I am working on an ASP.NET core application for our hosted customers and need some information on authentication using Active Directory.
A bit of background on our setup:
- We have a single Azure tenant that has multiple subscriptions within it. Each hosted client has two subscriptions within the tenant – one for Production and one for non-Production.
- Currently the application is deployed to a Windows Server VM in the same virtual network (vnet) and joined to the same Windows AD domain as the other virtual machines.
- There are, at a minimum, three Windows AD domains involved:
  - The hosted (IaaS) domain
  - The management domain, which provides access to our staff across multiple clients/subscriptions
  - The client on-premises domain, which provides access to client staff
- The hosted domain has trusts established with both the management and client domains.
- There are no user accounts on the hosted domain; all users are in the management or client domains.
- Access to the application is granted through a group on the hosted domain, which has one or more client-domain groups nested within it. This allows the client to manage access on their own without needing to contact us directly.
- The application needs to remotely access other VMs in the subscription (which requires it to be in the same vnet), as well as using managed identity to access Azure resources.
- We want to containerize the application to make deployments simpler across all client subscriptions, which requires a Linux container as Managed Identity does not work on Windows containers that are within a vnet.
- Login is currently handled with the System.DirectoryServices and System.DirectoryServices.ActiveDirectory libraries, but as we have a need to reduce Windows-specific dependencies we are working to transition away from this.
The current logon flow is:
- Submit credentials
- Determine the appropriate domain (client or management domain)
- Authenticate credentials on that domain
- Retrieve group memberships for a user
- Retrieve roles for user
- Check if they are in the nested group using the "memberOf" LDAP attribute
- If not, check their group memberships:
  1. First using UserPrincipal.GetAuthorizationGroups() – this sometimes fails, as the trust relationship may or may not allow the application to retrieve this information.
  2. If that fails, fall back to manually traversing each nested group recursively until the user is found or all branches have been ruled out.
- If authorized, proceed to the application
Now (finally) to the actual issue:
We want to implement an SSO framework to simplify the login process. I have been trying to figure out how to configure Windows Active Directory as an identity provider (IdP) – most of what I'm seeing is pointing towards setting up Entra Cloud Sync. But that leaves me with a couple of questions:
- If we set up CloudSync to the hosted domain, will it be able to retrieve users on the management and client domains? Or will we need to add CloudSync to each domain?
- From what I can tell, CloudSync is per-tenant – so if we use that, would Client A potentially be able to sign on to a system at Client B? Or can we separate the clients so they only have access to their subscription(s)?
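The logon flow described in the question, written as an added example that is not code from the original post or from the poster's application. It keeps the three stages the question lists (pick the domain from the UPN suffix and authenticate there, check the user's memberOf for the hosted group, then fall back to expanding the hosted group's nested members) behind a small IDirectory interface, so nothing depends on System.DirectoryServices and it compiles on Linux. The domain names, DNs, accounts and the in-memory FakeDirectory are constructed for the example; a production IDirectory would do an LDAP simple bind as the user and search for the memberOf and member attributes with a cross-platform LDAP client. The fake reproduces the behaviour that makes the fast path unreliable across trusts: AD maintains the memberOf back-link only for members in the same forest, so a client-domain group nested into the hosted group gets no back-link and the user must be found by walking downward from the hosted group. The walk keeps a visited set so a nesting cycle cannot hang the logon, and a group that cannot be read over the trust is skipped rather than turned into a login failure.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// What the logon flow needs from a directory; a real implementation binds and searches over LDAP.
public interface IDirectory
{
    string DnsName { get; }   // UPN suffix this directory answers for
    string BaseDn { get; }    // DN suffix of every object it holds
    string? Authenticate(string samAccountName, string password); // user DN, or null when the bind fails
    IReadOnlyList<string>? MemberOf(string dn);  // null when the object cannot be read over the trust
    IReadOnlyList<string>? Members(string dn);   // null when the object cannot be read over the trust
}

public sealed class AuthorizationChecker
{
    static readonly StringComparer Cmp = StringComparer.OrdinalIgnoreCase;
    readonly string _appGroupDn;
    readonly IDirectory[] _dirs;
    public AuthorizationChecker(string appGroupDn, params IDirectory[] dirs) { _appGroupDn = appGroupDn; _dirs = dirs; }

    public bool Login(string upn, string password)
    {
        int at = upn.LastIndexOf('@');
        var domain = at < 0 ? null : _dirs.FirstOrDefault(d => Cmp.Equals(d.DnsName, upn[(at + 1)..]));
        if (domain is null) return false;            // unknown realm: same answer as bad credentials
        var userDn = domain.Authenticate(upn[..at], password);
        return userDn is not null && IsAuthorized(domain, userDn);
    }

    bool IsAuthorized(IDirectory domain, string userDn)
    {
        // Fast path: memberOf back-links exist only within a forest, so trust-nested access is missed here.
        var direct = domain.MemberOf(userDn);
        if (direct is not null && direct.Contains(_appGroupDn, Cmp)) return true;

        // Fallback: depth-first expansion of the hosted group's members. The visited set makes
        // nesting cycles safe; a group that cannot be read is skipped instead of failing the logon.
        var visited = new HashSet<string>(Cmp);
        var pending = new Stack<string>(new[] { _appGroupDn });
        while (pending.Count > 0)
        {
            string dn = pending.Pop();
            if (!visited.Add(dn)) continue;
            var owner = _dirs.FirstOrDefault(d => dn.EndsWith(d.BaseDn, StringComparison.OrdinalIgnoreCase));
            var members = owner?.Members(dn);
            if (members is null) continue;           // unreadable over the trust: log this in production
            foreach (string m in members)
            {
                if (Cmp.Equals(m, userDn)) return true;
                pending.Push(m);                     // a user expands to nothing, a group keeps the walk going
            }
        }
        return false;
    }
}

// Constructed in-memory stand-in for one AD domain (no network, no System.DirectoryServices).
public sealed class FakeDirectory : IDirectory
{
    readonly Dictionary<string, string> _passwords = new(StringComparer.OrdinalIgnoreCase);
    readonly Dictionary<string, List<string>> _member = new(StringComparer.OrdinalIgnoreCase);
    readonly Dictionary<string, List<string>> _memberOf = new(StringComparer.OrdinalIgnoreCase);
    public string DnsName { get; }
    public string BaseDn { get; }
    public FakeDirectory(string dnsName, string baseDn) { DnsName = dnsName; BaseDn = baseDn; }
    public string UserDn(string sam) => $"CN={sam},CN=Users,{BaseDn}";
    public void AddUser(string sam, string password) => _passwords[sam] = password;
    bool Owns(string dn) => dn.EndsWith(BaseDn, StringComparison.OrdinalIgnoreCase);
    static void Add(Dictionary<string, List<string>> map, string key, string value) =>
        (map.TryGetValue(key, out var list) ? list : (map[key] = new List<string>())).Add(value);
    public void Nest(string groupDn, string memberDn)
    {
        Add(_member, groupDn, memberDn);
        if (Owns(memberDn)) Add(_memberOf, memberDn, groupDn); // as in AD: no back-link for a foreign member
    }
    public string? Authenticate(string sam, string password) =>
        _passwords.TryGetValue(sam, out var expected) && expected == password ? UserDn(sam) : null;
    public IReadOnlyList<string>? MemberOf(string dn) => Lookup(_memberOf, dn);
    public IReadOnlyList<string>? Members(string dn) => Lookup(_member, dn);
    IReadOnlyList<string>? Lookup(Dictionary<string, List<string>> map, string dn) =>
        !Owns(dn) ? null : map.TryGetValue(dn, out var list) ? list : new List<string>();
}

public static class Demo
{
    public static void Main()
    {
        var hosted = new FakeDirectory("hosted.example.com", "DC=hosted,DC=example,DC=com");
        var client = new FakeDirectory("clienta.example.com", "DC=clienta,DC=example,DC=com");
        const string appGroup = "CN=App-Users,OU=Groups,DC=hosted,DC=example,DC=com";
        const string clientGroup = "CN=App-Access,OU=Groups,DC=clienta,DC=example,DC=com";
        const string team = "CN=Finance,OU=Groups,DC=clienta,DC=example,DC=com";
        client.AddUser("alice", "correct horse"); client.AddUser("bob", "battery staple");
        hosted.Nest(appGroup, clientGroup);          // client-managed group nested in the hosted access group
        client.Nest(clientGroup, team);              // second level of nesting on the client side
        client.Nest(team, client.UserDn("alice"));
        client.Nest(team, clientGroup);              // nesting cycle: the walk must still terminate
        var checker = new AuthorizationChecker(appGroup, hosted, client);
        foreach (var (upn, pw) in new[] { ("alice@clienta.example.com", "correct horse"), ("bob@clienta.example.com", "battery staple"),
                                          ("alice@clienta.example.com", "wrong"), ("alice@nowhere.example.com", "correct horse") })
            Console.WriteLine($"{upn}: {(checker.Login(upn, pw) ? "authorized" : "denied")}");
    }
}
```

Running the demo authorizes alice (reached only through the downward walk, since her memberOf never lists the hosted group), denies bob (authenticated but not nested under the hosted group), and denies the wrong-password and unknown-realm attempts without distinguishing them from each other. When the user and the group live in the same forest, the walk can be pushed to the domain controller with the LDAP_MATCHING_RULE_IN_CHAIN filter, `(memberOf:1.2.840.113556.1.4.1941:=<hosted group DN>)` against the user, but that rule does not cross a forest trust either, which is why the client-side expansion remains the fallback.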