
My organization has its users in Active Directory, which is synced to an Azure Entra tenant (Tenant A). All of this is managed by another company. We have some web apps in a separate Azure Tenant (Tenant B) that we have full control over.

I'm a developer, and I have been tasked with setting up a seamless "Single Sign On" for the web apps in Tenant B, so that users authenticate with Tenant A, and retrieve different properties from Entra about the user (email, SAMAccountName, etc.). We can request changes to Tenant A, but we would like to keep this to a minimum, so we don't have to request changes every time we want to set up SSO for a new web app.

I know this is possible, because we have a business partner who has already had this set up. It required creating an "Enterprise Application" in Tenant A that pointed to a URL at "sso.businesspartner.com/myorganization". They can then send mails with a link that looks like "app.businesspartner.com/signin?org_code=myorganization", and when our users click it, they are already authenticated. We tried reaching out to this business partner to find out how they set this up, but other than providing the SAML Metadata document used to create the Enterprise Application in Tenant A, they can't inform us.

In this setup, what would I need to set up in Tenant A and Tenant B to create a "sso.myorganization.com" web app that can be used to authenticate when users access "app1.myorganization.com", "app2.myorganization.com", etc.?

    I've not done this through Entra, but it seems like you've already found the answer – the app works as a SAML2 consumer (SP) and it's configured to use Tenant A as a SAML identity provider? (Maybe with some Azure-specific extensions). I've seen it done in other platforms, with the 'sso.xxx.com' app being a SAML2 proxy (acting as IdP for local apps but relaying the auth requests to the real partner IdPs). Again, no idea if there's anything different in Azure/Entra.
    – grawity
    Commented Apr 22 at 13:29

1 Answer


All the apps that need this SSO functionality are internal web apps that are on the same subdomain, e.g. some-app.internal.myorganization.com, a-different-app.internal.myorganization.com, etc.

This means that we can request to create an App Registration in Tenant A, with a Redirect URI that points to https://*.internal.myorganization.com/signin-oidc

This is not possible to do through the UI in the Azure portal, but can be obtained by editing the Manifest file for the App Registration. Also note that there is a constraint that wildcard URIs can only be used in App Registrations used to sign in accounts from work or school accounts.

In the manifest file, we also set "groupMembershipClaims": "All". This enables us to obtain Group IDs of all the Groups that the account is a member of.

This setup is not ideal, as we have to keep a copy of our Users and AD Groups in a database and match this with the logged-in user - but in this setup with our users in one tenant and web apps in another, it is the best we can do.
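The matching step the answer describes (token from Tenant A, group ids looked up in the Tenant B app's own database) is the part that decides authorization, so it is worth seeing in code. The following is an added example, not code from the question or the answer. It assumes the OIDC middleware behind the `/signin-oidc` redirect has already verified the ID token's signature and expiry, and it only inspects the decoded payload. The tenant id, client id, group ids and user ids are constructed placeholders, and `GROUP_ROLE_MAP` stands in for the database copy of AD groups. It also covers one edge case the answer does not mention: when a user belongs to more groups than fit in the token, Entra omits `groups` and emits `_claim_names`/`_claim_sources` (or `hasgroups: true`) instead, which must be treated as "unknown", not as "no groups".

```python
"""Map the Entra ID `groups` claim of a validated ID token from Tenant A to
application roles stored by the Tenant B app (added example, not the post's code)."""
from dataclasses import dataclass, field

# Placeholders, not real identifiers: Tenant A's tenant id and the App Registration's client id.
TENANT_A_ID = "00000000-0000-0000-0000-00000000000a"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_A_ID}/v2.0"

# Constructed local copy of AD group object ids -> application roles.
# This stands in for the "copy of our AD Groups in a database" from the answer.
GROUP_ROLE_MAP = {
    "aaaaaaaa-0000-0000-0000-000000000001": "app1-admin",
    "aaaaaaaa-0000-0000-0000-000000000002": "app1-user",
    "aaaaaaaa-0000-0000-0000-000000000003": "app2-user",
}


@dataclass
class AuthzResult:
    oid: str                          # stable object id of the user in Tenant A
    roles: set = field(default_factory=set)
    needs_graph_lookup: bool = False  # True when the token hit the groups overage limit


def validate_basic_claims(payload: dict) -> None:
    """Reject tokens that were not issued by Tenant A for this app registration."""
    if payload.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if payload.get("aud") != CLIENT_ID:
        raise ValueError("token not intended for this app")
    if payload.get("tid") != TENANT_A_ID:
        raise ValueError("token from a foreign tenant")


def resolve_roles(payload: dict) -> AuthzResult:
    """Return the application roles granted by the token's group memberships."""
    validate_basic_claims(payload)
    # Key the database on `oid` (object id): `sub` is pairwise per app, so it
    # cannot be used to match the same user across app1, app2, ...
    result = AuthzResult(oid=payload["oid"])

    groups = payload.get("groups")
    if groups is None:
        # Groups overage: Entra drops `groups` and points to Microsoft Graph instead.
        # Treat this as "memberships unknown", never as "member of nothing".
        if "_claim_names" in payload or payload.get("hasgroups"):
            result.needs_graph_lookup = True
        return result

    # Group ids that are not in our database grant nothing; only mapped groups count.
    result.roles = {GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP}
    return result


# Constructed sample payloads, as they would look after JWT signature validation.
SAMPLE_NORMAL = {
    "iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "tid": TENANT_A_ID,
    "oid": "bbbbbbbb-0000-0000-0000-000000000042",
    "groups": [
        "aaaaaaaa-0000-0000-0000-000000000002",
        "aaaaaaaa-0000-0000-0000-000000000003",
        "cccccccc-0000-0000-0000-000000000099",  # a group not in our database
    ],
}
SAMPLE_OVERAGE = {
    "iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "tid": TENANT_A_ID,
    "oid": "bbbbbbbb-0000-0000-0000-000000000043",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/"
                                             "bbbbbbbb-0000-0000-0000-000000000043/getMemberObjects"}},
}

if __name__ == "__main__":
    print(resolve_roles(SAMPLE_NORMAL))
    print(resolve_roles(SAMPLE_OVERAGE))
```

Checking `tid` in addition to `iss` matters here because the wildcard redirect URI constraint means the App Registration signs in work or school accounts from any tenant; without the tenant check, a token for the same client id minted by a different tenant would pass the issuer pattern only if the middleware was configured with a single-tenant authority, which is exactly the setting worth confirming in Tenant B's app configuration.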

