AAD – Azure Cloud-based SSO Authentication
Cloud-based user authentication, or Azure AD single sign-on with password hash sync
This lets a user sign in to a third-party SaaS application with an Azure Active Directory account, entirely within Azure. Azure AD collects and securely stores the user account information and the related password.
Azure AD can support any cloud-based app that has an HTML-based sign-in page. Using a custom browser plugin, AAD automates the sign-in process by securely retrieving the application credentials (the username and password) from the directory and entering them into the application's sign-in page on behalf of the user. The credentials are stored encrypted in the directory and are only passed over HTTPS during the automated sign-in.
Password-based single sign-on is for web applications that have an HTML sign-in page. Password-based SSO, also referred to as password vaulting, lets you manage user access and passwords for web applications that don't support identity federation. It is also useful where several users need to share a single account, such as your organization's social media accounts.
With this method, the administrator manages the password through secure application password storage. Users or groups are assigned the right to access the application, and the credentials are obfuscated during the sign-in process. The user doesn't need to know the password to access the application, and the password can be rolled over frequently for security. However, the password is still discoverable using web-debugging tools, so this mode protects against casual disclosure, not against a determined user of the account.
It also requires a browser extension or mobile app to be installed the first time you launch the application.
With password-based sign-on, your users need to sign in to the application the first time they access it. After that, Azure Active Directory supplies the username and password on behalf of the user.
- The user tries to access an application using the website of the application.
- If the user is not already signed in, the user is redirected to the Azure AD User Sign-in page.
- The user enters their username and password into the Azure AD sign-in page, and then selects the Sign in button.
- Azure AD evaluates the response and responds to the user as appropriate. For example, Azure AD either signs the user in immediately or requests Azure Multi-Factor Authentication.
- If the user sign-in is successful, the user can access the application.
Key points:
- Identity. Azure AD is the identity provider, responsible for verifying the identity of users and applications that exist in an organization’s directory, and ultimately issuing security tokens upon successful authentication of those users and applications.
- Apps location. An application that wants to outsource authentication to Azure AD must be registered in Azure AD, which registers and uniquely identifies the app in the directory.
- Code. Developers can use the open-source Azure AD authentication libraries to make authentication easy by handling the protocol details for you.
- Token validation. Once a user has been authenticated, the application must validate the user's security token (signature, issuer, audience and validity period) to ensure that authentication was successful and that the token was issued for this application.
- Protocol. The flow of requests and responses for the authentication process is determined by the authentication protocol that was used, such as OAuth 2.0, OpenID Connect, WS-Federation, or SAML 2.0.
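The token-validation key point above is where most integration mistakes happen, so here is a compact illustration of the checks an application should perform on a token issued by Azure AD. This is an added example, not Microsoft's code or a page-supplied snippet: it signs with HMAC-SHA256 and a constructed key only so that it runs offline, whereas real Azure AD tokens are RS256-signed and the verification key must be fetched from the tenant's OpenID Connect metadata (JWKS) endpoint; the tenant id, client id and claim values are constructed placeholders. In production, use a maintained library such as MSAL rather than hand-rolled validation.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders; a real app uses the tenant id and app (client) id from its Azure AD registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"   # v2.0 issuer format for a tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
DEMO_KEY = b"constructed-demo-key-not-a-real-azure-key"          # stand-in for the JWKS-published key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. HS256 stands in for Azure AD's RS256 so the example runs offline."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    if alg == "none":                       # used only to show that such tokens are rejected
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenValidationError(Exception):
    """Raised when a token must be rejected; the message names the failing check."""


def validate_token(token: str, key: bytes, issuer: str, audience: str,
                   tenant_id: Optional[str] = None, now: Optional[float] = None, leeway: int = 60) -> dict:
    """Return the claims only if every check passes; otherwise raise TokenValidationError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenValidationError("undecodable header or payload")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenValidationError("header and payload must be JSON objects")
    # Allow-list the one algorithm the app expects; never let the token choose (rejects alg=none).
    if header.get("alg") != "HS256":
        raise TokenValidationError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):   # constant-time comparison
        raise TokenValidationError("signature mismatch")
    if claims.get("iss") != issuer:
        raise TokenValidationError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenValidationError("audience mismatch")           # token was minted for another app
    if tenant_id is not None and claims.get("tid") != tenant_id:
        raise TokenValidationError("tenant mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenValidationError("token expired or missing exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        raise TokenValidationError("token not yet valid")
    return claims


def demo() -> dict:
    """Run one valid token and several constructed bad ones through the validator."""
    now = 1_700_000_000   # fixed clock so the outcome is deterministic
    base = {"iss": ISSUER, "aud": CLIENT_ID, "tid": TENANT_ID, "sub": "user-123",
            "iat": now - 10, "nbf": now - 10, "exp": now + 3600}
    results = {"valid": validate_token(make_token(base, DEMO_KEY), DEMO_KEY, ISSUER, CLIENT_ID,
                                       tenant_id=TENANT_ID, now=now)["sub"]}
    bad_cases = {
        "expired": (dict(base, exp=now - 3600), "HS256", DEMO_KEY),
        "wrong_audience": (dict(base, aud="some-other-app"), "HS256", DEMO_KEY),
        "wrong_issuer": (dict(base, iss="https://login.microsoftonline.com/other-tenant/v2.0"), "HS256", DEMO_KEY),
        "alg_none": (base, "none", DEMO_KEY),
        "wrong_key": (base, "HS256", b"some-other-key"),
    }
    for name, (claims, alg, key) in bad_cases.items():
        try:
            validate_token(make_token(claims, key, alg), DEMO_KEY, ISSUER, CLIENT_ID, tenant_id=TENANT_ID, now=now)
            results[name] = "accepted"
        except TokenValidationError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is trusted, and the audience check is what stops a token legitimately issued to a different application in the same tenant from being accepted here.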
Linked single sign-on
Office 365 uses Azure Active Directory (Azure AD) to manage user identities behind the scenes. An Office 365 subscription includes a free subscription to Azure AD so that you can integrate Office 365 with Azure AD. Linked sign-on enables applications to be linked to the Office 365 or Azure AD access panel portals, and also enables additional reporting in Azure AD when the applications are launched from there.
Azure AD single sign-on disabled
Choose the Azure AD single sign-on disabled mode if you are not yet ready to integrate this application with Azure AD single sign-on, or are simply testing it out.
Federated single sign-on
Federated single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Azure AD using the user account information from Azure AD.
In this scenario, when a user has already signed in to Azure AD and wants to access resources controlled by a third-party SaaS application, federation eliminates the need for the user to be re-authenticated.
Azure AD can support federated single sign-on with applications that support the SAML 2.0, WS-Federation, or OpenID Connect protocols.