Understanding Azure: Identity Management in the Cloud using Single Sign-On
Tuesday, April 10, 2018
Azure is tricky. We like to think of it as a very large room, with a series of interconnecting doors. Choosing to go through one may feel like a big commitment, but our ‘Understanding Azure’ series on this blog may just help to break Azure down into manageable chunks. With companies facing new data protection regulations, preventing unauthorised access to corporate data and protecting the identities of staff is of vital importance. So what can you do in Azure that can help?
Single Sign-On
If your customers are fed up with trying to remember a separate password for each business app they use day to day, single sign-on (SSO) is a feature that can help. It gives the user access to thousands of SaaS (Software as a Service) applications by signing in once with a single user account, as their login details remain the same everywhere they go. To use single sign-on you must have Azure Active Directory (AD) enabled; some customers may already be using Azure AD through their Office 365 user licence.
The Power of Three
There are three different ways Azure AD can be configured for your users: Federated, Password-based, and Existing. Federated is the most sophisticated option for SSO, as it lets apps redirect automatically to Azure AD for authentication instead of prompting for a password. Apps that support the SAML 2.0, WS-Federation or OpenID Connect protocols can use this method of sign-in easily.
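With Federated SSO the app never sees a password; it receives a signed token from Azure AD after the redirect and must check that the token is really for this app and this tenant. The following is an added example (not from the original post or from Microsoft) of those claim checks for an OpenID Connect ID token. It assumes the token signature has already been verified against the tenant's published signing keys by the OIDC library, uses the Azure AD v2.0 issuer format, and the tenant id, client id and token below are constructed placeholders.

```python
import base64
import json
import time

# Azure AD v2.0 issuer format; tenant id is the directory (tenant) GUID.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenant}/v2.0"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the claim set of a compact JWT (header.payload.signature).

    Assumption: the signature was verified upstream by the OIDC library;
    this function only reads the payload and must not be used on its own.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def validate_id_token_claims(claims, tenant, client_id, nonce, now=None):
    """Return (ok, reason) for the checks a relying party makes on an ID
    token after a federated redirect back from Azure AD."""
    now = time.time() if now is None else now
    # Bind the token to our own tenant: a token from another directory
    # is well-formed and correctly signed, but not ours.
    if claims.get("iss") != ISSUER_TEMPLATE.format(tenant=tenant):
        return False, "issuer is not our tenant"
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False, "token was not issued for this application"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("nbf", 0) > now:
        return False, "token not yet valid"
    # The nonce ties the token to the login attempt that started the redirect.
    if claims.get("nonce") != nonce:
        return False, "nonce does not match this login attempt"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature"
```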
Password-based SSO can be supported by Azure AD for any SaaS app that has an HTML sign-in page. Azure AD retrieves the username and password from a secure store and enters the credentials on behalf of the user. It is similar to the way Google Chrome stores passwords for a user signed in with a Gmail account, and like that feature it relies on a browser extension being enabled. The credentials can be managed in one of two ways: by an administrator, or by the user. Which is best depends on the application; administrator management suits credentials that are shared by many members of staff, such as a distribution group.
For password-based SSO to work, Microsoft states that users' browsers must be one of the following:
- Internet Explorer 11 (Windows 7 or later)
- Edge (Windows 10 Anniversary Edition or later)
- Chrome (Windows 7 / Mac OS X or later)
- Firefox 26.0 (Windows XP SP2 / Mac OS X 10.6 or later)
With Existing SSO, the admin creates a link to the desired SaaS app and places it on the Access Panel for the selected users to find. As the Access Panel is a web-based portal, it does not require users to have an active Azure subscription; it is entirely separate from the Azure portal that administrators use. Existing SSO relies on either of the two Azure AD configurations above so that your users can sign in to the app without hassle.
For more information on how to manage single sign-on for third-party SaaS apps, see Microsoft's guide on the subject. In our next few 'Understanding Azure' blogs, we'll be exploring what else you can do to secure customer identities in the cloud.