
Setting up Single Sign-On (SSO) in Azure AD (VIDEO)

Published on Nov 2, 2018

Setting up SSO in Azure Active Directory

SSO in Azure Active Directory strikes a good balance between convenience and security. Enabling it shrinks the attack surface: employees no longer keep a separate password for each application (so there is less to phish, reuse or leak), while their daily routine is streamlined because they are signed into their applications seamlessly.

Why Use SSO?

  • Simplicity - A seamless experience for employees, faster access to their applications, and an end to password fatigue.
  • Security - No more weak or reused per-application passwords, a single point of control, and one identity per user. Because that single point now gates every application, protect it accordingly: enforce MFA and Conditional Access on the Azure AD sign-in itself.
  • Compliance - Gives admins tighter control over which data users can reach and helps with HIPAA, SOX and NIST requirements.

How Single Sign-On Works:

Rather than each application holding its own username / password for the user, SSO has the user authenticate once to a central, trusted identity provider (here Azure AD), which then issues signed tokens that the applications accept in place of a password.

  1. The user tries to open an application (the service provider) from their browser.
  2. The application generates a SAML authentication request (AuthnRequest) and redirects the user's browser with it.
  3. The browser delivers the request to the identity provider (Azure AD).
  4. The identity provider authenticates the user (applying MFA or Conditional Access policy if configured).
  5. The identity provider generates a SAML response containing a signed assertion (the token) and sends it back to the user's browser.
  6. The browser posts the response to the application's assertion consumer service (reply) URL.
  7. The application verifies the assertion's signature, issuer, audience and validity window, and grants access.
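As an added example (not code from the original post, and not Microsoft's or any vendor's implementation), here is the service-provider side of steps 2 and 7 in Python: the application mints an AuthnRequest, and then applies the checks it must still make on the Response after the assertion's XML signature has been verified against the IdP certificate from federation metadata (signature verification needs an XML-DSig library such as xmlsec and is deliberately not re-implemented here; without it none of the checks below mean anything). The entity IDs, URLs and tenant ID are placeholders, and the IdP responses are constructed fixtures covering the mistakes SAML relying parties commonly make: accepting a response to a request they never sent, an assertion issued for another application, an expired assertion, a replayed assertion, or one from the wrong issuer.

```python
"""Service-provider (SP) side of the SAML flow in steps 2 and 7 above.
Constructed example: entity IDs, URLs and the tenant ID are placeholders."""
import re
import secrets
import xml.etree.ElementTree as ET  # for XML from the network, prefer defusedxml.ElementTree
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"  # assumed SP entity ID (Identifier in Azure AD)
ACS_URL = "https://app.example.com/saml/acs"            # assumed Reply URL / AssertionConsumerService
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # Azure AD issuer form, placeholder tenant
CLOCK_SKEW = timedelta(seconds=60)

def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(s):
    # SAML timestamps are UTC 'Z'; Azure AD adds fractional seconds, dropped here.
    return datetime.strptime(re.sub(r"\.\d+Z$", "Z", s), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(now):
    """Step 2: the SP mints an AuthnRequest and must remember its ID for the InResponseTo check."""
    req_id = "_" + secrets.token_hex(16)  # xs:ID may not start with a digit
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{_ts(now)}" '
           f'AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml

def fake_idp_response(in_response_to, now, subject="alice@contoso.example", *, audience=SP_ENTITY_ID,
                      destination=ACS_URL, issuer=IDP_ENTITY_ID, not_on_or_after=None, assertion_id=None):
    """Step 5 stand-in used as a test fixture: the Response an IdP would send. A real IdP also
    signs the Assertion (XML-DSig); the signature is not modelled here."""
    not_on_or_after = not_on_or_after or now + timedelta(minutes=5)
    assertion_id = assertion_id or "_" + secrets.token_hex(16)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_ts(now)}" '
            f'Destination="{destination}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{_ts(now)}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{_ts(now - timedelta(minutes=1))}" NotOnOrAfter="{_ts(not_on_or_after)}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')

def validate_response(xml, pending_request_ids, seen_assertion_ids, now):
    """Step 7: the checks the SP must still make once the Assertion's XML signature has been
    verified against the IdP certificate from federation metadata (done by an XML-DSig
    library such as xmlsec, not here). Returns (True, NameID) or (False, reason)."""
    root = ET.fromstring(xml)
    if root.get("Destination") != ACS_URL:
        return False, "Destination is not our ACS URL"
    req_id = root.get("InResponseTo")
    if req_id not in pending_request_ids:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    pending_request_ids.discard(req_id)  # one Response per request
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP did not report Success"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # zero, several, or an EncryptedAssertion this SP cannot decrypt
        return False, "expected exactly one plaintext Assertion"
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "Assertion issuer is not our IdP"
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "Assertion has no Conditions"
    if now + CLOCK_SKEW < _parse_ts(cond.get("NotBefore")):
        return False, "Assertion not yet valid"
    if now - CLOCK_SKEW >= _parse_ts(cond.get("NotOnOrAfter")):
        return False, "Assertion expired"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "Assertion was issued for a different application"
    if a.get("ID") in seen_assertion_ids:  # keep seen IDs at least until their NotOnOrAfter
        return False, "Assertion replayed"
    seen_assertion_ids.add(a.get("ID"))
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def run_scenarios():
    """One good Response and the classic mistakes an SP must reject; returns {case: result}."""
    now = datetime(2018, 11, 2, 10, 0, tzinfo=timezone.utc)
    pending, seen = set(), set()
    def fresh():
        rid, _ = build_authn_request(now)
        pending.add(rid)
        return rid
    aid = "_" + secrets.token_hex(16)
    cases = {
        "good": fake_idp_response(fresh(), now, assertion_id=aid),
        "replay": fake_idp_response(fresh(), now, assertion_id=aid),  # same assertion, new request
        "wrong_audience": fake_idp_response(fresh(), now, audience="https://other-app.example.com/saml/metadata"),
        "expired": fake_idp_response(fresh(), now, not_on_or_after=now - timedelta(minutes=10)),
        "unsolicited": fake_idp_response("_never_issued_by_us", now),
        "wrong_destination": fake_idp_response(fresh(), now, destination="https://evil.example/acs"),
        "wrong_issuer": fake_idp_response(fresh(), now, issuer="https://sts.windows.net/11111111-1111-1111-1111-111111111111/"),
    }
    return {name: validate_response(xml, pending, seen, now) for name, xml in cases.items()}
```

`run_scenarios()` returns `(True, "alice@contoso.example")` for the good case and `(False, reason)` for every other one. The order of the checks matters in practice: the cheap structural checks (Destination, InResponseTo, Status) come first, and the replay cache is only written after everything else has passed, so a rejected response never poisons the cache. Note also that an Azure AD user who has been disabled simply never gets to step 5, which is the property called out under the authentication scenarios below.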


Authentication Scenarios of SSO Applications

  1. None
    • Essentially mandating the use of shared passwords on apps.
  2. Per User Password Extension/Add-on (LastPass, RoboForm, native browser)
    • Typical – the user keeps a mix of personal and work passwords in one vault.
  3. Enterprise Password Extension/Add-on (Centralized management)
    • Can assign credentials to users or groups
    • Allows a shared account credential to be changed rapidly
  4. SAML or Native Azure AD/Office 365 authentication
    • Note – the only option that stops sign-in to the app when the user is disabled in Azure AD. With password vaulting (options 2 and 3) a working credential still lives in the app; with federation the app trusts a token that Azure AD simply stops issuing.

Portal Scenarios

  1. None – Users get invites to apps in their email
  2. Intranet Webpage – Catalog of links on a single page, or broken down by department (if lucky).
  3. Enterprise Portal – Users see ONLY web apps that they have access to.
  4. Unified Portal – Users see web apps, intranet apps (proxied internally, authenticated first in cloud), and Remote Desktop apps on one unified portal.

Provisioning Scenarios of SSO

  1. Manually – Create the user in the app at onboarding. Delete the user at offboarding.
  2. SAML Add – Apps that provision on first logon (if the app supports it and is configured for it) take the attributes in the SAML assertion (first/last name, email) and use them to create a new account.
    1. Note 1 – Few app vendors support this, so it is not a typical scenario.
    2. Note 2 – A user disabled in Azure AD can no longer log on, but their account still exists in the app's own admin portal, and per-user fees are still charged.
  3. SCIM – Provisioning and de-provisioning (the account is disabled in the app when the user is disabled or soft-deleted in Azure AD, and deleted from the app once the Azure AD object is hard-deleted, which happens 30 days after a soft delete).
    1. Note – Only about 20 vendors supported it at the time of writing (Salesforce, G Suite, DocuSign, etc).
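To make the SCIM scenario concrete, here is the core of a SCIM 2.0 /Users endpoint as an added example (not code from the original post, and not Microsoft's provisioning service or any vendor's implementation): the three calls the Azure AD provisioning connector makes against an app (look up by userName, create, patch active=false, and finally delete) with the resource semantics from RFC 7643/7644. There is no HTTP layer or authentication; the user, object ID and schema-handling shortcuts (only `attr eq "value"` filters, only simple attribute paths) are assumptions made for the example.

```python
"""Core of a SCIM 2.0 /Users endpoint, the protocol Azure AD's provisioning service speaks to an
app. Constructed example: no HTTP layer, no auth, simple attribute paths only (RFC 7643/7644)."""
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimUsers:
    """In-memory user resources keyed by the SCIM 'id' the app assigns."""

    def __init__(self):
        self.users = {}

    def find(self, filter_expr):
        """GET /Users?filter=userName eq "x": the connector checks for an existing account before
        creating one. Only the 'attr eq "value"' form is parsed; anything else is a 400."""
        m = re.fullmatch(r'(userName|externalId) eq "([^"]+)"', filter_expr)
        if not m:
            raise ValueError("400 invalidFilter")
        attr, value = m.groups()
        return [u for u in self.users.values() if u.get(attr) == value]

    def create(self, body):
        """POST /Users. userName must be unique; SCIM answers 409 scimType=uniqueness otherwise."""
        if body.get("schemas") != [USER_SCHEMA]:
            raise ValueError("400 invalidValue: unsupported schema")
        if self.find(f'userName eq "{body["userName"]}"'):
            raise ValueError("409 uniqueness")
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()), "userName": body["userName"],
                "externalId": body.get("externalId"), "active": bool(body.get("active", True)),
                "name": dict(body.get("name", {}))}
        self.users[user["id"]] = user
        return user

    def patch(self, uid, body):
        """PATCH /Users/{id}. A disabled or soft-deleted Azure AD user arrives as Replace active=false;
        the account stays in the app (and on the invoice) but can no longer log on."""
        if body.get("schemas") != [PATCH_OP]:
            raise ValueError("400 invalidValue: not a PatchOp")
        user = self.users[uid]
        for op in body["Operations"]:
            kind = op["op"].lower()  # op casing varies between clients; compare case-insensitively
            if kind in ("replace", "add"):
                changes = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
                for path, value in changes.items():
                    if path == "active" and isinstance(value, str):  # tolerate "True"/"False" strings
                        value = value.lower() == "true"
                    user[path] = value
            elif kind == "remove":
                user.pop(op["path"], None)
            else:
                raise ValueError("400 invalidValue: unknown op")
        return user

    def delete(self, uid):
        """DELETE /Users/{id}: sent once the Azure AD object is hard-deleted (after the 30-day soft-delete window)."""
        del self.users[uid]

def provisioning_lifecycle():
    """Walks one account through the SCIM scenario above; returns [(stage, exists_in_app, active)]."""
    store, trail = ScimUsers(), []
    aad_user = {"userName": "alice@contoso.example", "externalId": "obj-1",  # constructed Azure AD user
                "name": {"givenName": "Alice", "familyName": "Liddell"}}
    existing = store.find(f'userName eq "{aad_user["userName"]}"')
    uid = existing[0]["id"] if existing else store.create({"schemas": [USER_SCHEMA], "active": True, **aad_user})["id"]

    def snapshot(stage):
        u = store.users.get(uid)
        trail.append((stage, u is not None, None if u is None else u["active"]))

    snapshot("created")                                # onboarding: looked up, then created
    store.patch(uid, {"schemas": [PATCH_OP], "Operations": [{"op": "Replace", "path": "active", "value": False}]})
    snapshot("disabled")                               # user blocked or soft-deleted in Azure AD
    store.delete(uid)                                  # 30 days later: Azure AD object purged
    snapshot("deleted")
    return trail
```

`provisioning_lifecycle()` returns `[("created", True, True), ("disabled", True, False), ("deleted", False, None)]`, which is the point of item 3 above: the middle state is where the account is unusable but still licensed, and only the final DELETE ends the per-user fee. A real endpoint adds bearer-token authentication on every call, a `meta` block and ETags on resources, and the `ListResponse` envelope on `find`.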

The Admin Experience

  • Fast to onboard and offboard users.
  • Time spent configuring SSO with vendors is recouped during day-to-day user administration.
  • Vastly improved security, compliance and monitoring. (see previous Tech Talks from Matt Soseman and Kevin Martins)
  • Auto provisioning with SCIM (System for Cross-domain Identity Management; the acronym originally stood for Simple Cloud Identity Management)

The SSO Demo


  1. Agile IT End User Experience
  2. MyApps Enterprise App portal settings in Azure
  3. Tour of App Examples in Azure:
    1. Individual Passwords End User Experience (Zapier)
    2. Shared Passwords distributed to group (No end user demo)
    3. SAML Logon (Bonusly)
    4. SAML Logon (Expensify) – Not all app vendors properly support SSO; it is more like 1.5 sign-ons than a single (1) sign-on.
    5. SAML + SCIM (Docusign)
    6. Internal Application Proxy (PRTG)

About Agile IT Tech Talks

Agile IT Tech Talks are weekly sessions where we bring in subject matter experts for short, highly focused educational segments, followed by up to an hour of open Q&A where Agile IT clients can discuss their own environments with our engineers and a group of peers. While we release the demos and sessions on our blog, the Q&A benefit is only available to Agile IT Managed Service and Cloud Service customers. Agile IT is a four-time cloud partner of the year and offers fully managed security as a service. To find out more, schedule a free call with a cloud service advisor.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.
