Base solution for your next web application
Open Closed

How does user sign-up\management work with Azure AD authentication? #7995


User avatar
0
dev1_premierpoint created

If we want our users to be able to sign-up with their Azure AD accounts (as opposed to standard ASP.Net Zero email accounts) how would we go about configuring that?

We want them to be able to sign-up with their Azure AD accounts and subsequently login with the same account.

Our ASP.NET Zero application will be multi-tenant, so a business customer of ours will be an ASP.NET Zero tenant and their Azure AD users will be users in that tenant in our application.

I've done some searching of your documentation and forum posts and haven't been able to find any discussions that really explain how this can be accomplished.

Thanks,

Jeff


6 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    AspNet Zero supports OpenId Connect, see https://docs.aspnetzero.com/en/aspnet-core-mvc/latest/Features-Mvc-Core-Social-Logins#openid-connect-login but this configuration must point to a single Azure AD account. So, multi tenant Azure AD Login is not supported by default.

    You can take a look at https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect sample and modify your app accordingly.

  • User Avatar
    0
    dev1_premierpoint created

    Ok, thanks for pointing me in the right direction.

  • User Avatar
    0
    dev1_premierpoint created

    I have been thinking about this topic and studying the sample you referred me to and have come to the conclusion that what I really want to do in my AspNetZero app is different than what I originally thought I wanted to do.

    I think that what I really need to do is use the Azure AD "Password SSO" integration pattern described here:

    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-password-single-sign-on-non-gallery-applications

    With this approach, I am thinking that my SaaS customers will set up my application as an "Enterprise Application" in Azure AD and configure it to do Password SSO with my AspNetZero app.

    It appears that this approach will allow Azure AD to store the user name and password from my AspNetZero app in order to facilitate SSO.

    The only requirement for the AspNetZero SaaS app is that it supports forms authentication - which it does.

    Using this approach, my thinking as far as "onboarding" of a new tenant and that tenant's users is currently something like this:

    1. We manually add the new tenant in AspNetZero (or provide a new tenant registration page\process for self-service)
    2. We manually add the initial Admin user for the tenant (or provide an Admin user self-service registration process)
    3. The new Tenant Admin user would need to be an Azure AD admin as well and would then configure our AspNetZero app in their Azure AD tenant as an "Enterprise Application" and configure it for Password SSO.
    4. Then, the AspNetZero Tenant Admin can manually create AspNetZero Tenant Users in our AspNetZero application and those Tenant User's user names and passwords will be synchronized back to Azure AD for purposes of SSO with our AspNetZero app.

    Do you think I am on the right track here? If so, it doesn't sound to me like there is any work for me to do in AspNetZero to make it ready for this approach to SSO. Correct?

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @dev1_premierpoint

    Sorry for my late reply. Probably you made some progress on this, I hope it is not too late.

    The 4 steps you have described already built in with AspNet Zero, so you don't have to develop anything related to that. But, I'm not sure about Azure AD "Password SSO" integration becasue I haven't tried it before.

    If you face any problems, we can try to help you.

  • User Avatar
    0
    dev1_premierpoint created

    Thanks.

    I don't think AspNetZero does #3 above as that would be a manual process that needs to be done in Azure AD by the customer. Otherwise, I agree with you that #1, #2, and #4 are things AspNetZero already does.

    Once, I test this out in our environment, I will post back here with the results. I am hoping it works without any code changes at all.

  • User Avatar
    0
    ismcagdas created
    Support Team

    @dev1_premierpoint, you are right about #3. I got it wrong at the first place sorry.