Can Azure AD be used with SAML based Identity Providers?


We're evaluating a couple options to implement single sign on for an application as we bring on some new customers and we've been trying to figure out if Azure AD can help us.

The app has a web API and a single page application web site. So we are looking to protect the web API with an oAuth flow and evaluating using Azure AD or Identity Server v3 as an option to do this. We need to connect to a SAML identity provider. (Ultimately we want to support multiple identity providers based on the customer logging in, but some with SAML IDPs and we may also use Azure B2C for local users, but I don't want to get distracted by that yet)

My main question for now: Can Azure AD be used so that I can have some users authenticate against a SAML based identity provider that their organization hosts?

So Azure AD would handle authorization to my web API? My web API would be using OWIN middleware to detect bearer tokens and redirect to Azure which would redirect to the customer identity provider for login. I think this used to be under the ACS feature of Azure, but changed to be under the Azure AD umbrella term and I'm not sure what it can do.

Clarification #1: I don't want to use Azure AD as my identity provider. I wanted to have it secure my app with oAuth tokens flow but redirect to a separate customer-hosted identity provider for authentication. So I'd go to www.contosobikes.com which uses an API api.contosobikes.com which is secured by AD issued tokens but then I have things "registered" so users sign in at id.somecustomer.com and then are redirected back. This is the type of stuff I think we can achieve with Identity Server and I'm trying to see if Azure AD can do this or not.

3
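For the web API half of the setup described in the question, the OWIN bearer-token middleware only validates tokens that Azure AD has already issued (the sign-in redirect, including any hop to a federated customer IdP, is driven by the SPA, not by the API). The following Startup class is an added example, not code from the question or the answers; it assumes the Microsoft.Owin.Security.ActiveDirectory package (3.x, where TokenValidationParameters lives in System.IdentityModel.Tokens), and the tenant name is a placeholder.

```csharp
using System;
using System.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

[assembly: OwinStartup(typeof(ContosoBikes.Api.Startup))]

namespace ContosoBikes.Api
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Placeholder tenant; in a real deployment both values come from configuration.
            const string tenant = "contosobikes.onmicrosoft.com";
            // The App ID URI of the API registration; tokens minted for any other
            // resource in the tenant are rejected by the audience check below.
            const string audience = "https://api.contosobikes.com";

            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    // The middleware fetches the tenant's federation metadata and uses
                    // the signing keys published there to verify the token signature,
                    // so only Azure AD-issued tokens for this tenant pass.
                    Tenant = tenant,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidAudience = audience,
                        // Keep lifetime validation on; a small skew tolerates clock
                        // drift between the API host and the token issuer.
                        ValidateLifetime = true,
                        ClockSkew = TimeSpan.FromMinutes(2)
                    }
                });
        }
    }
}
```

Requests without a valid bearer token get a 401 from the middleware rather than a redirect, which is what the SPA uses as its cue to start the Azure AD sign-in flow.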

There are 3 answers

2
Trondh On

Yes. Azure AD Premium has the ability to act as a SAML identity provider. The basic (non-paid) version only allows this for a preconfigured list of apps in the so-called Azure AD App gallery, which won't help you.

Here's the link to the description from MS: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

You can also plug an auth provider such as Auth0 on top of Azure AD in order to "SAML-enable" Azure AD without upgrading to the premium tier.

In your question you mention both oAuth and SAML - which is confusing. It is my understanding that the two are mutually exclusive.

0
MukulChakane On

Yes, Azure AD can be used as a SAML Identity provider. Azure AD has some features that ADFS lacks, such as user groups already being sanitized for use in your application, whereas in ADFS we need to parse the user groups from the X500 distinguished name format.

1
Saca On

Azure AD can be federated with SAML based IdPs.

You can find the list of supported/tested SAML based IdPs here: https://www.microsoft.com/en-us/download/details.aspx?id=56843

You should also be able to federate any other SAML based IdP provided you meet the requirements and follow the steps outlined in this document: https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx