question

ElliotStansfield-5757 avatar image
0 Votes"
ElliotStansfield-5757 asked bharathn-msft edited

Federated Azure AD - Student Authentication Query

I am contacting on behalf of a Multi-Academy trust who are wishing to setup their federated Azure AD to allow sign in to their Capita Reading Cloud library systems using O365 credentials. This MAT contains several schools all with their own separate RC website.

Their concern is that the student matching may inadvertently match against a student in another school when signing into Reading Cloud via SSO, is there a way to restrict this matching so that it only looks for students within their school?

azure-ad-connectadfsazure-ad-single-sign-onazure-ad-authentication-protocols
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Reason that could have reduce the potential of answers... I didn't understand. Maybe a schema or something could help.

0 Votes 0 ·

@ElliotStansfield-5757 , Could you please confirm if the provided answer helped you out with your query ?

Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics.

0 Votes 0 ·

1 Answer

shashishailaj avatar image
1 Vote"
shashishailaj answered

Hello @ElliotStansfield-5757 ,

If I understand correctly, you have a structure where you own a Multi-academy trust which has many schools as members. every school has Office 365 subscription which means all of them have a n azure AD/Office 365 tenant directory for their schools. Every school having their own website is fine but would not be related to this query. you are trying to setup Capita Reading cloud library system with the MA trust so that it can be accessed by any students office 365 credential.

You can certainly setup the same without an issue of two students with same name matching and creating conflict in the identity system. the students will use their office365 Id (like user@school21.com) and it will authenticate them within their office365 tenant . So if a user john@school21.com logs on , the user will be searched in directory of school21.com and will be considered different from john@school22.com .

Now coming back to the solution on how to achieve this. I am assuming that you have a separate Office365 subscription for Multi academy trust as well where you would setup Capta Reading Cloud library system application. I checked the existing Azure AD gallery and this is not available as a gallery application. Hence in this case you would need to add this to your MA trust's azure AD tenant as a multi tenant application. You can use azure AD app registration section in order to do that .

25051-image.png

Now you can add the Capita Library application details. If Capita library system can be used with Office 365 they would have a endpoint which will consume the token provided by Office 365 and that will be the redirect URI value which you need to add in the screen below. you also need to select the option Accounts in any organisational directory (any Azure AD directory - multitenant )

25061-image.png

24993-image.png

Now once the application is registered you will require to setup the authentication options. Here you will need help from the Capita application support team who can tell you how their application is designed and what options you need to select here as this depends on the application. Also they may need to change some option within their application to send the authentication request to login.microsoftonline.com/common endpoint .

24982-image.png

If they are selling their application to office 365 customers they would surely have this option for their customers. You would then need to setup homepage of the application on the branding section of the application you registered as shown below.

25072-image.png


In order for your users to know that they are accessing a trusted application , you need to update the publisher domain as a verified domain within your tenant else the user would get a consent screen which will show as publisher unverified creating confusion for your users. After this you would need to setup API permissions as per the requirement of the app . Generally an application needs the following permissions as shown in the pic below on Microsoft Graph API which is used to call Azure AD tenants in the backend by the application to access user data for the user logging in to the application. You also need to provide consent for users within your tenant for this application so that every user can sign in and is not prompted for providing consent every time they try to logon. You require to be logged in as a global administrator in order to consent for any permission tenant-wide. you should check this with the Capita support team on what details to add here.

25053-image.png

Once this all is done , you can access this app using the following url .

http://login.microsoftonline.com/common/oauth2/authorize?response_type=code&prompt=admin_consent&client_id=[client ID of the application you registered from azure portal]&state=12345&redirect_uri=[redirect URI set for Capita in the directory]

You can use this URL and share it with each of the Office365 global administrators of the schools and they can add this as a link on their website and grant admin consent for their respective schools. The first time the global admin tries to provide the admin consent for the application , a service principal for this application will be created in each of their Office 365 tenant which can be seen in the enterprise applications section of the tenant . Once admin has consented, they can decide whether they would like to restrict user assignment and user visibility for their app in https://myapps.microsoft.com portal or not .

25092-image.png

After that any first time login from any user will see a consent screen which will not be seen once the user consent and starts using the application.

consent_prompt_1b.png


The URLs would differ depending upon the consent and Capita support would know the details about this as they are ones who will have to tell whether the Office365 application will work this way or not . This would work unless Capita imposes any custom restrictions for multi-tenant access. Hope this helps you with the desired solution you seek. Hope the answer helps. If the information in this post helps you please do accept this as answer so that it helps other members of the community with this. In case you have any further queries or I have misunderstood your requirement, do let us know and we will continue to help you further on this.

Thank you.




image.png (34.1 KiB)
image.png (37.1 KiB)
image.png (9.1 KiB)
image.png (54.5 KiB)
image.png (52.3 KiB)
image.png (55.6 KiB)
image.png (60.5 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.