Table of Contents
Azure Active Directory SSO Setup Guide
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud based directory and identity management service. This documentation describes steps to setup & test Azure AD based single sign-on facility on Learnexa.
Assumption: The working assumption is that the learning site will operate in “Private” mode, which will immediately force the Azure AD login page to appear for any unauthenticated visit.
Azure AD authentication - OAuth 2.0
OAuth 2.0 is one among the authentication protocols supported by Azure AD. Since we already use OAuth2 in Google apps SSO, we can integrate Azure AD inline to existing Google OAuth2 implementation.
In the process of authentication, Azure AD acts as an identity provider, responsible for verifying the identity of users and applications that exist in an organization’s directory. An application that wants to outsource authentication to Azure AD must be registered in Azure AD.
Authentication Workflow
Use case option 1:
Like Google sign on, user clicks on 'Sing in with Azure' and get redirected to Azure AD for authentication.
User Sign in:
Redirected to Azure AD:
Use case option 2:
Invoking subsite URL, will lead to landing/home page and auto redirects to Azure AD for authentication.
Landing on sub-site:
In a few seconds auto redirect to Azure AD for authentication:
Use case option 3:
Invoking subsite URL, will leads to Azure AD for authentication.
Azure AD for authentication first:
Returns to Learnexa after successful login:
Design
Configuration
- Add a new tab 'Azure' under Manage Site, Single Sign-On Settings
- The new tab will have an option to enable Azure SSO and to enter Site/Client specific Azure AD 'Client ID', 'Tenant ID' & 'Reply URL/URI'
User Creation Flow
User creation flow is very much similar to Google Apps.
- Show a link on the login screen of the learning site to login using Azure AD. Clicking on this will take the user to Azure login page if he is not logged. After login in it will redirect him to my learning page. In the background, Azure would have redirected the user to the learning site's callback URL and we would have created the account for him if there was no account already with this email.
- The user session is maintained through cookies in the same way as we do for Google SSO.
- If the user wants to login using Azure AD again, he can follow the same procedure as indicated in the first point.
- Users are created with the default privileges of the learning site. (Learners if default user creation privilege is set as learners).
Implementation
This implementation is based on gem 'omniauth-azure-oauth2'- https://github.com/KonaTeam/omniauth-azure-oauth2
Configuration
Using OmniAuth, add Azure AD as a new provider to Learnexa's OmniAuth::Builder. The provider requires the Azure AD client id and the Azure AD tenant.
Add the configuration in config/initializers/omniauth.rb
ActionController::Dispatcher.middleware.use OmniAuth::Builder do provider :azure_activedirectory, ENV['AAD_CLIENT_ID'], ENV['AAD_TENANT'] ...
Execution
In Sign-in page have an additional option 'Sign in with Azure AD'
While authenticating user, simply redirect to /auth/azureactivedirectory. From there, OmniAuth will take over. Once the user authenticates (or fails to authenticate), they will be redirected to /auth/azureactivedirectory/callback or /auth/azureactivedirectory/failure. The authentication result is available in request.env['omniauth.auth'].
Add routes
%w(get post).each do |method|
send(method, '/auth/:provider/callback') do
auth = request.env['omniauth.auth']
Database
Make use of the existing tables. This can have multiple entries for the same company but with different domains.
oauth_sso_settings
| ID | integer |
| company_id | integer |
| client_id | string |
| tenant_id | string |
| client_secret | string |
| provider | string |
| callback_url | string |
| created_at | date |
| updated_at | date |
users
| created_source | string |
companies
| azure_sso_enabled | boolean |
Creating a test web application in Azure AD
https://account.windowsazure.com/organization to sign up for Azure with a new organization. Once you've completed the process, you will have your very own Azure AD tenant with the domain name you chose during sign up. In the Azure Portal, you can find your tenant by navigating to “Azure Active Directory” in the left-hand navigation.
Registering an application Active Directory tenant
- Sign in to the Azure portal https://portal.azure.com/.
- On the top bar, click on your account and under the Directory list, choose the Active Directory tenant where you wish to register your application.
- Click on More Services in the left-hand nav, and choose Azure Active Directory.
- Click on App registrations and choose Add.
- Enter a friendly name for the application, for example 'Learnexa' and select 'Web Application and/or Web API' as the Application Type.
- For the sign-on URL, enter the base URL for the sample, which is by default https://www.learnexa.com/.
- For the App ID URI, enter https://your_tenant_domain.learnexa.com/, replacing <your_tenant_domain> with the domain of your Azure AD tenant (either in the form <tenant_name>.onmicrosoft.com or your own custom domain if you registered it in Azure Active Directory).
- While still in the Azure portal, choose your application, click on Settings and choose Properties.
- Find the Application ID value and copy it to the clipboard.
- In the same page, change the “Logout Url” to https://www.learnexa.com/Account/EndSession. This is the default single sign out URL for this sample.
- Find “multi-tenanted” switch and flip it to yes.
- Configure Permissions for your application - in the Settings menu, choose the 'Required permissions' section, click on Add, then Select an API. Then, click on Select Permissions and select 'Sign in and read user profile'.
Collecting the Azure Client ID and Tenant ID
A quick way to get the Tenant Id for your Office 365 / Azure AD tenant is to login to the Azure AD Portal, drill down to the directory and copy the ID from the URL.
https://manage.windowsazure.com/learnexa.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/<Tenant Id>/directoryQuickStart
Reference
https://github.com/KonaTeam/omniauth-azure-oauth2
https://github.com/AzureAD/omniauth-azure-activedirectory
https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-integrating-applications
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-developers-guide
Comments
- What is the difference between Usecase2 and Usecase3? They look the same.
- (A) No difference in the system workflow, but it differs in the user interface. Usecase #2 takes the user to the landing/home page and checks is the user authentic else redirect to Azure authentication. Whereas in the usecase #3 user will land on Azure login when they are not authenticated, then redirect to the Learnexa home page.