如何使用多租户ASP.NET应用程序通过Azure Active Directory进行身份验证？

Question

I have been doing some tests with Azure Active Directory trial license in my data center. Our company has our own hosting services and physical hardware, and for now we would like to keep it that way (though we may investigate moving it all to cloud services in future).

For now, we are trying to provide a single sign-on option for our customers using Azure AD. We already support this with CAS, but some customers are already using Azure AD internally and want to use this as the integrated Windows Authentication method with IIS & ASP.NET.

How do I go about setting this up in a way that supports multiple tenants? I am having trouble figuring out how to do this at the IIS level, and am finding the literature a bit lacking with respect to a clear answer.

As best I can tell, I would have to create a VM (separate Windows Server instance) for each customer, that is configured to authenticate via Azure AD and passes the windows auth credentials to IIS. This is kind of annoying.

Is there a way that I can continue to run IIS and ASP.NET web apps on my own server, but use Azure AD for Windows Authentication with ASP.NET, where each IIS web app instance has its own separate Azure AD configuration?

Can I do this at the web app root folder level? (Perhaps by setting the authorization for that folder to grant permissions to users in that customer's Azure AD?)

My goal, for example, given this Windows Server configuration:

• Host (IIS 8) "webhost"
  • Web app "A", c:\\apps\\a , authorized users include AAD "A" users
  • Web app "B", c:\\apps\\b , authorized users include AAD "B" users

Users from customer A use this url: http://webhost/a

Users from customer B use this url: http://webhost/b

When user A browses to web app A, the integrated windows authentication should either challenge user for Azure AD "A" windows username & password, or, if already authenticated, show the user content from web app A.

When user B browses to web app B, the integrated windows authentication should either challenge user for Azure AD "B" windows username & password, or, if already authenticated, show the user content from web app B.

Thanks!

Answer 1

You can most definitely leverage Azure AD on apps running on your own server. You should not need to apply settings at the IIS level. When you use Azure AD the windows integrated auth would take place between the client and Azure AD endpoints - that results in a token that is sent to the app on a channel that does not require windows integrated authentication. That's what allows your apps to be hosted anywhere, there is no infrastructural constraint on the app itself. Take a look at this sample for instructions on how to set up one app to trust an Azure AD tenant. You can apply the same process to all your apps, pointing them to different AAD tenants. Once you have done that: you can skip the interstitial auth page and get windows integrated auth by following the instructions here . I recommend you first get the sample to work, and only then focus on this last part. Tackling both things at once could be hard.