Moving from ADFS > ADFS to AzureAD > AzureAD for claim provider trust

Turpin, James 21 Reputation points
2021-02-17T10:42:29.313+00:00

We have ADFS on-prem with a relying party trust to our on-prem web app (in our company A).
We grant access to the on-prem app to company B, by adding a claims provider trust to company B (they use ADFS) and passing / transforming claims into the RP - works great.

We wish to use our AzureAD now to do this (company A) and Company B also have Azure AD they wish to use.

My question is, how do we create a claims provider trust in Company A AAD to Company B AAD to achieve the same / test this out?

We tried to add company B's AAD SAML info using external identity providers > new SAML IDP but it errorr'd saying company B is running AAD....
Is there another way we need to do the claim provider trust we are missing?

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,215 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,186 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Siva-kumar-selvaraj 15,591 Reputation points
    2021-02-20T12:06:13.863+00:00

    Hello @Turpin, James ,

    Thanks for reaching out and sorry for delayed response.

    You don't have to create claims provider trust, because when your partner organization own an Azure Active Directory account or a Microsoft Account then you could leverage either of way to achieve your scenario.

    In order to allow user from Tenant-B to access Tenant-A's application both methods can be used.

    Business-to-business (B2B) collaboration:

    Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications

    Example: If you create a single tenant app, you need to invite users of Company-B to Tenant-A. In this case, Administrator of Tenant-A can take the authorization decisions by selecting which users should and shouldn't be assigned to the application.

    To learn more about B2B collaboration: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

    Multi-Tenant App concept:

    If you're providing an app as a service and you don't want to manage your customers' user accounts, a multitenant app is likely the right choice for you. When you develop applications intended for other Azure AD tenants, you can target users from a single organization (single tenant), or users from any organization that already has an Azure AD tenant (multitenant applications).

    Example: If you create a Multi-Tenant App in Company-A and any user from Company-B tries to access that application, user will be prompted with a consent prompt. Once the consent is provided, a service principal corresponding to the app in Tenant-A will be created in Tenant-B. User of Tenant-B will be able to access the application. You can search the service principal under Tenant-B's enterprise applications blade by using the App ID. In this case, Administrator of Tenant-B needs to take authorization decisions by going to the properties of the service principal and set User assignment required to Yes and then assigned required set of users.

    To learn more about Multi-Tenant App: https://learn.microsoft.com/en-us/azure/architecture/multitenant-identity/

    You can decide based on what fits the best in your scenario. Hope I have covered all the aspects of your question.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments