of applications that support the OpenID Connect protocol; it's likely you signed into this site with an OpenID provided by some trusted identity provider (you should be able to sign in here with an OpenID provided by your O365).

SAML 2.0 is the more complete implementation of Web SSO but uses SOAP/XML, whereas OpenID Connect uses RESTful/JSON and service providers/resource servers (apps) can be dynamically registered, but much other functionality you will look for will be 'out of scope'.

The Azure AD SAML identity provider is not a full implementation of the protocol: it does not support the eduPerson schema, nor will it download metadata from a URL (say, from a federation).

Microsoft are members of the OpenID Foundation along with many other commercial vested interests such as Google, Facebook, PayPal or anyone else with an 'all of your user are belong to us' mentality, so naturally they cripple Azure AD from doing anything useful other than supporting basic functionality. Want to grant a group of users access to some app from the portal? That's Azure AD Premium! The portal, by the way, is just a thrown-together list of applications that support OpenID logins; SF may as well be listed there. It doesn't mean anything, it's just a lot of whizz-bangery. They have also listed apps that support the SAML protocol, and these will require some configuration of Azure AD and some configuration of the app in question, so it's actually pointless even listing these ones (in the flashy portal) other than to let you know 'this app supports SAML'. Azure AD will also support an authentication proxy: where an app doesn't support an SSO protocol it can be configured for a one-time authentication and thereafter remember the credentials, so it does expose these brutal hacks too. What's funny about the Azure AD and Office 365 Kool-Aid is that it all begins with a DirSync, the very evil that these protocols were invented to address ("Here! Have all my users???"), so in that respect Azure AD is all fur coat and no knickers.

You can run all of this on Domain: a full implementation of SAML with Shibboleth, or a bundled SSO protocol stack with SAML and OpenID Connect with something like Gluu (https://www.gluu.org/gluu-server/overview/). It's not crippled, it is free, and you don't have to give all of your users to some third party with an agenda. I'm not recommending any of the above; I'm just letting you know that you don't need Azure AD, and the more involved you get in identity federation the more of a barrier it will become without the 'premium features' of two protocols that community volunteers worked their asses off to deliver.

Sum1sAdmin
  • 1,934
  • 1
  • 12
  • 20
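Both answers come down to the federation-based (SAML) option, with Azure AD acting as the identity provider and the Rails app as the service provider. What that means on the receiving side is shown below as an added example, not code from the thread or from any of the products named: the conditions a service provider must check on an assertion before trusting it (issuer, audience restriction, validity window). The tenant id, the SP entity id and the sample response are constructed placeholders; XML signature verification still needs a proper XML-DSig library and is deliberately outside this stdlib-only block.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: a minimal Azure-AD-style Response. The tenant id below is a
# placeholder; a real one appears in the issuer as https://sts.windows.net/<tenant-id>/
TENANT = "00000000-0000-0000-0000-000000000000"
IDP_ISSUER = f"https://sts.windows.net/{TENANT}/"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"  # assumed SP identifier
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-03-09T11:40:00Z" NotOnOrAfter="2015-03-09T11:50:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    # SAML timestamps are UTC ISO 8601 without fractional seconds, e.g. 2015-03-09T11:45:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, expected_issuer, expected_audience, now_utc):
    """Return the list of failed checks; an empty list means the assertion is acceptable.

    now_utc is passed in (same timestamp format) so the check is deterministic.
    Signature verification is NOT done here; run it first with an XML-DSig library.
    """
    problems = []
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:  # must be exactly our tenant's IdP, not any Azure AD tenant
        problems.append(f"unexpected issuer {issuer!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return problems + ["no Conditions element"]
    nb, noa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if nb is None or noa is None:
        problems.append("missing validity window")
    elif not (_ts(nb) <= _ts(now_utc) < _ts(noa)):  # NotOnOrAfter is exclusive
        problems.append("assertion outside validity window")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:  # an assertion minted for another app must be rejected
        problems.append(f"audience restriction {audiences} does not include this SP")
    return problems
```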