Identity providers

APPLIES TO: SDK v4

An identity provider authenticates user or client identities and issues consumable security tokens. It provides user authentication as a service.

Client applications, such as web applications, delegate authentication to a trusted identity provider. Such client applications are said to be federated, that is, they use federated identity. For more information, see Federated Identity pattern.

Using a trusted identity provider:

  • Enables single sign-on (SSO) features, allowing an application to access multiple secured resources.
  • Facilitates connections between cloud computing resources and users, decreasing the need for users to re-authenticate.

Single sign-on

Single sign-on refers to an authentication process that lets a user log on to a system once with a single set of credentials to access multiple applications or services.

A user logs in with a single ID and password to gain access to any of several related software systems. For more information, see Single sign on.

Many identity providers support a sign-out operation that revokes the user token and terminates access to the associated applications and services.

Important

SSO enhances usability by reducing the number of times a user must enter credentials. It also provides better security by decreasing the potential attack surface.

Azure Active Directory identity provider

Azure Active Directory (AD) is the identity service in Microsoft Azure that provides identity management and access control capabilities. It allows you to securely sign in users using industry standard protocols like OAuth 2.0.

You can choose from two Azure AD identity provider implementations, which have different settings, as shown below.

Note

You use the settings described here when configuring the OAuth Connection Settings in the Azure bot registration application. For more information, see Add authentication to a bot.

Azure AD v1

You use the settings shown to configure the Azure AD developer platform (v1.0), also known as the Azure AD v1 endpoint. This allows you to build apps that securely sign in users with a Microsoft work or school account. For more information, see Azure Active Directory for developers (v1.0) overview.

Property | Description | Value
Name | The name of your connection | <Your name for the connection>
Service Provider | Azure AD identity provider | Azure Active Directory
Client ID | Azure AD identity provider app ID | <AAD provider app ID>
Client secret | Azure AD identity provider app secret | <AAD provider app secret>
Grant Type | | authorization_code
Login URL | | https://login.microsoftonline.com
Tenant ID | | <directory (tenant) ID> or common. See note.
Resource URL | | https://graph.microsoft.com/
Scopes | |
Token Exchange URL | | Used for SSO in Azure AD v2

Note

  • Enter the tenant ID you recorded for the AAD identity provider app, if you selected one of the following:
    • Accounts in this organizational directory only (Microsoft only - Single tenant)
    • Accounts in any organizational directory (Microsoft AAD directory - Multi tenant)
  • Enter common if you selected Accounts in any organizational directory (Any AAD directory - Multi tenant and personal Microsoft accounts e.g. Skype, Xbox, Outlook.com). Otherwise, the AAD identity provider app will verify through the tenant whose ID was selected and exclude personal MS accounts.

For more information, see:

Other identity providers

Azure supports several identity providers. You can get a complete list, along with the related details, by running the following Azure CLI command:

az bot authsetting list-providers

You can also see the list of these providers in the Azure portal when you define the OAuth connection settings for a bot registration app.

[Image: list of Azure identity providers shown in the Azure portal]

OAuth generic providers

Azure supports generic OAuth 2 providers, which allow you to use your own identity provider.

You can choose from two generic identity provider implementations, which have different settings, as shown below.

Note

You use the settings described here when configuring the OAuth Connection Settings in the Azure bot registration application.

Generic OAuth 2

Use this provider to configure any generic OAuth 2 identity provider whose expectations are similar to those of the Azure AD provider, particularly Azure AD v2. You have a limited number of properties because the query strings and request body payloads are fixed. In the values you enter, the parameters that are substituted into the various URLs, query strings, and bodies appear in curly braces {}.

Property | Description | Value
Name | The name of your connection | <Your name for the connection>
Service Provider | Identity provider | From the drop-down list, select Generic Oauth 2
Client ID | Identity provider app ID | <provider ID>
Client secret | Identity provider app secret | <provider secret>
Authorization URL | | https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Authorization URL Query String | | ?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}&scope={Scopes}&state={State}
Token URL | | https://login.microsoftonline.com/common/oauth2/v2.0/token
Token Body | Body to send for the token exchange | code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}&client_id={ClientId}&client_secret={ClientSecret}
Refresh URL | | https://login.microsoftonline.com/common/oauth2/v2.0/token
Refresh Body Template | Body to send with the token refresh | refresh_token={RefreshToken}&redirect_uri={RedirectUrl}&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}
Scopes | Comma separated list of the API permissions you granted earlier to the Azure AD authentication app | Values such as openid, profile, Mail.Read, Mail.Send, User.Read, and User.ReadBasic.All
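As an added example (not code from the Bot Service or from this page), the following Python expands the Authorization URL Query String and Token Body templates from the table above: it percent-encodes each substituted value, generates a random state for the authorize request, and refuses to build the token-exchange body unless the callback echoes that state back. The client ID, client secret, redirect URL and callback URL are constructed placeholders, and the code only expands the templates; it sends no HTTP requests.

```python
import secrets
from urllib.parse import parse_qs, quote, urlsplit

# Templates copied from the Generic OAuth 2 connection settings table.
AUTHORIZATION_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
AUTHORIZATION_QUERY = ("?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}"
                       "&scope={Scopes}&state={State}")
TOKEN_BODY = ("code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}"
              "&client_id={ClientId}&client_secret={ClientSecret}")


def render(template, values):
    """Substitute each {Placeholder} with its percent-encoded value, so characters
    such as '/', ':' or '&' in a redirect URL or scope list cannot break the
    query string or smuggle in extra parameters."""
    out = template
    for name, value in values.items():
        out = out.replace("{" + name + "}", quote(value, safe=""))
    return out


def build_authorization_request(client_id, redirect_url, scopes):
    """Return (url, state). The state is a fresh random value that the callback
    handler must see echoed back unchanged (CSRF protection for the login)."""
    state = secrets.token_urlsafe(24)
    query = render(AUTHORIZATION_QUERY, {
        "ClientId": client_id,
        "RedirectUrl": redirect_url,
        # The portal setting is comma separated; the OAuth 2 scope parameter
        # itself is space delimited (RFC 6749, section 3.3).
        "Scopes": " ".join(scopes),
        "State": state,
    })
    return AUTHORIZATION_URL + query, state


def handle_callback(callback_url, expected_state, client_id, client_secret, redirect_url):
    """Validate the provider's redirect back to {RedirectUrl} and build the token
    body. Raises ValueError rather than exchanging a code with a foreign state."""
    params = parse_qs(urlsplit(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this client")
    if "error" in params:
        raise ValueError("provider returned error: " + params["error"][0])
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return render(TOKEN_BODY, {
        "Code": code,
        "RedirectUrl": redirect_url,  # must equal the one sent in the authorize request
        "ClientId": client_id,
        "ClientSecret": client_secret,
    })
```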