findcommonground.uk/_posts/2016-09-30-Azure-AD-Authentication-Cloud-Way.md

31 lines
2.4 KiB
Markdown
Raw Normal View History

---
layout: post
title: Azure Active Directory and Authentication the Cloud Way
subtitle:
category: howto
tags: [cloud, automation]
author: esmaeil_sarabadani
author_email: esmaeil.sarabadani@haufe-lexware.com
header-img: "images/bg-post.jpg"
---
Authenticating our users securely to our applications at Haufe has always been an important thing for us and these days with more and more cloud-based apps it is essential to be able to provide an authentication method in the cloud as a service. That is exactly where Azure Active Directory comes in to play.
Azure AD provides identity as a service and supports industry-standard protocols such as OAuth 2.0, OpenID Connect, WS-Federation, or SAML 2.0. It uses public key cryptography to sign keys and to ensure their validity. Azure AD issues security tokens which include information about the authenticated user/subject and their authorizations. These tokens are then used by applications to allow access for different tasks. [Here] you can get more information about the included information in a token.
One of the common questions I am often asked is if Azure AD is only suitable for internally-used applications to which our internal users need to authenticate?
The answer is clearly No. You can create multiple directories and use them for different applications. Of course our corporate Active Directory is one of them and is in constant synchronization with our on-premise AD database. It is also possible to design multi-tenant application (in terms of authentication) to be able to authenticate to different Azure AD directories.
To be able to use Azure AD you need to register your application in the target directory(ies). To register the application Azure requires the following information to be able to communicate with it:
-Application ID URI: The application identifier.
-Reply URL and Redirect URI: The location which Azure AD sends the authentication response to.
-Client ID: Application ID generated by Azure AD
-Key: Generate by Azure AD
You are then even able to set custom permissions to allow the application to access directory data and that is pretty much it.
I personally believe Azure AD is a very convenient way to authenticate our users to our applications. For any questions please do not hesitate to contact me.
[here]: <https://azure.microsoft.com/en-us/documentation/articles/active-directory-token-and-claims/>