MDriven Turnkey offers solutions for authenticating users. We do so by making it easy for you to provide the configuration needed to integrate with federated authentication providers like Google, Microsoft and Facebook.
All these providers give the user an easy single sign-on experience. But we cannot really be sure about what the user says about themselves; that is entirely up to the user to decide. In enterprise scenarios we are used to owning the authority and thus being sure about which users we have, and being sure that the same user is not using many aliases etc.
The de-facto standard for maintaining this in the enterprise is Microsoft Active Directory.
Microsoft Active Directory is easily replicated to Azure AD, so that the controlled knowledge about the users in the enterprise can be consumed from outside the enterprise firewalls, while most likely still being maintained and updated from inside the company. This is an increasingly popular approach and is needed for enterprise Office 365.
Azure AD supports the same basic standard that all federated authentication providers use: OpenID.
If MS-AD is the de-facto standard for solving enterprise authentication ("who am I talking to?"), it is also the de-facto standard for solving high-level authorization ("what is this person allowed to do?"). Authorization is solved by placing AD users in named security groups created in the AD.
What Turnkey now can offer is both authentication using your specific Azure AD, and a way to access the security groups that the users reside in within this AD.
This is how you go about it:
1. Set up Azure AD. Make sure you have a User, and a Security Group that the user belongs to.
2. Then go to the Applications tab (green):
– Add a new Application (WebApplication): your Turnkey site that you want to connect to this AD
– Make a note of the ClientID of this application:
3. We also need the identifier of your AD. You find this by selecting your AD (red) (you can have many in one Azure account), clicking View Endpoints (orange) and copying the URL (green):
But we only want this part of the URL: https://login.windows.net/<your-AD-Identifier>, so the trailing /saml2 should be removed.
4. Log in to LicenseAndTicket, find your site and paste the values for OpenID:
5. We must now send the new settings to our site:
6. Testing the application: we should now see a new button for logging in with OpenID:
7. Once I have logged in, I should have the SecurityGroups for the user in the SysUserClaims:
I am going to use the debugger to verify:
I can see two SysUserClaims, and their values are GUIDs. This is in fact how we get the SecurityGroup from the Azure AD: we need to look up the group's identity in Azure AD:
As you can see, the GUID for the group "accesstoam" is the same as one of the SysUserClaims in our application.
And this enables me to create an AccessGroup in the model that checks whether the current user is a member or not.
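As an added illustration of steps 3 and 7 (this is example code, not part of MDriven Turnkey), the Python below derives the OpenID authority from the copied endpoint URL and performs the AccessGroup-style membership check by comparing the group claims against the group's object id as GUIDs rather than as raw strings. The claim type name "groups", the tenant and group GUIDs and the claims list are all constructed sample values, not values from a real directory.

```python
import uuid
from urllib.parse import urlparse

# Constructed sample: the endpoint URL copied from the Azure portal (step 3),
# with a placeholder tenant id in place of your own AD identifier.
ENDPOINT_URL = "https://login.windows.net/00000000-0000-0000-0000-000000000000/saml2"

# Constructed sample of the SysUserClaims seen in the debugger (step 7).
# Assumption: group claims arrive under the claim type "groups" and carry the
# group's object id (a GUID), never the group's display name.
SYS_USER_CLAIMS = [
    ("groups", "11111111-2222-3333-4444-555555555555"),
    ("groups", "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"),
    ("name", "alice@example.com"),
]

# Constructed lookup of group object id -> name, as read off the Azure AD portal.
KNOWN_GROUPS = {"11111111-2222-3333-4444-555555555555": "accesstoam"}


def authority_from_endpoint(url: str) -> str:
    """Return https://login.windows.net/<tenant-id>: the copied endpoint URL with
    the trailing /saml2 removed. The tenant segment must parse as a GUID so a
    mis-pasted URL is rejected before it ever reaches the site settings."""
    parts = urlparse(url)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or not segments:
        raise ValueError("unexpected endpoint URL: " + url)
    tenant = str(uuid.UUID(segments[0]))  # raises ValueError if not a GUID
    return f"{parts.scheme}://{parts.netloc}/{tenant}"


def group_ids(claims) -> set:
    """Collect the group GUIDs from the claims, normalised so that letter case
    and stray whitespace cannot cause a false mismatch; malformed values are
    dropped, which keeps the check deny-by-default."""
    ids = set()
    for claim_type, value in claims:
        if claim_type != "groups":
            continue
        try:
            ids.add(str(uuid.UUID(value.strip())))
        except ValueError:
            continue
    return ids


def is_member(claims, group_id: str) -> bool:
    """AccessGroup-style check: member only if the group's GUID is among the
    group claims. A non-GUID group_id can never match."""
    try:
        wanted = str(uuid.UUID(group_id))
    except ValueError:
        return False
    return wanted in group_ids(claims)
```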