Modernize Your PKI → Optimize Productivity → Reduce Risks    |Here’s how to replace Microsoft PKI with EJBCA

  • Home
  • Blog
  • Microsoft Windows Azure Active Directory

Microsoft Windows Azure Active Directory

Microsoft Windows Azure Active Directory opens opportunities for people and organizations to use applications anywhere based on cloud ubiquitous connectivity and open standard protocols such as OAuth, SAML-P, WS-Federation and REST API paradigm.

It is possible to realize the following use case scenario by combining Azure Active Directory (AAD) preview packages with those enabling technologies built-in.

Assume that the Identity Provider uses AAD as its identity Store with URL endpoints of Federation, Login, and OAuth.

1. The user from this Identity Provider attempts to access the Service Provider.

2. The Service Provider presents a Home Realm Discovery page for the user to select Home.

3. The user selects this Identity Provider and gets redirected to the Identity Provider with SAML-P flow.

4. The Identity Provider finds no session existed and delegates the authentication process to AAD login endpoint (With preview, you can leverage Office 365 login page).

5. AAD presents the login page for the user to provide the credentials and logs the user in.

6. AAD POST the WS-Federation security token to the Identity Provider which consumes the claims containing the authenticated user’s information.

7. The Identity Provider transforms the security token and POST it to the Service Provider.

8. Assuming the Service Provider is not able to map the authenticated to the identity account.

9. The Service Provider starts OAuth 2.0 JWT flow by talking to AAD to pull user data through directory Graph API.

10. Now the Service Provider provisions the account for the authenticated user.

 

Another possible use case scenario can be as follows:

1. The user from this Identity Provider attempts to access the Service Provider.

2. The Service Provider presents a Home Realm Discovery page for the user to select Home.

3. The user selects this Identity Provider and gets redirected to Identity Provider login process with standard OAuth 2.0 authorization code grant flow.

4. The Identity Provider finds no session existed and delegates the authentication process to AAD login endpoint.

5. AAD presents the login page for the user to provide the credentials and logs the user in.

6. AAD POST the WS-Federation security token to Identity Provider which consumes the claims containing the authenticated user’s information.

7. The Identity Provider requests OAuth access code on behalf of the authenticated user by delegating the OAuth authorization process to AAD OAuth endpoint.

8. Once the Identity Server gets access code and then redirects to the redirection URI passed by the Service Provider.

9. Now the Service Provider requests an access token from the Identity Provider using the authorization code.

10. The Identity Provider goes through the similar process by delegating OAuth process for requesting the access token.

11. Once the Identity Provider gets access token and then redirects to the redirection URI passed by the Service Provider.

12. The Service Provider uses access token talking back to resource server on the Identity Provider side for obtaining authenticated user information.