Single Sign-on (SSO) is a feature that provides the ability to access all the applications and resources that an end user needs for their day to day job using a single set of secure credentials. Azure Active Directory (Azure AD) provides the capability to enable Single Sign-on for almost 3000 applications in the Azure AD Marketplace as well as custom applications. What type of apps and how many you can configure depends on the tier of Azure AD your organization is subscribed to. Anyone can obtain a free Azure AD tenant and all Office 365 tenants automatically provide a free tier Azure AD. The following chart details what can be deployed per tier.
|Free||Basic||Premium 1 P1||Premium 2 P2|
|10 apps per user (pre-integrated SaaS and developer-integrated apps)||10 apps per user2 (free tier + Application proxy apps)||No Limit (free, Basic tiers +Self-Service App Integration templates)||No Limit (free, Basic tiers +Self-Service App Integration templates)|
Types of Single Sign-on in Azure AD
There are three types of SSO options in Azure AD: Federated, Password Vaulting, and Linked.
Federated SSO enables applications to utilize Azure AD for user authentication instead of its own credentials. This is supported for applications that support protocols such as SAML 2.0, WS-Federation, or OpenID Connect. In this scenario, when you are already logged into Azure AD, and you want to access resources that are controlled by a 3rd party SaaS (Softtware as a Service) application, federation eliminates the need for a user to re-authenticate. However, Integrated Windows Authentication (IWA) is not supported. If not already signed into Azure AD you will be redirected to login to Azure AD.
Password-based SSO, or password vaulting, enables secure application password storage within Azure AD. This leverages the existing sign-in process provided by the application, but enables an administrator to manage the passwords and does not require the user to know the password. Additionally, a user can manage their own password as well as update it. This process is similar to how Azure AD Connect Password Synchronization works from a user perspective.
For password-based SSO, the following browsers are supported
- Internet Explorer 8, 9, 10, 11 -- on Windows 7 or later
- Chrome -- on Windows 7 or later, and on Mac OS X or later
- Firefox 26.0 or later -- on Windows XP SP2 or later, and on Mac OS X 10.6 or later
Linked SSO, formely Existing Single Sign On, uses an already configured SSO application, such as an application integrated with Active Directiry Federation Services (AD FS), but allows you to add a link to an application for the users to select and direct them to the application sign in page.
Ways to access your application
There are multiple ways to access your applications after they have been enabled for SSO and assigned to a user.
Office 365 Application launcher
For organizations that have deployed Office 365, users can browse to https://portal.office.com/myapps to view assigned 3rd party SaaS apps. Users can also pin apps so they show up on their dashboard.
The Access Panel is also available on mobile devices (Android 4.1 or later and iOS version 7 and later)
Azure AD supports using a direct URL link to access individual applications without having to go through Office 365 or the Access Panel. The URL is provided by Azure AD and can be provided to users or added to a webpage.
Direct sign on from Application page
Most applications support the ability to sign in directly from the application sign on page or even have automatic redirects as soon as you access the sign in page. Whether the automatic redirection occurs or not, the user will be taken to Microsoft’s login page for authentication directly against Azure AD.
Future with AAD SSO
A common trend with all the means to access SaaS applications enabled for SSO is the need to access the app from some form of a Microsoft page. This doesn’t necessarily translate to a true or seamless SSO experience for users. Currently in Preview (as of this writing), Microsoft is developing AAD Seamless SSO. Seamless SSO can be enabled with the latest version of Azure AD Connect with no additional licensing requirements and all Azure AD editions support it. Seamless SSO provides support for Integrated Windows Authentication (IWA) and will work the same way other applications use IWA.
The process is illustrated below:
- Azure AD challenges the client, via a 401 Unauthorized response, to provide a Kerberos ticket.
- The client requests a ticket from Active Directory (on-premises)
- Active Directory returns a Kerberos ticket to the client. The ticket is encrypted and includes the identity of the user currently signed in to the desktop.
- The client sends the Kerberos ticket to Azure AD.
- Azure AD decrypts the Kerberos ticket using the previously shared key. If successful, Azure AD either returns a token or asks the user to perform additional proofs such as multi-factor authentication as required by the resource. If the process fails for any reason the sign-in experience falls back to its regular behavior.
For more information about Azure Active Directory Single Sign on: http://www.enablingtechcorp.com/Solutions/Secureit!/AzureActiveDirectory.aspx
Or visit http://enablingtechcorp.com/Solutions/Secureit!.aspx to see how Enabling Technologies can help you enable secure productivity in the cloud.