We're evaluating a couple of options to implement single sign-on for an application as we bring on some new customers, and we've been trying to figure out if Azure AD can help us.
The app has a web API and a single-page application web site. So we are looking to protect the web API with an OAuth flow and evaluating using Azure AD or IdentityServer v3 as an option to do this. We need to connect to a SAML identity provider. (Ultimately we want to support multiple identity providers based on the customer logging in, some with SAML IdPs, and we may also use Azure B2C for local users, but I don't want to get distracted by that yet.)
My main question for now: Can Azure AD be used so that I can have some users authenticate against a SAML based identity provider that their organization hosts?
So Azure AD would handle authorization to my web API? My web API would be using OWIN middleware to detect bearer tokens and redirect to Azure, which would redirect to the customer identity provider for login. I think this used to be under the ACS feature of Azure, but changed to be under the Azure AD umbrella term, and I'm not sure what it can do.
Clarification #1: I don't want to use Azure AD as my identity provider. I want to have it secure my app with an OAuth token flow but redirect to a separate customer-hosted identity provider for authentication. So I'd go to www.contosobikes.com, which uses an API at api.contosobikes.com that is secured by AD-issued tokens, but then I have things "registered" so users sign in at id.somecustomer.com and are then redirected back. This is the type of thing I think we can achieve with IdentityServer, and I'm trying to see if Azure AD can do this or not.
Yes. Azure AD Premium has the ability to act as a SAML identity provider. The basic (free) tier only allows this for a preconfigured list of apps in the so-called Azure AD App Gallery, which won't help you.
Here's the link to the description from MS: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps
You can also plug an auth provider such as Auth0 on top of Azure AD in order to "SAML-enable" Azure AD without upgrading to the premium tier.
In your question you mention both OAuth and SAML, which is confusing. It is my understanding that the two are mutually exclusive.
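The question describes the web API as OWIN middleware that "detects bearer tokens and redirects". The example below, added here and not code from the original poster or from any Microsoft sample, shows what the API side of that design actually looks like when the API is protected by Azure AD-issued tokens: the bearer middleware only validates the token on each request (signature against the tenant's published signing keys, issuer, audience, lifetime) and answers unauthenticated calls with 401; the redirect to a login page is the single-page app's job, not the API's. Whatever identity provider the user ultimately signs in at, the API only trusts tokens issued and signed by the Azure AD tenant named here. The tenant name, audience URI, namespace and `OrdersController` are hypothetical, and the `TokenValidationParameters` namespace depends on which version of the JWT package the OWIN middleware pulls in (`System.IdentityModel.Tokens` for the older 3.x line).

```csharp
using System.IdentityModel.Tokens;   // TokenValidationParameters (3.x middleware)
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

[assembly: OwinStartup(typeof(ContosoBikes.Api.Startup))]

namespace ContosoBikes.Api   // hypothetical project name
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Hypothetical tenant and audience values, for illustration only.
            const string tenant = "contosobikes.onmicrosoft.com";
            const string audience = "https://api.contosobikes.com";

            // Bearer middleware: it validates the Authorization: Bearer <jwt>
            // header on each request and never redirects. A missing or bad
            // token produces 401 with a WWW-Authenticate: Bearer challenge,
            // which the single-page app turns into a redirect to the login page.
            // Signing keys and the expected issuer come from the tenant's
            // federation metadata document, so signatures are checked against
            // Azure AD's published keys rather than anything stored locally.
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Tenant = tenant,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        // Reject tokens minted for a different API in the same
                        // tenant; a valid signature alone is not enough.
                        ValidAudience = audience,
                        ValidateAudience = true,
                        ValidateIssuer = true,
                        ValidateLifetime = true,
                    }
                });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    // [Authorize] means any request without a validated bearer token is
    // rejected before the action body runs.
    [Authorize]
    [RoutePrefix("api/orders")]
    public class OrdersController : ApiController
    {
        [HttpGet, Route("")]
        public IHttpActionResult Get()
        {
            var principal = (ClaimsPrincipal)User;

            // The JWT "tid" claim is mapped to this long claim type by the
            // inbound claim-type map. It identifies the Azure AD tenant that
            // issued the token, i.e. the issuer the API trusts, not the
            // upstream provider the user typed a password into.
            var tenantId = principal
                .FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
            var upn = principal.FindFirst(ClaimTypes.Upn)?.Value;

            return Ok(new { tenantId, upn });
        }
    }
}
```

The security-relevant point of this setup is the separation of duties: the API is a pure resource server and holds no login logic, while the single-page app obtains the token from the authorization server and attaches it to each call. If the authorization server is later configured to send users to a customer-hosted SAML IdP, nothing in this API changes, because the token it validates is still issued by the tenant it trusts.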