SAML SSO: Is AD Connect one-way connection enough?

Radiolontra 136 Reputation points
2021-03-02T16:35:21.057+00:00

Hi,
my local AD is connected to Azure directory using ADConnect, in a one-way connection.
Users are authenticating to 365 services using domain credentials.
No password writeback is available, and we're happy like this, at the moment.
From a networking point of view, everything is very simple, and I don't have any exposed services required for the connection.

Now, for a small subset of these users, I might want to buy Azure P1 licenses, and enable SAML authentication on a cloud service we use.

What I don't understand, from the Microsoft architecture documentation, is whether I can do it with my existing infrastructure or if I need to deploy more internet-facing servers in order to set up a full federation, with bi-directional sync.

Any advice will be appreciated!


Accepted answer
  1. amon 121 Reputation points Microsoft Employee
    2021-03-02T17:29:06.803+00:00

    Hi @Radiolontra

    I'll divide the answer into 3:

    1. Enabling SAML authentication for an app
    2. AD Federation
    3. Bi-directional sync

    1. SAML authentication using an identity in Azure Active Directory
       When using SAML, you delegate the authentication and authorization of your app to an external identity which you trust, in this case Azure AD.
       Since your users are synced to Azure using ADConnect, you can use your AD identity to authenticate.
       Note: this will not require any additional licensing and is available in the free Azure AD subscription.
       To authenticate an app, you need to create an application in your AD, enable SAML authentication and configure your app. It's actually pretty straightforward (unless you require special configuration) and here is a great explanation on how to set it up.
    2. Active Directory federation is an extension to your local environment, to enable federation for internet-facing applications. This document explains it better than I could. If you set up ADFS, you will be able to federate your applications' authentication (and authorization) to your local AD, but this will require you to set up ADFS and expose it to the internet.
    3. From how I read your question, bi-directional sync can mean either of two things:
       a. Password hash sync
       b. Seamless Single Sign-On

    Bottom line (if I understood your question correctly): you can set up SAML authentication for your app in your current configuration.

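Added example, not code from the thread: once the cloud service trusts Azure AD as its SAML identity provider (the setup the accepted answer describes), these are the checks the service provider must still make on every assertion it receives, written in Python with only the standard library. It assumes the enveloped XML signature has already been verified against the IdP certificate from Azure AD's federation metadata, and it uses a constructed assertion with a placeholder tenant id in the issuer URL and an example audience URL.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# What this service provider is configured to accept (constructed values; the
# tenant id inside the Azure AD issuer URL is a placeholder).
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
EXPECTED_AUDIENCE = "https://app.example.com/saml"

# Constructed sample assertion in the shape Azure AD issues; the <ds:Signature>
# element is omitted because signature verification is out of scope here.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_cafe1234" IssueInstant="2021-03-02T16:35:00Z" Version="2.0">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-03-02T16:30:00Z" NotOnOrAfter="2021-03-02T17:35:00Z">
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_utc(value):
    """Parse a SAML UTC timestamp such as 2021-03-02T16:35:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Return (True, name_id) or (False, reason). Assumes the enveloped XML
    signature was already verified against the IdP certificate from the
    Azure AD federation metadata; these checks still matter after that."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "root element is not a SAML 2.0 Assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        return False, "issuer is not the trusted Azure AD tenant"
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions or NotOnOrAfter"
    not_before = cond.get("NotBefore")
    if not_before and now < parse_utc(not_before):
        return False, "assertion not yet valid"
    if now >= parse_utc(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "assertion was issued for a different audience"
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing Subject/NameID"
    return True, name_id
```

The issuer check is what pins the trust to one tenant rather than any Azure AD tenant, so log the rejection reason when it fails.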

5 additional answers

  1. Radiolontra 136 Reputation points
    2021-03-03T14:09:32.533+00:00

    Thanks a lot, everything is clear now!
