Reputation: 6253
I have been doing some tests with Azure Active Directory trial license in my data center. Our company has our own hosting services and physical hardware, and for now we would like to keep it that way (though we may investigate moving it all to cloud services in future).
For now, we are trying to provide a single sign-on option for our customers using Azure AD. We already support this with CAS, but some customers are already using Azure AD internally and want to use this as the integrated Windows Authentication method with IIS & ASP.NET.
How do I go about setting this up in a way that supports multiple tenants? I am having trouble figuring out how to do this at the IIS level, and am finding the literature a bit lacking with respect to a clear answer.
As best I can tell, I would have to create a VM (separate Windows Server instance) for each customer, that is configured to authenticate via Azure AD and passes the windows auth credentials to IIS. This is kind of annoying.
Is there a way that I can continue to run IIS and ASP.NET web apps on my own server, but use Azure AD for Windows Authentication with ASP.NET, where each IIS web app instance has its own separate Azure AD configuration?
Can I do this at the web app root folder level? (Perhaps by setting the authorization for that folder to grant permissions to users in that customer's Azure AD?)
My goal, for example, given this Windows Server configuration:
c:\apps\a, authorized users include AAD "A" users
c:\apps\b, authorized users include AAD "B" users
Users from customer A use this url: http://webhost/a
Users from customer B use this url: http://webhost/b
When user A browses to web app A, the integrated windows authentication should either challenge user for Azure AD "A" windows username & password, or, if already authenticated, show the user content from web app A.
When user B browses to web app B, the integrated windows authentication should either challenge user for Azure AD "B" windows username & password, or, if already authenticated, show the user content from web app B.
Thanks!
Upvotes: 3
Views: 7381
Reputation: 7394
You can most definitely leverage Azure AD on apps running on your own server. You should not need to apply settings at the IIS level. When you use Azure AD the windows integrated auth would take place between the client and Azure AD endpoints - that results in a token that is sent to the app on a channel that does not require windows integrated authentication. That's what allows your apps to be hosted anywhere, there is no infrastructural constraint on the app itself. Take a look at this sample for instructions on how to set up one app to trust an Azure AD tenant. You can apply the same process to all your apps, pointing them to different AAD tenants. Once you have done that: you can skip the interstitial auth page and get windows integrated auth by following the instructions here. I recommend you first get the sample to work, and only then focus on this last part. Tackling both things at once could be hard.
Upvotes: 2
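As an added illustration of the per-app setup the answer describes (example code written for this page, not the answer's linked sample or Microsoft's own code): an OWIN startup class for web app A that trusts customer A's Azure AD tenant through the OpenID Connect middleware, with no IIS-level authentication settings. App B is the same code deployed with its own Web.config values. The `ida:*` appSettings key names, the example tenant domain and the middleware version (Microsoft.Owin.Security.OpenIdConnect 4.x, which takes `TokenValidationParameters` from `Microsoft.IdentityModel.Tokens`) are assumptions.

```csharp
// Startup.Auth.cs for web app A (c:\apps\a). App B ships the same class with its own
// Web.config values, so each IIS application trusts a different Azure AD tenant.
using System.Configuration;
using System.Globalization;
using Microsoft.IdentityModel.Tokens;          // assumed: OWIN OIDC middleware 4.x
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Per-app values read from this app's own Web.config <appSettings>.
    // Key names are an assumption; the values below are illustrative:
    //   ida:ClientId               - app registration in customer A's tenant
    //   ida:AADInstance            - https://login.microsoftonline.com/
    //   ida:Tenant                 - customera.onmicrosoft.com (placeholder)
    //   ida:PostLogoutRedirectUri  - http://webhost/a/
    private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string AadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static readonly string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];
    private static readonly string PostLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

    public void ConfigureAuth(IAppBuilder app)
    {
        // Tenant-specific authority. Do NOT use the "common" endpoint here: with a
        // per-tenant authority the middleware reads that tenant's issuer from its
        // metadata document and rejects tokens minted by any other tenant, which is
        // exactly the isolation between customer A and customer B that is wanted.
        string authority = string.Format(CultureInfo.InvariantCulture, "{0}{1}", AadInstance, Tenant);

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = authority,
            PostLogoutRedirectUri = PostLogoutRedirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // Defaults shown explicitly: the token's issuer and audience are
                // checked against this tenant's metadata and this app's ClientId.
                ValidateIssuer = true,
                ValidateAudience = true
            }
        });
    }
}
```

The sign-in itself happens between the browser and Azure AD; the app only ever validates the resulting token over HTTPS, which is why it can run on your own IIS host with Anonymous authentication enabled for the application.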