Combining custom registration and Azure AD?

Question

I'm in a pickle, lacking the experiences that would provide me with guidance in my project and am seeking pointers from those for whom have Azure AD, SSO and Federation experience.

I am building an employee self service system and using Azure AD for identity management. I would like the user to be able to sign in using their employee ID # and password, not their email address; there should also be an option for the user to register for online access using their employee ID # and other personal information - their Azure Identity already having been established by humane resources.

The sign in flow would take the user to the Microsoft login page which would in turn detect that the user needs to sign in via a custom login page and redirect them there. Once they are signed in, my server would transmit their identity to Azure AD and grant them access based on the Azure Application permissions.

I'm simply really confused about how to start setting this up, if it's even possible. I'm aware of XSS but isn't Federation and SSO with SAML2 secure?

Do I need to use a federation application as a middle-man such as Ping Identity?

Thanks for any help!

Answer 1

Using eg Ping as an IDP generally won't help because Azure AD is already an IDP.

Microsoft Azure AD login pages can't be accessed by API and can't be customised to the extent you want.

And you can only sign-in with an email address because it's designed for domain-joined corporate customers.

You can do a lot of what you require with Azure AD B2C and custom policies. That will allow you to sign-in with a user name (= employee id) and you can create workflows.

You could then federate Azure AD and Azure AD B2C.

Your other option is to use an IDP that does allow authentication via an API eg Auth0.

Then you could have a custom login page that authenticates as appropriate.

Answer 2

Using Ping ID and other similar products is the fastest way to utilize SSO.