Technology Blog


Microsoft Azure AD Identity Solution – Part-2 !!!


Microsoft Identity as a Service (IDaaS) for Enterprise Architects

What IT architects need to know about designing a Microsoft identity solution for customers who deploy a hybrid (public and private) cloud with all types of cloud services, such as IaaS, PaaS and SaaS.

Brief Introduction

In my previous article “Microsoft Azure AD Identity Solution – Part-1 !!!”, we discussed Microsoft Azure AD as an identity solution in detail, and how the Azure identity (IDaaS) solution addresses the challenge of seamless access to, and integration with, a wide range of legacy apps and modern SaaS services in a multi-cloud hybrid environment spanning AWS, Azure and Google Cloud.

In this article, we focus on further industry use cases of the Azure identity solution and its integration capabilities: seamless single sign-on (SSO) and multi-factor authentication (MFA), Azure AD collaboration with business-to-business (B2B) partners and business-to-consumer (B2C) customers, and finally the Azure AD application proxy.

Seamless SSO and MFA solution to SaaS and on-premise applications

Azure AD integration with a hybrid cloud provides seamless single sign-on (SSO) and multi-factor authentication (MFA) to SaaS and on-premises apps. The figure below shows how an Azure AD tenant connects to SaaS apps such as Office 365, ServiceNow and others:

Figure-1: Azure AD tenant connecting with SaaS

Seamless single sign-on with an Azure AD tenant covers the following:

  • The emerging need for unified application access and single sign-on to all types of SaaS applications
  • A consistent user experience with single sign-on across all SaaS services and on-premises apps, using the SSO methods below:
    • Cloud SaaS apps can use OpenID Connect, OAuth, SAML, password-based, linked or disabled SSO methods
    • On-premises applications can use password-based, Integrated Windows Authentication (IWA), header-based, linked or disabled SSO methods. The on-premises options apply when the application is published through Application Proxy

The following flowchart helps identity architects decide which Azure AD single sign-on method best fits their business apps and their business scenario:

Figure-2: Azure AD single sign-on methods

A traditional enterprise SSO solution such as an on-premises corporate AD can be extended to SaaS services by using Active Directory Federation Services (ADFS).

Seamless multi-factor authentication (MFA) with an Azure AD tenant covers the following:

  • A process in which the user is prompted during sign-in for an additional form of identification, such as entering a code from their mobile phone or providing a fingerprint scan.
  • Customer on-premises applications and SaaS services do not need any changes to use Azure MFA. The verification prompt is part of the Azure AD sign-in event, which automatically requests and processes the MFA challenge when needed.
  • Azure MFA works by requiring two or more of the following:
    • A password
    • A trusted device that is not easily duplicated (a phone or hardware key)
    • Biometrics (a fingerprint or face scan)

Azure AD B2B and B2C collaboration

Azure AD B2B collaboration enables secure integration between business-to-business partners.

These new capabilities make it easy for businesses to create advanced trust relationships between Azure AD tenants so they can share their business apps (such as ServiceNow, Salesforce etc.) across companies and customers without the hassle of managing additional directories or the overhead of managing a partner’s identity solution.

The figure below shows how Azure AD B2B shares SaaS applications between a customer’s and a partner’s Azure AD tenant:

Figure-3: Azure AD B2B collaboration

Azure AD B2C is a highly available, global identity management service for consumer-facing applications that scales to hundreds of millions of identities.

Azure AD B2C integrates easily across mobile and web platforms; through it, consumers log in to all their apps through a fully customizable experience using their existing social accounts, such as Google, Facebook or LinkedIn, or by creating new credentials. The figure below shows how an enterprise Azure AD B2C tenant integrates with Azure PaaS through consumers’ social identities:

Figure-4: Azure AD B2C collaboration

Azure AD application proxy

Microsoft Azure AD Application Proxy lets customers publish web-based apps that live inside their private network and provides secure access to users outside it, as follows:

  • Employees can log in to their apps from home on their own devices and authenticate through this Azure AD cloud-based proxy
  • By using the Azure AD proxy, customers can also protect their on-premises apps with the same requirements as other cloud-based apps, such as MFA and other conditional access policies.
  • Application Proxy works by installing a slim Windows service called the “Connector” inside the private network; the connector maintains an outbound connection from within the private network to the Azure AD proxy service

The figure below shows how an on-premises application is accessed through the Azure AD Application Proxy.

Figure-5: Azure AD application proxy
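The publishing flow described above, as an added example that is not part of the original post: it uses the AzureAD PowerShell module to publish an on-premises app through Application Proxy with Azure AD pre-authentication (so MFA and Conditional Access apply before any request reaches the internal app) and enables Integrated Windows Authentication SSO. The app name, URLs and Kerberos SPN are placeholders, and a connector group with an installed connector is assumed to exist already.

```powershell
# Added example, not code from the original post. Assumes the AzureAD module is
# installed and at least one Application Proxy connector is already registered.
Connect-AzureAD

$displayName = 'HR Portal'                                   # placeholder: display name of the published app
$internalUrl = 'http://hrportal.corp.example/'               # placeholder: internal URL the connector reaches
$externalUrl = 'https://hrportal-contoso.msappproxy.net/'    # placeholder: external URL handed to users

# Weak setting to avoid: -ExternalAuthenticationType Passthru forwards requests to
# the internal app without an Azure AD sign-in, so MFA and Conditional Access never
# run. The setting used here, AadPreAuthentication, is what the post's bullets rely on.
New-AzureADApplicationProxyApplication -DisplayName $displayName `
    -ExternalUrl $externalUrl `
    -InternalUrl $internalUrl `
    -ExternalAuthenticationType AadPreAuthentication

# Look up the application object so SSO can be configured on it.
$appObject = Get-AzureADApplication -Filter "DisplayName eq '$displayName'"

# Integrated Windows Authentication SSO for the on-premises app: the connector
# obtains a Kerberos ticket for the app's SPN on the signed-in user's behalf.
# Kerberos constrained delegation to that SPN must already be configured in
# on-premises AD for the connector host; the SPN below is a placeholder.
Set-AzureADApplicationProxyApplicationSingleSignOn -ObjectId $appObject.ObjectId `
    -SingleSignOnMode OnPremisesKerberos `
    -KerberosInternalApplicationServicePrincipalName 'http/hrportal.corp.example' `
    -KerberosDelegatedLoginIdentity OnPremisesUserPrincipalName

# Verify: external access must report AadPreAuthentication, not Passthru.
Get-AzureADApplicationProxyApplication -ObjectId $appObject.ObjectId |
    Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType
```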

For more insight into my previous article, “Microsoft Azure AD Identity Solution – Part-1 !!!”, refer to the link below:

Microsoft Azure AD Identity Solution – Part-1 !!!

Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory services and cyber security with large global customers. He is a senior cloud consultant and has successfully delivered various kinds of global projects, including greenfield, consolidation, separation and migration.

Managing and Securing Employee’s Personal Devices (BYOD) through Active Directory 2012 R2 !


BYOD (Bring Your Own Device) can now be managed through Microsoft Active Directory 2012 R2:

A few weeks back, I published my blog “Microsoft Windows Server 2012 R2 Top 20 Released Features!”, and two of its important features are “Workplace Join” and “Multitenant VPN gateway”. Today, let’s discuss these features in more detail.

As per Microsoft TechNet Article:

“One of the most prevalent IT industry trends at the moment is the proliferation of consumer devices in the workplace. Employees and partners want to access protected corporate data from their personal devices, from checking email to the consumption of advanced business applications. IT administrators in organizations, while wanting to enable this level of productivity, would like to continue to ensure that they can manage risk and govern the use of corporate resources.”

In Windows Server® 2012 R2, Active Directory has been enhanced with the value propositions below, which connect employees’ personal devices to the internal corporate network so they can access their applications from anywhere, at any time, in a secure manner. It enables IT to empower users to be productive from a variety of devices:

  • Workplace Join – IT administrators can allow devices to be associated with the company’s Active Directory and use this association as a seamless second factor of authentication.
  • Single Sign-On (SSO) from devices that are associated with the company’s Active Directory
  • Managing risk – enable users to connect to applications and services from anywhere with Web Application Proxy
  • Multi-Factor Access Control and Multi-Factor Authentication (MFA) – manage the risk of users working from anywhere and accessing protected data from their own devices.

Workplace Join:

Though the name “Workplace Join” is self-explanatory, let me explain: an employee can “join” his or her own device to his or her “workplace” (internal corporate applications and data). In simple terms, employees can access their applications and data from anywhere, on any device.

To do so, employees register their devices with their AD domain. The device then appears in AD with its associated owner and is trusted when requesting and running company-secured applications, accessing company-secured data or accessing company-secured resources.

To get more detail on Workplace Join – Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications Overview

Single-Sign-On (SSO):

When a user joins a device to the workplace, it becomes “a known device and will provide seamless Second Factor Authentication and Single-Sign-On (SSO) to workplace resources and applications.” Once the device is “known”, the IT administrator can leverage that knowledge to apply and enforce additional configurations and policies (for example, pushing company policy settings to the device). Administrators can control who has access to company resources based on application, user, device and location.

Practically speaking, the Device Registration Service (DRS) is a new feature of the Active Directory Federation Services (ADFS) role. It allows users to register their devices in the AD domain, tracks each device’s certificate, which represents the device’s identity, and provides an on-boarding mechanism for Single Sign-On (SSO) with appropriate conditional access.

Single Sign-On (SSO) is the functionality that reduces the number of password prompts the end user has to answer when accessing company resources from known devices. Users are prompted only once during the lifetime of the SSO session when accessing company applications and resources. For example, a user wants to access several applications (SharePoint, Exchange and HR) from their device: without SSO, the user would be prompted to log in to every application they try to access; with SSO, the user is asked only once.

As mentioned above, the Device Registration Service that is part of the ADFS role allows claims-based authentication based on trusted certificates. Once the user is authenticated (username + password + trusted device with its certificate), the claim is trusted and validated, and can be used to launch company applications or access company data.

To get more detail on Single Sign-On – Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications Overview or Single sign-on Wikipedia, the free encyclopedia

Managing Risk through Web Application Proxy:

Web Application Proxy is a new service that is part of the Remote Access role. Web Application Proxy “provides reverse proxy functionality for web applications inside corporate network to allow users on any device to access them from outside the corporate network. It pre-authenticates access to web applications using ADFS, and is also known as an ADFS proxy.”

So, with SSO facilitated through DRS, the authenticated AD user on his or her own device can access applications on the corporate network, and the risk is managed by the reverse proxy’s secure layer without needing a third-party VPN connection.

To get more detail on Managing Risk through Web Application Proxy – Connect to Applications and Services from Anywhere with Web Application Proxy Overview

Multi-Factor Access Control and Multi-Factor Authentication (MFA):

ADFS in Windows Server 2012 R2 supports more than just permit (or deny) decisions for the user in ADFS claims. Microsoft added multi-factor authentication based on user, device, data and location, and authorization claim rules now have a greater variety of claim types.

“In ADFS in Windows Server® 2012 R2, Administrator can enforce multi-factor access control based on user identity or group membership, network location, and device (whether it is workplace joined)”

To get more detail on Multi-Factor Access Control and Multi-Factor Authentication (MFA) – Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications Overview
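The multi-factor access control described above, as an added example that is not part of the original post: it uses the ADFS PowerShell module on a Windows Server 2012 R2 federation server to attach an issuance authorization rule (permit only a given group, and only from workplace-joined devices) and an additional authentication rule (require a second factor when the request arrives from outside the corporate network) to one relying party trust. The relying party name and group SID are placeholders.

```powershell
# Added example, not code from the original post. Assumes it runs on an ADFS
# 2012 R2 server with Device Registration Service enabled, so device claims exist.
Import-Module ADFS

$rpName     = 'HR Portal'                 # placeholder: display name of the relying party trust
$hrGroupSid = 'S-1-5-21-REPLACE-ME-1234'  # placeholder: SID of the AD group allowed to use the app

# Issuance authorization: permit only HR group members, and only when the
# request carries the device claim that marks the device as workplace joined.
# Anything not explicitly permitted is denied by ADFS.
$authzRules = @"
@RuleName = "Permit HR staff on workplace-joined devices"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$hrGroupSid"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Additional authentication: demand a second factor whenever the request came
# through the Web Application Proxy (insidecorporatenetwork == false).
$mfaRules = @"
@RuleName = "Require MFA from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ms/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Apply both rule sets to the relying party trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -AdditionalAuthenticationRules $mfaRules

# Verify what is now in force for this relying party.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, IssuanceAuthorizationRules, AdditionalAuthenticationRules
```

The same additional authentication rule can be applied federation-wide with Set-AdfsAdditionalAuthenticationRule instead of per relying party.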
