Reputation: 2313
I'm developing an application for my company's internal use. We wish the application to live on Azure and to utilize Windows accounts for authentication. We are working on enabling Active Directory Federation Services (ADFS) in order to synchronize our organizational AD to Azure AD. While that is being done, I am working on code responsible for determining who a user is. My main goal is to restrict the Admin controller to those users who belong to an Active Directory group. My impression is that ADFS should allow me to query this in Azure.
I have created a service that utilizes LDAP to determine whether or not the current user is in a particular group, and it works great locally. However, through some reading, I've determined that LDAP is not supported by Azure AD. Darn!
The preferred route to communicate with the Azure AD seems to be the Graph API. However, the Graph API does not seem to be supported by an enterprise/organizational AD.
My first thought to solve this is to utilize dependency injection to switch the service being used based on the environment, but I'm thinking there has to be a better way.
What technology should I be using to interact with both on-premise Active Directory, as well as Azure Active Directory?
Upvotes: 1
Views: 808
Reputation: 755
ADFS is a tool for identity federation and not directory sync. For directory sync you would use AADSync - http://www.microsoft.com/en-us/download/details.aspx?id=44225
The simplest way to achieve this is to use federation with ADFS and have ADFS populate the assertion with Role information. Set up a new relying party in ADFS and add a new Issuance Transform Rule:
Template: Send Group Membership as a claim
Name: Admin claim
Users Group: Choose your domain local group
Outgoing claim type: Role
Value: MyAdminRole
You can set up the federation very easily with Visual Studio 2012 or later or add an OWIN startup class such as the following:
using System.Security.Claims;
using System.Web.Helpers;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Session cookie issued once the WS-Federation sign-in has succeeded
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions()
        {
            // Signing certificates and endpoints are read from the ADFS metadata document
            MetadataAddress = "https://adfs.domain.com/federationmetadata/2007-06/federationmetadata.xml",
            // Must match the relying party identifier configured in ADFS
            Wtrealm = "urn:appid"
            // SignInAsAuthenticationType = // This is picked up automatically from the default set above
        });
        // Anti-forgery tokens need a stable per-user claim; NameIdentifier comes from the ADFS assertion
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
    }
}
Then all you need to do is add the Authorize attribute to your controllers:
[Authorize(Roles = "MyAdminRole")]
public class AdminController : Controller
{
...
}
For completeness, I will also add that once AADSync is configured and running, you can also use Graph API to obtain information about your users once it has been synced to Azure AD. User and Group updates can be delayed by up to 3 hours though.
HTH
Upvotes: 1
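The relying party trust and the "Send Group Membership as a Claim" rule that the answer above describes through the ADFS GUI can also be scripted. The following is an added example, not code from the answer or from any Microsoft sample: it uses the ADFS and ActiveDirectory PowerShell modules, and the application name, the reply URL, the group name MyAdminGroup and the extra name-identifier rule (which the OWIN anti-forgery setting in the answer relies on) are assumptions for illustration. The identifier urn:appid and the role value MyAdminRole are the ones the answer uses.

```powershell
# Added example: scripted equivalent of the ADFS relying party and claim rule
# described in the answer. Names, URLs and the group name are placeholders
# (assumptions), not values taken from the page.
Import-Module ADFS
Import-Module ActiveDirectory

$appIdentifier = 'urn:appid'                 # must equal Wtrealm in the OWIN options
$appSignInUrl  = 'https://app.domain.com/'   # WS-Federation reply endpoint of the app (assumed)
$adminGroup    = 'MyAdminGroup'              # domain local group holding the admins (assumed name)

# The GUI template matches on the group SID rather than the name, so resolve it first.
$adminGroupSid = (Get-ADGroup -Identity $adminGroup).SID.Value

# Issuance authorization: every authenticated domain user may reach the app.
# The Admin controller is protected by the Role claim, not by this rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rules:
#  1. map the Windows account name to a name identifier, which
#     AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier expects;
#  2. the "Send Group Membership as a Claim" rule: members of the admin group
#     get Role = MyAdminRole, which [Authorize(Roles = "MyAdminRole")] checks.
$transformRules = @"
@RuleTemplate = "MapClaims"
@RuleName = "Windows account name to name identifier"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Admin claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$adminGroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "MyAdminRole", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

Add-AdfsRelyingPartyTrust -Name 'Internal admin app' `
    -Identifier $appIdentifier `
    -WSFedEndpoint $appSignInUrl `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check: show the rules ADFS will actually apply for this relying party.
(Get-AdfsRelyingPartyTrust -Identifier $appIdentifier).IssuanceTransformRules
```

Matching on the group SID rather than the display name is what the GUI template does as well; it means renaming the group does not silently break the admin role, while deleting and recreating it does, so re-run the lookup if the group is ever recreated.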
Reputation: 12452
We faced this same issue in our Azure implementation and discussed it at length with Microsoft. Currently there is no common method for directory queries. I believe Microsoft's plan is to eventually add GraphAPI to AD DS.
Another option, if you're using a claims-based authentication protocol like OpenID Connect, is to have the Identity Provider issue claims with the values needed for your authorization logic.
Upvotes: 4