Back

Setting up Single Sign-On (SSO) in Azure AD (VIDEO)

Setting up SSO in Azure Active DirectorySSO in Azure active directory is the perfect balance of convenience and security Enabling it remove...

4 min read
Published on Nov 2, 2018
Setting up Single Sign-On (SSO) in Azure AD (VIDEO)

Setting up SSO in Azure Active Directory

SSO in Azure active directory is the perfect balance of convenience and security. Enabling it removes an attack surface, since your employees do not need to remember extra passwords, while their daily routine is streamlined, as they are seamlessly logged into their applications.

Why Use SSO?

  • Simplicity - Provides a seamless experience for your employees, faster access to their applications, and ends password fatigue.
  • Security - No more weak or duplicated password, single point of control, a unique and secure identity.
  • Compliance - Helps admins increase control over the data users have access to and aids in HIPAA, SOX and NIST compliance.

How Single Sign On Works - DiagramHow Single Sign-On Works:

Instead of using a username / password combination, SSO uses a central trusted source of authentication to provide tokens that give access to other applications.

  1. User tries to log into an application from their browser.
  2. The application generates a SAML request and sends it to the user’s browser.
  3. The user’s browser sends the request to the identity provider.
  4. The identity provider authenticates the user.
  5. The identity provider generates a SAML response (token) and sends it back to the user’s browser.
  6. Browser sends token to the application.
  7. The application verifies the tokenized credential and grants access.

 

Authentication Scenarios of SSO Applications?

  • 1.None

    • Essentially mandating the use of shared passwords on apps.

    2.Per User Password Extension/Addon (LastPass, Roboform, native browser)

    • Typical – User has combination of personal and work passwords.

    3.Enterprise Password Extension/Add-on (Centralized management)

    • Can assign credtials to user or groups
    • Allows changing of shared account credential to happen rapidly

    4.SAML or Native Azure AD/Office 365 authentication

    • Note – Only option that can stop sign-on of app when user is disabled in Azure AD.

Portal Scenarios

  1. None – Users get invites to apps in their email
  2. Intranet Webpage – Catalog of links on a singe page, or broken down in department (if lucky).
  3. Enterprise Portal – Users see ONLY web apps that they have access to.
  4. Unified Portal – Users see web apps, intranet apps (proxied internally, authenticated first in cloud), and Remote Desktop apps on one unified portal.

Provisioning Scenarios of SSO

  1. Manually – Create user in App on onboarding.  Delete user on offboarding.
  2. SAML Add - Apps that provision user on first logon (if configured in app) will take the first/last name in the SAML request and use that to provision a new account.
    1. Note 1 - This is rarely with app vendors, so not a typical scenario.
    2. Note 2 - While user can’t logon, their account still exists in the app isolated admin portal. Per user fees charged.
  3. SCIM – Provisioning and De-provisioning (user account deleted from app after 30 days of being deleted on Azure AD).
    1. Note - Only about 20 vendors currently supporting (Salesforce, G Suite, Docusign, etc).

The Admin Experience

  • Fast to onboard and offboard users.
  • Time spent configuring SSO with vendors is saved during user tasks.
  • Vastly improved security, compliance and monitoring. (see previous Tech Talks from Matt Soseman and Kevin Martins)
  • Auto provisioning with SCIM (Simple Cloud Identity Management)

The SSO Demo

(Skip to Video)

  1. Agile IT End User Experience
  2. MyApps Enterprise App portal settings in Azure
  3. Tour of App Examples in Azure:
    1. Individual Passwords End User Experience (Zapier)
    2. Shared Passwords distributed to group (No end user demo)
    3. SAML Logon (Bonusly)
    4. SAML Logon (Expensify) – Not all app vendors properly support “SSO”.  It’s more like 1.5 vs single (1) sign on.
    5. SAML + SCIM (Docusign)
    6. Internal Application Proxy (PRTG)

About Agile IT Tech Talks

Agile IT Tech Talks are weekly sessions where we bring in subject matter experts for short, highly focused educational segments, followed by up to an hour of open Q&A where Agile IT clients can discuss their own environments with our engineers and a group of peers. While we release the demos and sessions on our blog, the Q&A benefit is only available to Agile IT Managed Service and Cloud Service Customers. Agile IT is a four time cloud partner of the year and offers fully managed security as a service. To find out more, schedule a free call with a cloud service advisor.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

How MSPs, RPOs, and C3PAOs Help Organizations Achieve CMMC Compliance

How MSPs Help Organizations Achieve CMMC Compliance

MSPs, RPOs, and C3PAOs play a crucial role in CMMC compliance. Learn how to choose the right consultant, third-party auditor, or provider to meet CMMC certification requirements.

May 20, 2025
8 min read
CMMC Compliance Requirements for Level 1 Level 2 and Level 3

CMMC Compliance Requirements for Level 1 Level 2 and Level 3

CMMC certification requires different cybersecurity controls at each level. Learn the key requirements for Level 1, Level 2, and Level 3 compliance and how they align with NIST 800-171.

May 16, 2025
5 min read
Common Questions About Azure Migration Answered

Common Questions About Azure Migration Answered

Get answers to the most common Azure migration questions. Learn about costs, best practices, security, compliance, and troubleshooting cloud migration challenges.

Apr 29, 2025
3 min read
AVD vs W365 in GCC high reducing your CMMC scope

AVD vs W365 in GCC High Reducing Your CMMC Scope and Simplifying Compliance

Comparing AVD vs W365 for GCC High? Learn how each can reduce your CMMC assessment scope and simplify security and compliance management in government environments.

Apr 28, 2025
7 min read
Office 365 License Comparison: Business Plans Vs. E5, E3 and E1

Implementing Cybersecurity Policies for CMMC Compliance and Managing CUI

CMMC compliance requires well-documented cybersecurity policies. Learn how to implement security controls, create an SSP and POA&M, and manage Controlled Unclassified Information (CUI).

Apr 25, 2025
7 min read
CMMC compliance for DoD contractors

CMMC Compliance Requirements for DoD Contractors and Subcontractors in the Defense Industry

CMMC compliance is mandatory for DoD contractors and subcontractors. Learn about certification levels, requirements, and the consequences of failing to meet compliance.

Apr 24, 2025
6 min read

Ready to Secure and Defend Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Secure. Defend. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don't want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

Secure. Defend. Thrive.

Don't want to wait for us to get back to you?

Discover more about Agile IT's range of services by reaching out

Schedule a Free Consultation