
Authenticate web application against multiple Azure ADs?

I am thinking about developing, in general, a web application for enterprise. What I am thinking about is the following scenario:

The application should be able to serve multiple customers (called multitenancy?). That means that multiple companies could use the software for their employees.

Each of them could have their own Azure AD, or maybe not. Therefore I would like to know if it is possible to authenticate against multiple/different Azure ADs.

Let's assume that a user types in his email address user1@companyA.com; then I would try to authenticate him against the AD which is configured for companyA.com. When someone tries to log in with user361@companyB.com, then I would try to authenticate against the Azure AD which is configured for companyB.com.

Is this possible? How could I do this?

That is the exact reason why multi-tenant applications exist. So a user from any Azure AD can sign in to your application.

The way it works is like this:

  1. You define the application in your Azure AD tenant, including any permissions it might require (like ability to read data from the Azure AD Graph/access user's OneDrive through Microsoft Graph etc.)
  2. When defining the app, set it as multi-tenant.
  3. Now when a user from another organization tries to sign in to your app, they will be presented with a consent screen. This screen describes your application and the permissions it requires on their directory.
  4. Once they give their consent for the permissions the app requires, a service principal is created for the app in their directory. This principal is sort of like an account for the application that now exists in their directory.
  5. They will then be forwarded back to your app.

There are a couple important things to note on your app's side:

  1. You must redirect users to login at https://login.microsoftonline.com/common/oauth2/authorize instead of the tenant-specific endpoint.
  2. With the OpenIDConnect middleware in ASP.NET MVC, you must turn off issuer validation and do it a bit manually (you have to check that the tenant has actually signed up before).

More about single vs multi-tenant: http://www.andrewconnell.com/blog/azure-ad-what%E2%80%99s-the-difference-between-single-vs-multi-tenant

Example multi-tenant app (ASP.NET MVC): https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect
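The second point above (turn off the middleware's issuer validation, then check the tenant yourself) is the part that is easy to get wrong, because a token that is correctly signed by Azure AD still says nothing about whether that tenant is one of your customers. The following is an added illustration, not code from the question, the answer or the linked sample; it assumes the OWIN `Microsoft.Owin.Security.OpenIdConnect` middleware with `TokenValidationParameters` from the `Microsoft.IdentityModel.Tokens` namespace (older versions use `System.IdentityModel.Tokens`), and `SignedUpTenants`, `IsTenantAllowed` and the tenant GUIDs are hypothetical placeholders standing in for your own sign-up store.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;          // TokenValidationParameters, SecurityTokenValidationException
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Constructed stand-in for the sign-up database: tenant IDs that completed onboarding (placeholders).
    private static readonly HashSet<string> SignedUpTenants = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "00000000-0000-0000-0000-00000000000a", // placeholder: companyA.com tenant
        "00000000-0000-0000-0000-00000000000b", // placeholder: companyB.com tenant
    };

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client-id-of-your-multi-tenant-app>",      // placeholder
            // The /common authority serves every tenant, so there is no single issuer to pin.
            Authority = "https://login.microsoftonline.com/common",
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = false, // replaced by the per-tenant check in SecurityTokenValidated
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = context =>
                {
                    // Signature, audience and lifetime were already checked by the middleware.
                    string issuer = context.AuthenticationTicket.Identity.FindFirst("iss")?.Value;
                    string tenantId = context.AuthenticationTicket.Identity
                        .FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
                    if (!IsTenantAllowed(issuer, tenantId))
                        throw new SecurityTokenValidationException("Tenant has not signed up for this application.");
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Accept the token only if the issuer belongs to the tenant named in the token and that tenant is onboarded.
    public static bool IsTenantAllowed(string issuer, string tenantId)
    {
        if (string.IsNullOrEmpty(issuer) || string.IsNullOrEmpty(tenantId)) return false;
        // Azure AD v1 tokens carry the tenant in the issuer as https://sts.windows.net/{tid}/ (v2 tokens differ).
        bool issuerMatchesTenant = issuer.Equals("https://sts.windows.net/" + tenantId + "/", StringComparison.OrdinalIgnoreCase);
        return issuerMatchesTenant && SignedUpTenants.Contains(tenantId);
    }
}
```

Populate the sign-up store at the point where the customer's admin completes the consent flow, so that a user from an arbitrary, unrelated Azure AD tenant is rejected even though Azure AD issued them a valid token.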
