Active Directory Federation Services support in MSAL for Java
Active Directory Federation Services (AD FS) in Windows Server enables you to add OpenID Connect and OAuth 2.0-based authentication and authorization to your Microsoft Authentication Library for Java (MSAL for Java) app. Once integrated, your app can authenticate users whose accounts live in AD FS, federated through Azure AD. For more information about scenarios, see AD FS Scenarios for Developers.
An app that uses MSAL for Java will talk to Azure Active Directory (Azure AD), which then federates to AD FS.
MSAL for Java connects to Azure AD, which signs in users that are managed in Azure AD (managed users) or users managed by another identity provider such as AD FS (federated users). MSAL for Java doesn't know that a user is federated. It simply talks to Azure AD.
The authority you use in this case is the usual Azure AD authority: the authority host name followed by a tenant ID or domain, common, or organizations (for example, https://login.microsoftonline.com/organizations). You don't point MSAL for Java at the AD FS server; Azure AD decides, per user, whether to redirect to AD FS.
Acquire a token interactively for a federated user
When you call acquireToken with DeviceCodeFlowParameters, the user experience is typically:
- The user enters their account ID.
- Azure AD briefly displays "Taking you to your organization's page", and the user is redirected to the sign-in page of the identity provider. The sign-in page is usually customized with the logo of the organization.
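The following is an added example (not code from the original page or from MSAL for Java itself) of the device code flow described above, written against the msal4j public API. The client ID, authority and scope are assumed placeholder values; the user experience (account ID, redirect to AD FS) happens in the browser the user opens at the verification URL, so nothing in the app changes for a federated account.

```java
import com.microsoft.aad.msal4j.DeviceCode;
import com.microsoft.aad.msal4j.DeviceCodeFlowParameters;
import com.microsoft.aad.msal4j.IAccount;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.SilentParameters;

import java.net.MalformedURLException;
import java.util.Collections;
import java.util.Set;
import java.util.function.Consumer;

public class FederatedDeviceCodeSample {

    // Assumed values for this example: a public client app registration and a Microsoft Graph scope.
    private static final String CLIENT_ID = "00000000-0000-0000-0000-000000000000";
    // The usual Azure AD authority. "organizations" admits any work or school account,
    // including accounts that Azure AD will federate to AD FS.
    private static final String AUTHORITY = "https://login.microsoftonline.com/organizations/";
    private static final Set<String> SCOPES =
            Collections.singleton("https://graph.microsoft.com/User.Read");

    public static void main(String[] args) throws MalformedURLException {
        PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .build();

        // MSAL calls this with the verification URL and user code. The user opens the URL in a
        // browser, enters the code and then their account ID; Azure AD performs home realm
        // discovery and, for a federated account, redirects the browser to the AD FS sign-in page.
        Consumer<DeviceCode> showDeviceCode = deviceCode -> System.out.println(deviceCode.message());

        DeviceCodeFlowParameters deviceCodeParams =
                DeviceCodeFlowParameters.builder(SCOPES, showDeviceCode).build();

        // acquireToken polls Azure AD until the user finishes signing in (or the code expires).
        IAuthenticationResult result = pca.acquireToken(deviceCodeParams).join();
        IAccount account = result.account();
        System.out.println("Signed in: " + account.username());
        System.out.println("Token expires: " + result.expiresOnDate());
        // Do not log result.accessToken(); treat it as a credential.

        // Later calls should go through the cache first. MSAL refreshes silently when it can;
        // only the cached account matters here, not whether it was federated.
        IAuthenticationResult cached = pca.acquireTokenSilently(
                SilentParameters.builder(SCOPES, account).build()).join();
        System.out.println("Silent token for same account: "
                + cached.account().homeAccountId().equals(account.homeAccountId()));
    }
}
```

The silent call at the end is the part worth keeping in a real app: after the first device code sign-in, the federated user should not see AD FS again until the refresh token expires or is revoked.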
The supported AD FS versions in this federated scenario are:
- Active Directory Federation Services v2
- Active Directory Federation Services v3 (Windows Server 2012 R2)
- Active Directory Federation Services v4 (AD FS 2016)
Acquire a token via username and password
When you acquire a token using UserNamePasswordParameters, MSAL for Java first asks Azure AD which identity provider is responsible for the given username (home realm discovery). For a federated user, MSAL for Java then contacts that identity provider (AD FS) with the credentials, obtains a SAML 1.1 token from it, and presents that token to Azure AD, which returns the JSON Web Token (JWT).
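The following is an added example (not from the original page or from MSAL for Java itself) of the username/password flow for a federated user, with the error handling a practitioner usually wants around it. The client ID, authority, scope and the user name "user@contoso.com" are assumed placeholder values.

```java
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.MsalException;
import com.microsoft.aad.msal4j.MsalServiceException;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.UserNamePasswordParameters;

import java.net.MalformedURLException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.CompletionException;

public class FederatedUsernamePasswordSample {

    // Assumed values for this example.
    private static final String CLIENT_ID = "00000000-0000-0000-0000-000000000000";
    // Use a tenant ID/domain or "organizations": this flow is for work or school accounts only.
    private static final String AUTHORITY = "https://login.microsoftonline.com/organizations/";
    private static final Set<String> SCOPES =
            Collections.singleton("https://graph.microsoft.com/User.Read");

    public static IAuthenticationResult signIn(String username, char[] password)
            throws MalformedURLException {
        PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .build();

        UserNamePasswordParameters params =
                UserNamePasswordParameters.builder(SCOPES, username, password).build();
        try {
            // For a federated username MSAL looks up the user's realm in Azure AD, sends the
            // credentials to the AD FS WS-Trust username/password endpoint, receives a SAML 1.1
            // assertion and exchanges it at Azure AD for the JWT. The app sees only the result.
            return pca.acquireToken(params).join();
        } catch (CompletionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof MsalServiceException) {
                MsalServiceException se = (MsalServiceException) cause;
                // Typical in the federated case: the credentials were rejected by AD FS, or the
                // user is required to perform MFA, which a username/password exchange cannot satisfy.
                System.err.println("Azure AD/AD FS rejected the request: " + se.errorCode()
                        + " (correlation " + se.correlationId() + ")");
            } else if (cause instanceof MsalException) {
                // Client-side failure, e.g. realm discovery or the WS-Trust exchange did not complete.
                System.err.println("MSAL client error: " + ((MsalException) cause).errorCode());
            }
            throw e;
        } finally {
            // The app held the user's password; wipe it as soon as MSAL no longer needs it.
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws MalformedURLException {
        char[] password = System.console() != null
                ? System.console().readPassword("Password: ")
                : new char[0];
        IAuthenticationResult result = signIn("user@contoso.com", password);
        System.out.println("Signed in as " + result.account().username());
    }
}
```

Two caveats apply to this flow. The app handles the user's raw password, and the exchange cannot complete MFA or other interactive policy, so prefer the device code or interactive flows wherever the user can use a browser. In the federated case it also requires the AD FS WS-Trust username/password endpoint to be enabled and reachable from the client; if it is not, the call fails even though the same user can sign in interactively.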
For the federated case, see Configure Azure Active Directory sign-in behavior for an application by using a Home Realm Discovery policy.