Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,567 questions
SSO using Azure OpenID
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 69%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
PK
1
Reputation point
Hi, we have an Application A which requires login via email and password. Now there is a new feature in which when a user clicks a button inside App A it should SSO into an App B.
We have Azure AD at the organization level where we have created a new OIDC app where we can generate ID tokens etc. Now how should we SSO into App B ?
Should we use grant_type=password as mentioned here in this Doc to access graph API's
What are all options do we have for a seamless SSO?
{count} votes
-
Siva-kumar-selvaraj 15,551 Reputation points2021-09-28T21:49:18.417+00:00 @PK , Thanks for reaching out.
Could you please provides more information about your App A? is that webapp or native apps? are you using MSAL/ADAL library for authentication with Azure AD?
Here are detailed guidance on SSO between MSAL app** s and SSO between ADAL and MSAL apps . In addition to that
grant_type=password(known as ROPC flow) used with non-interactive flow in which user credential stored in code and pass them during authentication and Microsoft recommends you do not use the ROPC flow. Therefore, use more secure alternatives. You should only use ROPC flow when other more secure flows can't be used.Hope this helps
-
PK 1 Reputation point
2021-09-29T13:37:36.013+00:00 Thanks for responding, It is a Web App running on IIS. I think the ADAL library will be the one that we are going to use. The problem that we have is say user1 abc@xyz .com resides inside the Org . User 1 can log in to App A with an email and a password (not the Azure AD password). Whereas user2 is an external user to the Org say def@qwerty .com and they have a password to log in to App A. We can add the external domain to our Azure AD tenant.
Even if we use
grant_type=passwordwhich means AD password here. How would we make sure to grant access based on password for User1 because User1 has separate passwords on Azure AD and on App A.For External User (user 2), is there a way we can sync their passwords from our AppA to Azure AD (App A uses SQL database to store encrypted password) ?
Apologies, if my further questions are not clear.
Sign in to comment