I am trying to set IS4 as Identity Provider.

  1. The first thing I tried was to create a federation trust between Azure AD and the domain where I hosted my IS4. Once federated, by using the "Get-MsolDomainFederationSettings" command in PowerShell I got values for the following parameters:

    [screenshot of the returned federation settings, not reproduced]

  2. I have found the following "solution", that also comes with this documentation, but it is a paid solution, and I am looking for a free option.

  3. Should I use standard protocols, e.g. OpenID Connect, WS-Federation or SAML2p, and how can this be configured?

Bojan
  • I think this can be done in B2C with the Open Id Connect providers. https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-idp – juunas Jul 18 '18 at 10:39
  • There is no official support for other federation providers of `Azure AD` different than ADFS. What are you trying to achieve? – astaykov Jul 18 '18 at 10:45
  • @astaykov I am using this scenario for single sign-on. Users working on a certain application have their usernames and passwords. Let's say this application also needs to be connected to a tenant in Azure. Instead of creating users in Azure (the more users you have, the harder it is), you can just use the existing local database and authenticate them against your own IS4 – Bojan Jul 18 '18 at 12:05
  • @juunas This requires a subscription, so it's not free. Is there another solution? – Bojan Jul 18 '18 at 12:20

2 Answers

Based on the question and clarifying comments, here is the answer as of today:

You cannot achieve the required target architecture as of today. Today the only officially supported federation for Azure AD is ADFS over the WS-Federation protocol, and Ping Federate as a preview. There is official documentation describing the federation options with Azure AD.

There have been some tests in the past, but there is nothing officially supported besides the two options mentioned.

Looking at SSO, you can however look at the other side of things:

  • You have IdentityServer and already some applications registered with it
  • You want SSO for Azure (O365) users to these applications

You can achieve what you want in the following manner:

What you certainly cannot achieve is:

Making Azure (Azure AD) authenticate users over Identity Server (at least not in a supported way!)

astaykov
  • So what you are saying is, the only option I have is Azure AD B2C, and paid plugins such as the one I mentioned in my question. Is that right? – Bojan Jul 19 '18 at 08:11
  • Can you again refine your question to explain exactly which users should have SSO to exactly which systems, and where the users are "homed" (where their identities are)? Because I am not sure that even B2C will help you. But you do not give details in your question. Like "I have users in Office 365 - users A (who are cloud only, or synchronized), I also have users in IdentityServer4 (who are local users there with user/pwd in SQL db), and I also have users in Facebook (wherever). Then I have application Z registered as relying party in [AAD|IS4|whatever]. And I want user A to do that and B this" – astaykov Jul 19 '18 at 09:36
  • Again, simply configuring IS4 as IDP for Azure AD (federation) will not work and is not supported. – astaykov Jul 19 '18 at 09:37
  • For example: I have users in a local database and an application A that is set to work with these users. Let's say app A needs to be connected to a tenant in the Azure portal where changes can be made, therefore these users also need access to this tenant. Now, instead of creating the same users in this tenant and having them sign in, we could just use SSO that will work with the same local database and sign in the user that's already using app A via IS4. So I need Azure AD to only be a service provider and trust IS4 to approve the users that log in – Bojan Jul 19 '18 at 11:30
  • That will not work. Already described in my answer why. If you want to work with Azure, your user has to be a known user in Azure AD. Not B2C. – astaykov Jul 20 '18 at 06:32
Azure AD can only be used as an endpoint as per @astaykov.

It can be an STS but it cannot be an R-STS, i.e. it cannot be an intermediate step.

The solution described above is a paid solution because it uses the RSK SAML stack.

However, you could follow the same steps using the Sustainsys .NET Core option which is free.

rbrayb
  • Azure AD is Identity Management-as-a-Service and an STS (security token service), amongst others. Its main feature is to act as an STS. STS is not "can". It is in the core of Azure AD. I am not sure what you mean by R-STS, but in its part as `federation provider` (delegating authentication to external systems like ADFS), it is also acting as, probably what you mean, an STS. I also do not see how the library you refer to will help in that case!? It is just a library for some crazy guys wanting to implement SAML2 authentication in their applications developed in the era of OpenID Connect... – astaykov Jul 18 '18 at 19:22
  • No, I mean R-STS as in https://mohamadhalabi.com/2012/12/17/adfs-2-0-by-example-part1-adfs-as-ip-sts-and-r-sts/. The Sustainsys reference was in answer to the question of "I am looking for a free option". – rbrayb Jul 18 '18 at 19:44