Best practice: Multi-Tenant / Multi-IDP

Guido Walter 1 Reputation point
2020-05-20T08:34:13.717+00:00

Hi,

I just joined some sessions regarding Identity Platform and I have a few questions regarding the best practice use of AAD / B2C:

What I've learned is that we can integrate a multitenant AAD login besides all the social IDPs. In our case we would have some SAML customers as well. What we don't want to do is to expose all the SSO login possibilities for different companies, so that we don't end up with a login screen full of buttons where the user has to choose the right IDP.

So is there a way to build custom logic into that login flow? Also, I saw that we can claim the IDP provider for the logged-in user, but can we get (in the case of AAD) the tenant ID as well? This would be needed if we want to use the tenant ID for separating the tenants within our application.

Any help would be appreciated!

Thanks

Guido


3 answers

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-05-20T09:10:10.427+00:00

    @Guido Walter, Thank you for reaching out. Let me take you a few steps back and let's discuss what these multitenant apps are. When we say multitenant app, it means that some organization has developed an application and registered it in their own Azure tenant, making it Azure AD protected, and then it has offered that application to be used in your tenant. In the case of OAuth applications, when you try to sign in to that application offered by the other organization, you land on a URL that looks like:
    https://login.microosft.com/common

    /common is called the common endpoint, which can accept requests from any of the Azure AD tenants and then redirect them to the specific tenant for the user's authentication based on the user's input, i.e. his UPN.

    Similarly, in the case of SAML apps, you would be registering that SAML application in your AAD tenant. You can register that application either as a non-gallery application or, if the application is present in our Azure AD apps gallery, you can add it from the gallery as a gallery application. SAML apps usually support an SP-initiated sign-on process, where the user gets a login URL from the application's side and the user, once on that URL, would get a login form. Now it depends on the application how they have coded it, but ideally you should find an option like "login with SSO" or "login with AAD organizational account". After selecting that option, the user would be redirected to AAD for login.

    When the application redirects the user to log in to AAD, the application submits a SAML request (in the case of SAML apps) to AAD and, based on that SAML request, AAD prepares the SAML response after the user successfully authenticates himself/herself with AAD. This SAML response is sent by AAD to the application and the application consumes this SAML response.

    The next question is about the claims; these claims are something that AAD pushes into the SAML response token and sends to the application for consumption.

    Hope this helps. Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


  2. Guido Walter 1 Reputation point
    2020-05-20T10:11:24.607+00:00

    Hi,

    thank you very much for the quick answer. Understood what you said, much appreciated. But maybe I did not write my scenario to the full extent, sorry for that!

    Let's say I've built an application that runs on Azure. For this app I don't want to build my own identity management but make use of the Identity Platform (AAD / B2C).
    The users for my app come from all different places (like other Azure AD tenants, companies that use SAML) and I want to allow them to use SSO from their company or their favorite social provider. As my app also uses a tenant structure, I need to make sure that I know which tenant a specific user belongs to.

    • Using this with Azure AD /common is easy, as the system redirects this to the specific tenant regarding the UPN. I can have a button, as you said, "Login with M365 Work Account".
    • When users want to use a social IDP, I also want to assign these to a tenant of my app. This could be done, as I understood, by requesting custom attributes when users create a login. So I could ask them about some tenant identification in my app. These would then need to be approved by an admin of this tenant in my app. Is this correct?
    • To make things worse, some of the customers of my app have SAML endpoints for their SSO (and I can't convince them to migrate to M365 ;-)). As I don't want to have a login button for all my SAML SSO customers, I suppose I need to build something like the /common endpoint myself to figure out where I need to redirect the user to in order to let him log in. This is where I struggle to think of something that incorporates the AAD/B2C flows.

    Hope this helps to make it clearer what I'm on to :-)

    Thanks!


  3. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-05-20T12:18:19.77+00:00

    Hi @Guido Walter, As I understand from your question, you have 2 requirements:

    • Hide IDP buttons from the signup/signin page for users who are using a SAML IDP.
      You can redirect users directly to a specific IDP (without requiring them to click on an IDP button) by providing the domain_hint parameter. For example, you can use &domain_hint=facebook.com at the end of the login URL to redirect users directly to Facebook's authentication page.

    URL without the domain_hint parameter, which shows all IDP buttons:
    https://amsin.b2clogin.com/amsin.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_signup_signin&client_id=a7eb03a0-c31a-4e9c-b07c-345b94604b17&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms%2F&scope=openid&response_type=id_token&prompt=login

    URL with the domain_hint parameter, which takes the user directly to the Facebook IDP:
    https://amsin.b2clogin.com/amsin.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_signup_signin&client_id=a7eb03a0-c31a-4e9c-b07c-345b94604b17&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms%2F&scope=openid&response_type=id_token&prompt=login&domain_hint=facebook.com

    Make sure the value that you pass as domain_hint matches the domain name in the technical profile configured for that specific IDP.

    • Get the tenant ID of users who have signed up using federated AAD.

    For this purpose, you can run the PowerShell cmdlet below:

    Get-AzureADUser -objectID OBJECT_ID_OF_THE_USER | select -ExpandProperty extensionproperty | fl

    In the response, under the userIdentities key, you can find the source tenant ID in the Issuer value after http://login.microsoftonline.com/

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
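Added example (not code from the thread or from Microsoft): a small home-realm discovery helper that builds the B2C authorize URL from the answer above, adding domain_hint only when the user's email domain is mapped to a known technical profile, plus a parser that pulls the source tenant GUID out of a userIdentities Issuer value. The B2C tenant name, client id, policy name and the email-domain mapping table are hypothetical placeholders.

```python
import re
import uuid
from urllib.parse import urlencode

# Placeholder values (constructed for this example, not a real tenant).
B2C_TENANT = "contoso"
POLICY = "B2C_1A_signup_signin"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://jwt.ms/"

# Hypothetical home-realm discovery table: the user's email domain maps to the
# domain name configured in the matching B2C technical profile (the value that
# must be passed as domain_hint). Unknown domains get no hint and see all buttons.
DOMAIN_HINTS = {
    "fabrikam.com": "fabrikam-saml",   # a SAML customer with its own IDP
    "adatum.com": "commonaad",         # multi-tenant AAD technical profile
}


def authorize_url(email=None, nonce="defaultNonce"):
    """Build the B2C authorize URL; domain_hint is added only for a mapped domain."""
    params = {
        "p": POLICY, "client_id": CLIENT_ID, "nonce": nonce,
        "redirect_uri": REDIRECT_URI, "scope": "openid",
        "response_type": "id_token", "prompt": "login",
    }
    if email and "@" in email:
        hint = DOMAIN_HINTS.get(email.rsplit("@", 1)[1].lower())
        if hint:
            params["domain_hint"] = hint
    base = (f"https://{B2C_TENANT}.b2clogin.com/"
            f"{B2C_TENANT}.onmicrosoft.com/oauth2/v2.0/authorize")
    return f"{base}?{urlencode(params)}"


# Issuer values look like http://login.microsoftonline.com/<tenant-guid>/
ISSUER_RE = re.compile(r"^https?://login\.microsoftonline\.com/([0-9a-f-]{36})/?$", re.I)


def source_tenant_id(issuer):
    """Return the home tenant GUID from a userIdentities Issuer value, or None
    when the issuer is not an AAD issuer or the GUID part is malformed."""
    m = ISSUER_RE.match(issuer.strip())
    if not m:
        return None
    try:
        return str(uuid.UUID(m.group(1)))  # normalises to lowercase canonical form
    except ValueError:
        return None
```

Treat the returned tenant GUID as the key for separating tenants in your own application rather than any user-supplied attribute, since it comes from the token issuer rather than from the sign-up form.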