Setting up Single Sign-On (SSO) in Azure AD (VIDEO)

4 min read
Published on Nov 2, 2018
Setting up SSO in Azure Active Directory

SSO in Azure Active Directory is the perfect balance of convenience and security. Enabling it removes an attack surface, since your employees no longer need to remember extra passwords, while their daily routine is streamlined because they are seamlessly logged into their applications.

Why Use SSO?

  • Simplicity - Provides a seamless experience for your employees, faster access to their applications, and an end to password fatigue.
  • Security - No more weak or duplicated passwords; a single point of control and a unique, secure identity.
  • Compliance - Helps admins increase control over the data users have access to and aids in HIPAA, SOX and NIST compliance.

How Single Sign-On Works:

Instead of using a username / password combination, SSO uses a central trusted source of authentication to provide tokens that give access to other applications.

  1. The user tries to log into an application from their browser.
  2. The application generates a SAML request and sends it to the user’s browser.
  3. The user’s browser sends the request to the identity provider.
  4. The identity provider authenticates the user.
  5. The identity provider generates a SAML response (token) and sends it back to the user’s browser.
  6. The browser sends the token to the application.
  7. The application verifies the tokenized credential and grants access.
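Step 7 is where the application (the service provider) decides whether to trust what came back. The following is an added example, not code from the original post or from Agile IT, showing the checks an SP makes on a SAML response after the XML signature has been verified: that the response answers the SP's own request, that the IdP reported success, that the assertion comes from the trusted issuer, that it is inside its validity window, and that it was issued for this application. The response XML, issuer, URLs and request ID are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical SP/IdP settings (placeholders, not real tenant values).
IDP_ISSUER = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
SP_ENTITY_ID = "https://app.example.com"

# Constructed SAML Response for illustration. The XML signature is omitted;
# in a real SP, XML-DSig verification against the IdP certificate runs first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-11-02T10:00:00Z" NotOnOrAfter="2018-11-02T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def _ts(s):  # SAML timestamps are UTC, e.g. 2018-11-02T10:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, pending_request_id, now, skew=timedelta(minutes=3)):
    """Return (name_id, failures); the SP grants access only if failures is empty."""
    root, failures = ET.fromstring(xml_text), []
    if root.get("InResponseTo") != pending_request_id:  # ties the response to our AuthnRequest
        failures.append("InResponseTo does not match an outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:  # an IdP error is not a login
        failures.append("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguous responses rather than picking one
        return None, failures + ["expected exactly one Assertion"]
    a = assertions[0]
    if a.findtext("saml:Issuer", None, NS) != IDP_ISSUER:
        failures.append("Assertion issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        failures.append("Assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        failures.append("Assertion was issued for a different audience")
    return a.findtext("saml:Subject/saml:NameID", None, NS), failures

def check_sample(now_iso, request_id="_req42"):
    return check_response(SAMPLE_RESPONSE, request_id, _ts(now_iso))
```

Replaying the same response later, or presenting it to a different application, fails the validity-window and audience checks respectively; this is why the "token" in step 7 is only meaningful to the application it was issued for.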

Authentication Scenarios of SSO Applications

  1. None
    • Essentially mandating the use of shared passwords on apps.
  2. Per User Password Extension/Add-on (LastPass, Roboform, native browser)
    • Typical – The user has a combination of personal and work passwords.
  3. Enterprise Password Extension/Add-on (Centralized management)
    • Can assign credentials to users or groups.
    • Allows shared account credentials to be changed rapidly.
  4. SAML or Native Azure AD/Office 365 authentication
    • Note – The only option that can stop sign-on to the app when the user is disabled in Azure AD.

Portal Scenarios

  1. None – Users get invites to apps in their email.
  2. Intranet Webpage – Catalog of links on a single page, or broken down by department (if lucky).
  3. Enterprise Portal – Users see ONLY the web apps that they have access to.
  4. Unified Portal – Users see web apps, intranet apps (proxied internally, authenticated first in the cloud), and Remote Desktop apps on one unified portal.

Provisioning Scenarios of SSO

  1. Manually – Create the user in the app on onboarding. Delete the user on offboarding.
  2. SAML Add – Apps that provision the user on first logon (if configured in the app) will take the first/last name from the SAML assertion and use it to provision a new account.
    1. Note 1 – This is rare among app vendors, so it is not a typical scenario.
    2. Note 2 – While the user can’t log on, their account still exists in the app’s isolated admin portal, and per-user fees are still charged.
  3. SCIM – Provisioning and de-provisioning (the user account is deleted from the app 30 days after being deleted in Azure AD).
    1. Note – Only about 20 vendors currently support it (Salesforce, G Suite, Docusign, etc.).

The Admin Experience

  • Fast to onboard and offboard users.
  • Time spent configuring SSO with vendors is recovered during day-to-day user tasks.
  • Vastly improved security, compliance and monitoring (see previous Tech Talks from Matt Soseman and Kevin Martins).
  • Auto provisioning with SCIM (Simple Cloud Identity Management).

The SSO Demo

  1. Agile IT End User Experience
  2. MyApps Enterprise App portal settings in Azure
  3. Tour of App Examples in Azure:
    1. Individual Passwords End User Experience (Zapier)
    2. Shared Passwords distributed to a group (No end user demo)
    3. SAML Logon (Bonusly)
    4. SAML Logon (Expensify) – Not all app vendors properly support “SSO”. It’s more like 1.5 vs single (1) sign-on.
    5. SAML + SCIM (Docusign)
    6. Internal Application Proxy (PRTG)

About Agile IT Tech Talks

Agile IT Tech Talks are weekly sessions where we bring in subject matter experts for short, highly focused educational segments, followed by up to an hour of open Q&A where Agile IT clients can discuss their own environments with our engineers and a group of peers. While we release the demos and sessions on our blog, the Q&A benefit is only available to Agile IT Managed Service and Cloud Service customers. Agile IT is a four-time cloud partner of the year and offers fully managed security as a service. To find out more, schedule a free call with a cloud service advisor.
