I'm really struggling with these Azure AD concepts.
Here is my situation. I have a webapp with users belonging to Companies. I have a requirement to be able to authenticate those users through their Companies' Azure AD. Eventually, we would want to offer this in the Azure app gallery.
I started registering the app through App Registration, which gives me the information to integrate using OIDC. We would like to support both OIDC and SAML protocols (I see that there are apps in the gallery offering both).
I tested OIDC out and it's working correctly, but when I want to develop the SAML integration, the documentation says that it has to be done using an enterprise application. I can't edit the SSO section of the enterprise app generated by my registration:
The single sign-on configuration is not available for this application in the Enterprise applications experience. MY APP was created using the App registrations experience.
So I tested creating a new enterprise app. Using this app I can do the whole SAML flow correctly.
My questions here are:
- Do I have to connect the registered app with the enterprise app? How do I do that?
- Why can't I edit the SSO info in the generated enterprise app?
- If it's done through the registered app, where do I set up the SAML endpoints, certificates, etc.?
By reading the docs, I understand that enterprise apps are like "an instance of a registered app". That leads me to think that I should configure everything in the registered app, but I can't see how to support SAML.
CodePudding user response:
As mentioned by @Srinath Menon in the other answer, if the application was registered using App registrations, then the single sign-on capability is configured to use OIDC/OAuth by default. In this case the single sign-on option won't show; for enterprise applications we have that option.
Either way the application gets registered in AAD, and two types of objects get created once the app registration is done.
The Application Object is what you see under App Registrations in AAD. The application object describes three aspects of an application: how the service can issue tokens to access the application, resources that the application might need to access, and the actions that the application can take. App Registrations are basically the apps local to the tenant/organization.
The Service Principal Object is what you see under the Enterprise applications blade in AAD. Every Application Object creates a corresponding Service Principal Object in the Enterprise applications blade of AAD. A service principal is created in each tenant where the application is used and references the globally unique app object. The Enterprise apps blade shows global apps (from other tenants) which can be configured and used within your tenant/organization.
Set up SAML-based single sign-on for an application
CodePudding user response:
No, there is no specific reason to connect the 2 apps.
The reason for this is that by default "App Registration" is wired for OIDC auth. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-saml-single-sign-on
This needs to be done from Enterprise apps for any SAML-related functionality.