Azure AD to authenticate to on-premises applications (token transformation service and similar)

Y B 1 Reputation point
2021-07-23T12:24:17+00:00

I am trying to get Azure AD to be the Identity Provider for corporate users to authenticate to AAD and access on-premises applications from home, from a corporate-owned virtual (and physical) desktop, preferably using SSO, with optional MFA. The on-premises applications require one or more of Kerberos, OIDC, and SAML tokens/tickets. Currently, Hybrid AD Connect is enabled. It is likely that a token transformation service would be required for at least some applications. Assume that the corporate devices will not necessarily be on the internal network all the time.

Looking for suggestions on standard solution patterns, including third party and open-source products.

Microsoft Entra ID

1 answer

Shashi Shailaj 7,611 Reputation points Microsoft Employee
2021-07-27T18:58:55.863+00:00

@Y B,

Apologies for the delay in providing input on this. From the information you have provided, it's a classic hybrid scenario where users can log on from a physical office location or from an external network (work-from-home scenarios). As you already have Azure AD Connect set up in hybrid mode, the users/devices are already synced. If your clients are Windows 10 v1803 and above, you should be able to implement many new features, such as Windows Hello for Business, which helps provide the user with a secure way to authenticate.

You have not mentioned whether you are using Office 365 and have O365/M365 licenses in your environment. As you have Azure AD Connect in hybrid mode, I am assuming that you already have an AD tenant and O365 licenses. If the goal is just to have basic SSO working, you can set up the easiest solution, which comes with Windows Server and is called ADFS. This is what you have referred to as a token transformation service. You can use Active Directory Federation Services (ADFS) in your on-prem environment. Enable it to be exposed over the internet, either via a firewall or a Web Application Proxy, so that it can receive authentication requests. You would need to buy a public certificate to use with ADFS for service communication, and a public domain to use with it. ADFS 2019 supports the OpenID, OAuth, SAML protocols, etc. Applications that use Kerberos in the on-prem environment will work normally. Anything that uses OAuth or OpenID can be integrated with ADFS and added to it as a relying party app. Since you already have apps using OAuth and OpenID, I think you already have a federation service in place. You would have to de-federate those applications from there and federate them with ADFS.

ADFS can be federated with Office 365/Azure AD. You can either use the Connect-MsolService module to set up federation on ADFS, or use Azure AD Connect to set up and manage federation.

Alternatively, you can use Okta, Ping Identity, Auth0, etc., depending on your budget. If you are looking for something open source, you can try setting up IdentityServer or ForgeRock OpenAM, but all of these have their own challenges. The capabilities of these might differ. I have not implemented them, hence I cannot comment in detail about their capabilities, so you may need to test them before implementing.

If the user can be external to the company network, then I would suggest using the Conditional Access capabilities that you get if you already have an Azure AD Premium license or EMS license, in order to secure access to your applications.

As for third-party additions to the solution, you could use any top firewall device vendor for setting up a perimeter network. Try to find one which supports Azure AD authentication. You may need to create a VPN connection, available to users outside the corporate network, in order to access internal applications which use Kerberos. There is another way to expose those (Kerberos) applications over the internet so that users can access them from outside the network securely: Azure AD Application Proxy.

Any app that uses modern authentication (OAuth, OpenID, SAML, etc.) can use ADFS, Okta, OpenAM, etc., as mentioned above, because those federation services always have an external, public-facing endpoint which any application that is accessible through the internet can reach, so remote users can work without needing to VPN into the corp network. However, if Azure AD Application Proxy is not needed in your case because you do not have any application published over the open internet, then you will have to use VPN.

I have included some links and would strongly suggest you check them. I hope this provides enough clarification for your query. It is hard to point to a specific solution, but mostly the details provided are the things which everyone keeps in mind while implementing SSO. If the information provided helped, do accept this as the answer for the benefit of the community, and in case we have misunderstood the scenario and you still have any further query, please let us know and we will be happy to help.

2 people found this answer helpful.
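The last two paragraphs of the answer describe publishing an on-premises Kerberos application through Azure AD Application Proxy so remote users reach it without a VPN: Azure AD pre-authenticates the user (which is where Conditional Access and MFA apply), and the connector then uses Kerberos constrained delegation (KCD) to obtain a ticket for that user from on-premises AD. The following PowerShell is an added example written for this page; it is not code from the answer or from Microsoft's documentation. The hostnames, URLs, SPN, connector name and display name are hypothetical; the cmdlets (AzureADPreview `*-AzureADApplicationProxy*`, RSAT `Set-ADComputer`, `Set-ADAccountControl`) are real, and the script assumes a domain-joined admin host with both modules installed and an App Proxy connector already registered on the host named below.

```powershell
# Added example (not from the original answer): publish an on-premises
# Kerberos/IWA web app through Azure AD Application Proxy with Azure AD
# pre-authentication and KCD single sign-on.
# All hostnames, URLs, SPNs and names below are hypothetical placeholders.
#
# Requires: AzureADPreview module (Connect-AzureAD, *-AzureADApplicationProxy*)
# and the ActiveDirectory RSAT module, run on a domain-joined admin host.

$internalUrl   = 'https://hrapp.corp.local/'               # hypothetical internal app URL
$externalUrl   = 'https://hrapp-contoso.msappproxy.net/'   # hypothetical App Proxy external URL
$kerberosSpn   = 'HTTP/hrapp.corp.local'                   # SPN registered to the app's service account
$connectorHost = 'APPPROXY01'                              # hypothetical domain-joined connector server

# --- 1. On-premises AD: let the connector host delegate to the app's SPN only ---
# KCD with protocol transition: the connector never sees the user's password;
# it requests a service ticket for the user after Azure AD has authenticated them.
Import-Module ActiveDirectory
$connector = Get-ADComputer -Identity $connectorHost
Set-ADComputer -Identity $connector -Add @{ 'msDS-AllowedToDelegateTo' = $kerberosSpn }
# TrustedToAuthForDelegation = "Use any authentication protocol" (protocol transition)
Set-ADAccountControl -Identity $connector -TrustedToAuthForDelegation $true

# Check: the delegation list should contain only the SPNs the connector really needs.
# Every extra SPN here is a target an attacker who compromises the connector can impersonate users to.
(Get-ADComputer -Identity $connectorHost -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo'

# --- 2. Azure AD: publish the app with Azure AD pre-authentication ---
Connect-AzureAD

$displayName = 'HR App (App Proxy)'
New-AzureADApplicationProxyApplication `
    -DisplayName $displayName `
    -ExternalUrl $externalUrl `
    -InternalUrl $internalUrl `
    -ExternalAuthenticationType AadPreAuthentication | Out-Null
# AadPreAuthentication (not Passthru) is what puts Conditional Access / MFA in front of the app.

# Look up the application object to get its ObjectId for the SSO settings.
$app = Get-AzureADApplication -Filter "displayName eq '$displayName'"

# --- 3. Configure KCD SSO: App Proxy mints a Kerberos ticket for the signed-in user ---
Set-AzureADApplicationProxyApplicationSingleSignOn `
    -ObjectId $app.ObjectId `
    -SingleSignOnType OnPremisesKerberos `
    -KerberosSPN $kerberosSpn `
    -KerberosDelegatedLoginIdentity UserPrincipalName   # the Azure AD attribute AD must map back to the user

# --- 4. Verify the published configuration ---
Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId |
    Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType, SingleSignOnSettings
```

Two points a practitioner should check after running something like this: the `msDS-AllowedToDelegateTo` list on the connector computer account is the blast radius if the connector host is compromised, so keep it to the exact SPNs that are published; and `ExternalAuthenticationType` must stay `AadPreAuthentication`, because with `Passthru` the Conditional Access and MFA policies the answer recommends are never evaluated for that app. The AzureAD PowerShell module these cmdlets come from is deprecated in favour of Microsoft Graph PowerShell, so treat the cmdlet names as the legacy interface.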
