
Azure Single Sign-On: A Master Key in Disguise

Apparently, many designers and developers believe secure passwords must look complicated. The most secure ones, in their eyes, look something like “#sK8/a_C%eD8)”. This looks like hell and is a mess to create.

Would you like to create such a password? I wouldn’t. Instead, I would probably risk writing this password down on a note or reusing the same password several times. Maybe I would use a password manager. None of these is a great idea. Therefore, such complex requirements for passwords are a real problem for privacy and IT security.

But we need these passwords! At least that is what some guides tell us. What if I told you that you might never need to remember these complex passwords again? What if I told you that there is a concept out there that helps you access your accounts without ever actually typing in your username or password again?

The concept of Single Sign-On is a powerful one. The premise is that it can enable end users to connect to virtually any IT resource that their organisation has provided them access to through their core identity. Unfortunately, as most IT admins know, this kind of setup on a single platform has historically been far from reality. However, a SaaS Single Sign-On (SSO) solution has recently emerged that can solve this challenge. This solution is called “Azure Single Sign-On”.

Single sign-on means being able to access all the applications and resources that you need to do business, by signing in only once using a single user account. Once signed in, you can access all the applications you need without being required to authenticate (for example, type a password) a second time.

As use of SaaS applications increases within enterprises, there is a danger that productivity and user experience will suffer. If your customers use more than one SaaS application, and each application requires users to have different usernames and passwords, two types of problems can develop:

1. An individual user could be using the same username and password everywhere. This can lead to compromised passwords if one application gets attacked.

2. An individual user could be maintaining different usernames and passwords. This can lead to increased calls to the help desk for password resets.

This will limit adoption of your application within your customer’s organization.

Many organizations rely upon software as a service (SaaS) applications such as Office 365, Box and Salesforce for end-user productivity. Historically, IT staff have had to individually create and update user accounts in each SaaS application, and users have had to remember a password for each SaaS application.

Azure Active Directory extends on-premises Active Directory into the cloud, enabling users to use their primary organizational account to not only sign in to their domain-joined devices and company resources, but also all of the web and SaaS applications needed for their job.

So not only do users not have to manage multiple sets of usernames and passwords, their application access can also be automatically provisioned or de-provisioned based on their organizational group memberships and their status as an employee. Azure Active Directory introduces security and access governance controls that enable you to centrally manage users’ access across SaaS applications.

The architecture of the integration consists of the following four main building blocks:

1. Single sign-on enables users to access their SaaS applications based on their organizational account in Azure AD.

2. User provisioning enables user provisioning and de-provisioning into target SaaS based on changes made in Windows Server Active Directory and/or Azure AD.

3. Centralized application access management in the Azure portal enables a single point of SaaS application access and management, with the ability to delegate application access decision making and approvals to anyone in the organization.

4. Unified reporting and monitoring of user activity in Azure AD.
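Building block 2 (group-driven provisioning and de-provisioning) is easiest to understand as a reconciliation loop: desired access is derived from directory group membership and employee status, compared against what each SaaS application currently has assigned, and the difference is applied. The following Python is an added example written for this article; it is not Azure AD code and uses constructed sample data (users, groups, an access policy and app assignment snapshots). Note that a disabled account loses every assignment in one pass, and that an app-side account with no backing directory entry is revoked as well.

```python
"""Group-driven provisioning/de-provisioning reconciliation (added example).

Constructed data models a directory (users with status and group memberships),
an access policy mapping groups to SaaS apps, and the assignments each app
currently holds. reconcile() computes which assignments to create and revoke.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    upn: str            # user principal name, e.g. alice@example.com
    active: bool        # False once the employee has been off-boarded
    groups: frozenset   # directory group memberships


# Constructed sample directory: who is employed and which groups they are in.
DIRECTORY = [
    User("alice@example.com", True, frozenset({"marketing", "all-staff"})),
    User("bob@example.com", True, frozenset({"engineering", "all-staff"})),
    User("carol@example.com", False, frozenset({"marketing", "all-staff"})),  # has left the company
]

# Constructed access policy: group -> set of apps that group is entitled to.
POLICY = {
    "marketing": {"twitter"},
    "engineering": {"github"},
    "all-staff": {"office365"},
}

# Constructed snapshot of what each SaaS app currently has assigned.
# "dave" exists only on the app side (no directory account backs him).
CURRENT = {
    "twitter": {"alice@example.com", "carol@example.com"},
    "github": set(),
    "office365": {"alice@example.com", "bob@example.com",
                  "carol@example.com", "dave@example.com"},
}


def desired_assignments(directory, policy):
    """Compute app -> set of UPNs that should have access.

    Disabled accounts get nothing, whatever groups they still belong to,
    so an off-boarded employee is removed everywhere in one pass.
    """
    desired = {app: set() for apps in policy.values() for app in apps}
    for user in directory:
        if not user.active:
            continue
        for group in user.groups:
            for app in policy.get(group, ()):
                desired[app].add(user.upn)
    return desired


def reconcile(directory, policy, current):
    """Return (to_provision, to_deprovision), each app -> sorted list of UPNs.

    Only apps with a non-empty change appear in the result dictionaries.
    """
    desired = desired_assignments(directory, policy)
    to_provision, to_deprovision = {}, {}
    for app in set(desired) | set(current):
        want = desired.get(app, set())
        have = current.get(app, set())
        if want - have:
            to_provision[app] = sorted(want - have)
        if have - want:
            to_deprovision[app] = sorted(have - want)
    return to_provision, to_deprovision


if __name__ == "__main__":
    prov, deprov = reconcile(DIRECTORY, POLICY, CURRENT)
    print("provision:", prov)
    print("de-provision:", deprov)
```

With the constructed data, the loop provisions bob into GitHub and revokes carol from Twitter and Office 365, together with the orphaned dave account; alice's existing assignments are left alone because they already match policy.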

Azure AD supports three different ways to sign in to applications:

1. Federated single sign-on enables applications to redirect to Azure AD for user authentication instead of prompting for the application’s own password.

2. Password-based single sign-on enables secure application password storage and replay using a web browser extension or mobile app. Password-based single sign-on uses the existing process provided by the application but enables an administrator to manage the passwords and does not require the user to know the password.

3. Linked single sign-on enables Azure AD to leverage any existing single sign-on that has been set up for the application but enables these applications to be linked to the Office 365 or Azure AD access panel portals, and also enables additional reporting in Azure AD when the applications are launched there.
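The federated option above is the one in which the application never handles a password at all: it redirects the browser to the tenant’s Azure AD authorize endpoint and later receives a short-lived authorization code. The Python below is an added example written for this article (not Microsoft’s code or a library of theirs) showing both halves of that redirect with the two checks an application should make: a per-session `state` value so a callback cannot be forged or replayed into another user’s session, and a PKCE code challenge so only the application that started the sign-in can redeem the code. The tenant id, client id and redirect URI are constructed placeholders; the endpoint path `/oauth2/v2.0/authorize` under `login.microsoftonline.com` is the real Azure AD v2.0 authorize endpoint.

```python
"""Federated sign-in redirect to Azure AD with state + PKCE (added example).

The application builds the redirect instead of showing a password form, then
validates the callback before exchanging the code for tokens. The token
exchange itself (a POST to the /oauth2/v2.0/token endpoint) is not shown.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA256(verifier)) per RFC 7636."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(tenant_id, client_id, redirect_uri, session,
                        scopes=("openid", "profile")):
    """Create the redirect URL and stash state + PKCE verifier in the session.

    state binds the callback to this browser session (CSRF defence); the
    verifier stays server-side so only this app can redeem the returned code.
    """
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)   # 86 chars, inside RFC 7636's 43..128
    session["oidc_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def validate_callback(session, callback_url):
    """Check the redirect back from Azure AD; return (code, verifier).

    Raises ValueError on an error response, a missing code, or a state
    mismatch. The state is popped first so a replayed callback is rejected.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oidc_state", None)
    if "error" in query:
        raise ValueError(f"identity provider returned error: {query['error'][0]}")
    got = query.get("state", [None])[0]
    if expected is None or got is None or not secrets.compare_digest(got, expected):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("authorization code missing from callback")
    return code, session.pop("pkce_verifier")


if __name__ == "__main__":
    sess = {}   # stands in for the server-side session store (constructed)
    url = build_authorize_url("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER",
                              "https://app.example.com/callback", sess)
    print(url)
```

The design point worth noticing is that the application stores nothing but a random `state` and a PKCE verifier per session; the user’s credentials are entered only at Azure AD, so a compromise of the application database exposes no passwords.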

DEPLOYMENT

1. Using the Azure AD application gallery

The Azure Active Directory Application Gallery provides a listing of applications that support single sign-on with Azure Active Directory.

In the Azure Portal, go to Azure Active Directory.


From the left-hand section, select Enterprise Applications.


From the newly opened page, select New application to add an application on which to configure Single Sign-On (in this example, Twitter is the app on which SSO will be implemented).

Note: Different apps can have different steps; please contact us if you have any queries.


Note: If your application is not found in the Azure AD application gallery, then you have these options:

· Add an unlisted app you are using: Use the Custom category in the app gallery within the Azure portal to connect an unlisted application that your organization is using.

· Add your own app you are developing: If you have developed the application yourself, follow the guidelines in the Azure AD developer documentation to implement federated single sign-on.

· Request an app integration: Request support for the application you need using the Azure AD feedback forum.

2. After selecting the app, select Configure Single Sign-On or click Single sign-on in the application’s left-hand navigation menu (as indicated in the screenshot). The next screen presents the options for configuring single sign-on.


Depending upon the kind of application you select, you will be presented with the different methods through which you can implement SSO. Namely:

· SAML-based single sign-on: choose the SAML-based Sign-on mode if your application supports the SAML or OpenID Connect protocols.

· Password single sign-on: choose the Password-based Sign-on mode if your application renders an HTML username and password field and you want to store that username and password securely to be replayed to the application later.

· Existing single sign-on: Select this option to add a link to an application to your organization’s Azure AD Access Panel or Office 365 portal. You can use this to add links to custom web apps that currently use Azure Active Directory Federation Services (or other federation service) instead of Azure AD for authentication.

· Linked single sign-on: choose the Linked Sign-on mode if you have an application that is already connected to an existing single sign-on solution, or if you just want to publish a simple link for your users in their Application Access Panel or Office 365 application launcher.

3. Next, assign the accounts that can access the application. Select the accounts and groups that you would like to have access to the application.


4. You will now be required to enter the credentials to the Twitter account on behalf of the user. When the user accesses Twitter via the Dashboard, they will be automatically logged in to the account. The user never sees the credentials, therefore protecting your SaaS application from misuse.

When you add a new user, click Assign Credentials to add sign-in credentials for the user.


Click OK and then Assign to save the credentials for that particular user.

5. Twitter has now been added to the list of SaaS applications my company uses.

Now when users access the My Apps portal at myapps.microsoft.com, the assigned SaaS applications are listed, including the Twitter app.


In our example, when the user clicks the Twitter icon, they will be logged in to the company Twitter account automatically.

If our user leaves the company we can easily disable their corporate access to Twitter, preventing any unwanted content from the company account.

In a few short steps, you are now able to provide a quick and easy way for your users to log on to the company applications they need access to (and just as easily restrict that access) through a simple, easy-to-use web interface. Azure Active Directory is a powerful identity and access management tool that can easily be overlooked in the Azure offering.
