
GuidoWalter-2453 asked, soumi-MSFT commented

Best practice: Multi-Tenant / Multi-IDP

Hi,

I just joined some sessions regarding the Identity Platform and I have a few questions regarding the best-practice use of AAD / B2C:

What I've learned is that we can integrate a multi-tenant AAD login besides all the social IDPs. In our case we would have some SAML customers as well. What we don't want to do is expose all the SSO login possibilities for the different companies, so that we don't end up with a login screen full of buttons where the user has to choose the right IDP.

So is there a way to build custom logic into that login flow? Also, I saw that we can claim the IDP provider for the logged-in user, but can we get (in the case of AAD) the tenant ID as well? This would be needed if we want to use the tenant ID for separating the tenants within our application.

Any help would be appreciated!

Thanks

Guido

azure-active-directory azure-ad-b2c

soumi-MSFT answered, GuidoWalter-2453 commented

@GuidoWalter-2453, Thank you for reaching out. Let me take you a few steps back and discuss what these multi-tenant apps are. When we say multi-tenant app, it means that some organization has developed an application and registered it in their own Azure tenant, making it Azure AD protected, and has then offered that application to be used in your tenant. In the case of OAuth applications, when you try to sign in to that application offered by the other organization, you land on a URL that looks like:
https://login.microsoftonline.com/common

/common is called the common endpoint, which can accept requests from any of the Azure AD tenants and then redirect them to the specific tenant for the user's authentication based on the user's input, i.e. his UPN.

Similarly, in the case of SAML apps, you would be registering that SAML application in your AAD tenant. You can register that application either as a non-gallery application or, if the application is present in our Azure AD app gallery, you can add it from the gallery as a gallery application. SAML apps usually support the SP-initiated sign-on process, where the user gets a login URL from the application's side and, once on that URL, gets a login form. Now it depends on the application how they have coded it, but ideally you should find an option like "login with SSO" or "login with AAD organizational account". After selecting that option, the user would be redirected to AAD for login.

When the application redirects the user to log in to AAD, the application submits a SAML request (in the case of SAML apps) to AAD and, based on that SAML request, AAD prepares the SAML response after the user successfully authenticates with AAD. This SAML response is sent by AAD to the application, and the application consumes it.

The next question is about the claims; these claims are something that AAD pushes into the SAML response token and sends to the application for consumption.

Hope this helps. Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

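The SP-initiated exchange described in the answer above (application sends a SAML request, AAD returns a SAML response, the application consumes it), worked through as an added example that is not code from the thread or from Microsoft. It assumes a hypothetical tenant ID, SP entity ID and ACS URL, and builds a constructed, unsigned sample response for the demo; the AAD endpoint and issuer URL shapes are the standard ones. The check a practitioner wants on the consuming side is visible here: the request ID is random and stored, the response's InResponseTo must match it and is consumed once, and Destination, Issuer, Audience and NotOnOrAfter are checked. XML signature verification is deliberately left to a SAML library, and nothing below may be trusted before it.

```python
"""SP-initiated SAML 2.0 with Azure AD: build an AuthnRequest, encode it for the HTTP-Redirect
binding, and check the protocol fields of the Response that comes back to the ACS."""
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical identifiers: assumptions for this example, not values from the thread.
AAD_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SSO_URL = f"https://login.microsoftonline.com/{AAD_TENANT_ID}/saml2"  # AAD SAML-P sign-on endpoint
AAD_ISSUER = f"https://sts.windows.net/{AAD_TENANT_ID}/"              # issuer AAD uses in SAML
SP_ENTITY_ID = "https://app.example.com/saml"
ACS_URL = "https://app.example.com/saml/acs"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
TS = "%Y-%m-%dT%H:%M:%SZ"
PENDING_REQUESTS = {}  # request ID -> issue time; stands in for a server-side session store

def build_authn_request(now):
    """Return (request_id, xml). The random ID is stored so the Response can be tied back to
    it via InResponseTo, which rejects unsolicited or replayed responses."""
    request_id = "_" + uuid.uuid4().hex
    PENDING_REQUESTS[request_id] = now
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{now.strftime(TS)}" Destination="{SSO_URL}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    return request_id, xml

def redirect_binding_url(xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{SSO_URL}?{query}"

def decode_saml_request(url):
    """What the IdP does on receipt: undo the binding encoding and return the request ID."""
    q = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    return ET.fromstring(xml).get("ID")

def validate_response(response_xml, now):
    """Protocol-level checks on a Response posted to the ACS; returns the NameID or raises.
    The XML signature must already be verified against the IdP metadata certificate (a job
    for a SAML library); nothing below is trustworthy without that."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in PENDING_REQUESTS:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP reported failure")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions not handled here)")
    if assertion.findtext("saml:Issuer", namespaces=NS) != AAD_ISSUER:
        raise ValueError("Assertion Issuer is not the expected tenant")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("Audience is not this SP")
    expiry = datetime.datetime.strptime(conditions.get("NotOnOrAfter"), TS).replace(tzinfo=datetime.timezone.utc)
    if now >= expiry:
        raise ValueError("Assertion has expired")
    del PENDING_REQUESTS[in_response_to]  # each AuthnRequest is answered at most once
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def sample_response(in_response_to, now):
    # Constructed, unsigned Response shaped like AAD's; for the demo only.
    expiry = (now + datetime.timedelta(minutes=5)).strftime(TS)
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" InResponseTo="{in_response_to}" Destination="{ACS_URL}">'
        f"<saml:Issuer>{AAD_ISSUER}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0"><saml:Issuer>{AAD_ISSUER}</saml:Issuer>'
        f"<saml:Subject><saml:NameID>alice@fabrikam.com</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotOnOrAfter="{expiry}"><saml:AudienceRestriction>'
        f"<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"</saml:Assertion></samlp:Response>"
    )

def demo():
    """Full round trip; returns (name_id, replay_rejected)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    request_id, xml = build_authn_request(now)
    assert decode_saml_request(redirect_binding_url(xml, "/dashboard")) == request_id
    name_id = validate_response(sample_response(request_id, now), now)
    try:
        validate_response(sample_response(request_id, now), now)  # same InResponseTo again
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return name_id, replay_rejected
```

Running `demo()` returns `("alice@fabrikam.com", True)`: the first response is accepted and the second, carrying the same InResponseTo, is refused. In a real deployment PENDING_REQUESTS lives in the user's server-side session, the Issuer check becomes a lookup of which customer tenant the issuer belongs to (this is where a multi-IdP app separates its tenants), and the signature check runs before any of the above.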

Please see the next answer, as the comments are limited to 1000 characters.

GuidoWalter-2453 answered, soumi-MSFT commented

Hi,

thank you very much for the quick answer. Understood what you said - much appreciated. But maybe I did not describe my scenario to the full extent - sorry for that!

Let's say I've built an application that runs on Azure. For this app I don't want to build my own identity management but make use of the Identity Platform (AAD / B2C).
The users for my app come from all different places (like other Azure AD tenants, companies that use SAML) and I want to allow them to use SSO from their company or their favorite social provider. As my app also uses a tenant structure, I need to make sure that I know which tenant a specific user belongs to.

  • Using this with Azure AD /common is easy, as the system redirects this to the specific tenant according to the UPN. I can have a button - as you said - "Login with M365 Work Account".

  • When users want to use a social IdP, I also want to assign them to a tenant of my app. This could be done - as I understood - by requesting custom attributes when users create a login. So I could ask them for some tenant identification in my app. These would then need to be approved by an admin of this tenant in my app. Is this correct?

  • To make things worse, some of the customers of my app have SAML endpoints for their SSO (and I can't convince them to migrate to M365 ;-)). As I don't want to have a login button for each of my SAML SSO customers, I suppose I need to build something like the /common endpoint myself to figure out where I need to redirect the user in order to let him log in. This is where I struggle to think of something that incorporates the AAD/B2C flows.

Hope this helps to make clearer what I'm up to :-)

Thanks!


@GuidoWalter-2453, Thank you for sharing the details, though I am still a little bit confused. I am trying my best to share my answers based on my understanding here.

If you are developing a SAML app and register it with your own AAD tenant, then users (normal users of your tenant + guest users present in your tenant) are the only ones who can access this application.
If you have registered this SAML app of yours in your Azure B2C tenant, then any and every user in this world with a valid email ID or social network ID would be able to log in to your app.

The above are the two major differences between an AAD tenant and a B2C tenant.

Not sure if I was able to make myself clear here. But if I failed to explain it here, I would request you to drop me an email at azcommunity[at]microsoft[dot]com and we can try to understand this in a deeper way and help you further.
When you send the email, make sure you mention this thread's URL there so it's easier for me to identify and help you quickly.


@GuidoWalter-2453, I wanted to follow up and understand if the above response helped in answering your query. If it did, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

amanpreetsingh-msft answered, amanpreetsingh-msft commented

Hi @GuidoWalter-2453, as I understand from your question, you have 2 requirements:

  • Hide IDP buttons from the sign-up/sign-in page for users who are using a SAML IDP.
    You can redirect users directly to a specific IDP (without requiring them to click on an IDP button) by providing the domain_hint parameter. For example, you can append &domain_hint=facebook.com to the login URL to redirect users directly to Facebook's authentication page.

URL without the domain_hint parameter, which shows all IDP buttons:
https://amsin.b2clogin.com/amsin.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_signup_signin&client_id=a7eb03a0-c31a-4e9c-b07c-345b94604b17&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms%2F&scope=openid&response_type=id_token&prompt=login

URL with the domain_hint parameter, which takes the user directly to the Facebook IDP:
https://amsin.b2clogin.com/amsin.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_signup_signin&client_id=a7eb03a0-c31a-4e9c-b07c-345b94604b17&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms%2F&scope=openid&response_type=id_token&prompt=login&domain_hint=facebook.com

Make sure the value that you pass as domain_hint matches the domain name in the technical profile configured for that specific IDP.

  • Get the tenant ID of users who have signed up using federated AAD.

For this purpose, you can run the PowerShell cmdlet below:

Get-AzureADUser -ObjectId OBJECT_ID_OF_THE_USER | Select-Object -ExpandProperty ExtensionProperty | Format-List

In the response, under the userIdentities key, you can find the source tenant ID in the Issuer value after http://login.microsoftonline.com/


Please do not forget to "Accept the answer" wherever the information provided helps you, so that it helps others in the community.

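Both requirements in the answer above, routing a user straight to one IdP with domain_hint and recovering the home tenant ID from the issuer of a federated AAD identity, as an added example that is not code from the thread or from Microsoft. It assumes a hypothetical B2C tenant "contoso", a placeholder client ID, and an invented table mapping customer email domains to the domain names of the technical profiles; the issuer URL shapes it recognises are the two Azure AD ones. It generalises the answer slightly: one lookup serves SAML customers, the multi-tenant AAD profile and social providers alike, which is the "/common for everything" the question asks about.

```python
"""Home-realm discovery for an Azure AD B2C sign-in (domain_hint) and home-tenant
extraction from the issuer of a federated AAD identity."""
import re
import secrets
from urllib.parse import urlencode

# Hypothetical B2C tenant and app registration: placeholders, not the thread's values.
B2C_TENANT = "contoso"
POLICY = "B2C_1A_signup_signin"
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
REDIRECT_URI = "https://jwt.ms/"
AUTHORIZE = f"https://{B2C_TENANT}.b2clogin.com/{B2C_TENANT}.onmicrosoft.com/oauth2/v2.0/authorize"

# Email domain -> value sent as domain_hint. Each value must equal the Domain metadata of the
# matching technical profile in the B2C custom policy (names assumed for this example).
REALM_MAP = {
    "fabrikam.com": "fabrikam-saml",  # SAML customer with its own technical profile
    "adatum.com": "commonaad",        # customer on Azure AD, multi-tenant AAD profile
    "facebook.com": "facebook.com",   # social IdP, as in the answer above
}

def discover_domain_hint(email):
    """Return the domain_hint for the user's email domain, or None to show all IdP buttons."""
    if "@" not in email:
        raise ValueError("not an email address")
    return REALM_MAP.get(email.rsplit("@", 1)[1].strip().lower())

def build_authorize_url(email, nonce=None, state=None):
    """Authorize URL for the policy; nonce and state are fresh random values unless given
    (never a fixed 'defaultNonce' in production, it makes ID-token replay undetectable)."""
    params = {
        "p": POLICY, "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "response_type": "id_token", "prompt": "login",
        "nonce": nonce or secrets.token_urlsafe(16), "state": state or secrets.token_urlsafe(16),
    }
    hint = discover_domain_hint(email)
    if hint:
        params["domain_hint"] = hint  # skips the IdP selection page; it is routing, not identity
    return f"{AUTHORIZE}?{urlencode(params)}"

# Azure AD issuer shapes: https://login.microsoftonline.com/{tid}/v2.0 and https://sts.windows.net/{tid}/
_AAD_ISSUER = re.compile(r"^https://(?:login\.microsoftonline\.com|sts\.windows\.net)/([0-9a-f-]{36})/", re.I)

def tenant_id_from_issuer(issuer):
    """Home tenant GUID from an Azure AD issuer value, or None for any other issuer."""
    m = _AAD_ISSUER.match(issuer)
    return m.group(1).lower() if m else None

def home_tenant_of(user_identities):
    """user_identities is the list the cmdlet above shows under userIdentities (entries with
    issuer and issuerUserId). Returns the AAD home tenant GUID, or None for social/local accounts."""
    for ident in user_identities:
        tid = tenant_id_from_issuer(ident.get("issuer", ""))
        if tid:
            return tid
    return None

# Constructed sample shaped like the cmdlet output; the GUID is a placeholder.
SAMPLE_IDENTITIES = [
    {"issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/", "issuerUserId": "dGVzdA=="},
]
```

Two design points. The hint only decides which IdP page the user lands on; the app's own tenant assignment must come from the validated ID token (its `iss`, or the `tid`/issuer claim the policy passes through), not from the email the user typed, since anyone can type `alice@fabrikam.com`. And a user whose domain is not in the table still gets a working URL, just with the full button list, so onboarding a new SAML customer is one table entry plus its technical profile.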

@GuidoWalter-2453 Have you had a chance to test this out?
