PK007 asked Deva-MSFT edited

SSO using Azure OpenID

Hi, we have an Application A which requires login via email and password. Now there is a new feature: when a user clicks a button inside App A, it should SSO into an App B.

We have Azure AD at the organization level, where we have created a new OIDC app with which we can generate ID tokens etc. Now, how should we SSO into App B?

Should we use grant_type=password, as mentioned here in this Doc, to access the Graph APIs?

What options do we have for a seamless SSO?



Tags: azure-active-directory, azure-ad-msal, azure-ad-openid-connect, azure-ad-adal-deprecation


@PK007, Thanks for reaching out.

Could you please provide more information about your App A? Is it a web app or a native app? Are you using the MSAL/ADAL library for authentication with Azure AD?

Here is detailed guidance on SSO between MSAL apps and SSO between ADAL and MSAL apps. In addition to that, grant_type=password (known as the ROPC flow) is used in a non-interactive flow in which the user's credentials are stored in code and passed during authentication, and Microsoft recommends that you do not use the ROPC flow. Therefore, use more secure alternatives. You should only use the ROPC flow when other, more secure flows can't be used.

Hope this helps


PK007 (replying to sikumars-msft):
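To make the "more secure alternative" concrete, here is what an OIDC authorization-code flow with PKCE against the Microsoft identity platform v2.0 endpoints looks like on the wire, placed next to the grant_type=password (ROPC) request the reply advises against. This is an added example written for this thread; it is not Microsoft's code, not MSAL, and not the asker's App A. The tenant name, client id, redirect URI and the sample ID-token claims are placeholders constructed for the example, and nothing below contacts Azure AD, so it runs offline. MSAL does all of this for you; the point of spelling it out is to show which values bind the round trip (state, nonce, code_verifier) and which checks App B must make on the ID token before trusting it.

```python
"""Authorization code + PKCE against the Microsoft identity platform v2.0
endpoints, next to the ROPC request the thread warns against.

Added example for this Q&A thread; not code from Microsoft, MSAL or the
asker's App A. Standard library only; nothing here contacts Azure AD.
Tenant, client id, redirect URI and sample claims are placeholders.
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode

V2_BASE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def b64url(raw):
    """Base64url without '=' padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method.
    The verifier stays on the client; only its SHA-256 goes on the wire."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, nonce, code_challenge):
    """Step 1: App B sends the browser here. state binds the round trip to the
    user's session; nonce binds the resulting ID token to this request."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return V2_BASE.format(tenant=tenant) + "/authorize?" + urlencode(params)


def parse_redirect(query_string, expected_state):
    """Step 2: on the redirect back, accept the code only if state equals the
    value stored in the session (constant-time compare). None means reject."""
    qs = parse_qs(query_string)
    state = qs.get("state", [""])[0]
    if not secrets.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        return None
    return qs.get("code", [None])[0]


def build_token_request(tenant, client_id, redirect_uri, code, code_verifier, scopes):
    """Step 3: back-channel POST body that redeems the code. code_verifier
    proves the client finishing the flow is the one that started it."""
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": " ".join(scopes),
    }
    return V2_BASE.format(tenant=tenant) + "/token", body


def build_ropc_request(tenant, client_id, username, password, scopes):
    """For contrast: the grant_type=password body. The user's Azure AD
    password passes through the app, there is no state or nonce binding,
    and Azure AD rejects it for accounts that require MFA."""
    body = {
        "client_id": client_id,
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    }
    return V2_BASE.format(tenant=tenant) + "/token", body


def check_id_token_claims(claims, client_id, tenant_id, expected_nonce, now=None):
    """Step 4: claim checks App B makes on the decoded ID token *after* it has
    verified the signature against the tenant's published keys (the JWKS fetch
    is not done here). tenant_id is the tenant GUID (the tid claim), not the
    domain name used in the authority URL. Returns the names of failed checks."""
    now = time.time() if now is None else now
    checks = {
        "iss": claims.get("iss") == "https://login.microsoftonline.com/%s/v2.0" % tenant_id,
        "aud": claims.get("aud") == client_id,
        "tid": claims.get("tid") == tenant_id,
        "nonce": claims.get("nonce") == expected_nonce,
        "exp": claims.get("exp", 0) > now,
        "nbf": claims.get("nbf", 0) <= now,
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000001",
                              "https://appb.example/signin-oidc", ["openid", "profile"],
                              state, nonce, challenge))
```

In this flow App A never sees or forwards an Azure AD password: the user authenticates at login.microsoftonline.com and App B receives a short-lived code, so the separate App A password the asker describes does not have to match anything in Azure AD. The ID-token checks in `check_id_token_claims` are the minimum; if they pass and the signature verified, the `oid`/`sub` claims identify the user for App B's session.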

Thanks for responding. It is a Web App running on IIS. I think the ADAL library will be the one that we are going to use. The problem that we have is, say, user1 abc@xyz.com resides inside the Org. User 1 can log in to App A with an email and a password (not the Azure AD password), whereas user2 is an external user to the Org, say def@qwerty.com, and they have a password to log in to App A. We can add the external domain to our Azure AD tenant.

Even if we use grant_type=password, which means the AD password here, how would we make sure to grant access based on the password for User1, because User1 has separate passwords on Azure AD and on App A?

For the external user (user 2), is there a way we can sync their passwords from our App A to Azure AD (App A uses a SQL database to store encrypted passwords)?

Apologies if my further questions are not clear.

0 Answers