SAML SSO: Is AD Connect one-way connection enough?

Radiolontra 136 Reputation points
2021-03-02T16:35:21.057+00:00

Hi,
my local AD is connected to Azure directory using ADConnect, in a one-way connection.
Users are authenticating to 365 services using domain credentials.
No password writeback is available, and we're happy like this, at the moment.
From a networking point of view, everything is very simple, and I don't have any exposed services required for the connection.

Now, for a small subset of these users, I might want to buy Azure P1 licenses, and enable SAML authentication on a cloud service we use.

What I don't understand, from Microsoft architecture documentation, is if I can do it with my existing infrastructure or if I need to deploy more internet-facing servers in order to set up a full federation, with bi-directional sync.

Any advice will be appreciated!


Accepted answer
  1. amon 121 Reputation points Microsoft Employee
    2021-03-02T17:29:06.803+00:00

    Hi @Radiolontra

    I'll divide the answer into 3:

    1. Enabling SAML authentication for an app
    2. AD Federation
    3. Bi-directional sync

    1. SAML authentication using an identity in Azure Active Directory -
       When using SAML, you delegate the authentication and authorization for your app to an external identity which you trust, in this case Azure AD.
       Since your users are synced to Azure using ADConnect, you can use your AD identity to authenticate.
       Note: *this will not require any additional licensing and is available in the free Azure AD subscription*
       To authenticate an app, you need to create an application in your AD, enable SAML authentication and configure your app. It's actually pretty straightforward (unless you require special configuration) and here is a great explanation on how to set it up.
    2. Active Directory federation is an extension to your local environment, to enable federation for internet-facing applications. This document explains it better than I could. If you set up ADFS, you will be able to federate your applications' authentication (and authorization) to your local AD, but this will require you to set up ADFS and expose it to the internet.
    3. From how I read your question, bi-directional sync can mean either of two things:
       a. Password hash sync
       b. Seamless Single Sign-On

    Bottom line (if I understood your question correctly): you can set up SAML authentication for your app in your current configuration.

    1 person found this answer helpful.
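The accepted answer turns on which AD Connect features are actually switched on: password hash sync is still on-prem-to-cloud only, while password writeback (and the other writeback features) is what makes the flow bi-directional. The following is an added example, not code from any answer above or from Microsoft, for summarising that on the AD Connect server itself. It assumes the ADSync module is installed there, that you run it elevated, and that `Get-ADSyncAADCompanyFeature` exposes the property names used below (an assumption based on current builds; check with `Get-ADSyncAADCompanyFeature | Format-List` first).

```powershell
# Added example: summarise the sync direction configured on this Azure AD Connect server.
# Assumption: run elevated on the AD Connect server with the ADSync module present.
Import-Module ADSync

function Get-SyncDirectionSummary {
    # Feature flags as AD Connect reports them for the tenant (property names assumed).
    $features  = Get-ADSyncAADCompanyFeature
    $scheduler = Get-ADSyncScheduler

    [pscustomobject]@{
        # On-prem -> cloud only: lets users sign in to cloud services with domain credentials.
        PasswordHashSync  = [bool]$features.PasswordHashSync
        # Cloud -> on-prem: the one setting from the thread that needs a P1 licence.
        PasswordWriteBack = [bool]$features.PasswordWriteBack
        # Other cloud -> on-prem flows that would also make the sync two-way.
        UserWriteback     = [bool]$features.UserWriteback
        DeviceWriteback   = [bool]$features.DeviceWriteback
        GroupWriteback    = [bool]$features.UnifiedGroupWriteback
        SyncCycleEnabled  = [bool]$scheduler.SyncCycleEnabled
        NextSyncCycleUtc  = $scheduler.NextSyncCycleStartTimeInUTC
    }
}

function Test-OneWaySync {
    param([Parameter(Mandatory)] $Summary)
    # One-way means no feature writes anything back into the on-prem forest.
    -not ($Summary.PasswordWriteBack -or $Summary.UserWriteback -or
          $Summary.DeviceWriteback  -or $Summary.GroupWriteback)
}

$summary = Get-SyncDirectionSummary
$summary | Format-List

if (Test-OneWaySync -Summary $summary) {
    'Sync is one-way (on-prem -> Azure AD). SAML apps can be federated through Azure AD as-is; no extra internet-facing servers are needed.'
} else {
    'At least one writeback feature is enabled, so AD Connect is writing cloud changes back on-prem. Review which ones are intended and licensed.'
}
```

Seamless SSO is not reported by this cmdlet; it is configured separately through the AD Connect wizard, so check it there.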

5 additional answers

  1. Radiolontra 136 Reputation points
    2021-03-03T14:09:32.533+00:00

    Thanks a lot everything is clear now!


  2. Radiolontra 136 Reputation points
    2021-03-03T10:00:32.34+00:00

    @VipulSparsh-MSFT you mean check licensing of the non-Microsoft application I need to authenticate to Azure, right?

    Regarding password writeback, enabling it in AD Connect setup means it is enabled for all users, and all of them require P1 licenses? Or can I also distinguish between who I want to be able to write back and who doesn't?


  3. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2021-03-03T04:56:09.587+00:00

    @Radiolontra Single sign-on with a SAML app in Azure AD is free from the Azure AD side but can be a premium service from the app side. So check which service plan from the application side you need to implement.

    You do not need ADFS for federation (you will be able to do this with your existing infra), as in your scenario Azure AD would be your federation entity to the SAML app.
    You will need at least an Azure AD Premium license (P1) to be able to enable password writeback, where the password reset in the cloud is synced back to on-prem (you need to run the Azure AD Connect wizard for this and check the password writeback option).

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

    1 person found this answer helpful.

  4. amon 121 Reputation points Microsoft Employee
    2021-03-02T22:30:57.743+00:00

    Hi @Radiolontra

    Regarding the pricing, check out the pricing here in the row "Single Sign-On (SSO) (unlimited)". You can have unlimited applications as long as they are cloud applications. As soon as you start integrating on-premises apps you will require a license (take a look at footnote 2).

    Regarding password writeback, that is the password hash synchronization - it's a two-way sync (if I understood your setup correctly, currently you have only one way, from your on-prem to the cloud).

    1 person found this answer helpful.