Single Sign On Single Sign on removes the worry of memorizing and writing down passwords. If a user has signed in once, there is no need for the user to enter their username or password again. Auth x ensures the user’s identity when logging in, and the user is given access to all their applications.
- What is single sign-on? Single sign-on (SSO) is a secure solution that provides employees access to company apps and websites by asking them to sign in just once a day, using one username and password. When you sign in to a website through Facebook or Google, you’re using a type of SSO.
- Tip: You are able to use the same Standard ID and password on all sites that bear the Single Sign-On logo.
Azure AD application gallery contains thousands of applications already but there can be situations where organizations uses their own applications. In such scenario Azure AD allows to bring these apps to azure.
In my previous blog post “Step-by-Step guide to Azure AD Password-based single-sign on”, I explained Azure AD password-based single-sign on and how we can use it. If you not read it yet, you can access it using https://www.rebeladmin.com/2018/09/step-step-guide-azure-ad-password-based-single-sign/ . In this blog post, I am going to demonstrate how we can bring our own app to Azure AD and use Password-based single-sign on with it.
In my demo environment I have cloud app called Woodgrove Expense Manager and I can access it using https://woodgroveexpensemanager.azurewebsites.net I need my sales and marketing team to use it. Also, I need them to share one login. However, I do not want end user to know these credentials.
As first part of this demo, I need to integrate my app with Azure AD. To do that,
1.Log in to https://portal.azure.com as global admin.
2.Click on Azure Active Directory on the left-hand panel.
3.Then click on Enterprise applications
4.In new window, click on + New application
5.In application panel, click on Non-gallery application
6.Then in new wizard, type name for app and click on Add
7.In new app window, click on Single sign-on
8.Then select password-based single sign-on as SSO mode. Under sign-on URL define the application URL. in my demo it is https://woodgroveexpensemanager.azurewebsites.net . at last click on Save to apply the changes.
9.Once settings are saved, click on Configure Woodgrove Expense Manager Password Single Sign-on Settings
10.In new window, select Manually detect sign-in fields and then capture sign in fields.
11.This will load up new tab with application page. Type the sign in details and then click on sign-in.
12.Then in app window it asks if we want to save captured login details. Click on Ok to capture data.
13.After that, it will go back to sign-on page, in this page click on Ok, I was able to sign-in to the app successfully and then Ok to save the config.
14.Once configuration is saved, click on user & groups.
15.Then click on Add user
16.From the list of user & groups, I have selected group for my sales & marketing team. Once selection is done, click on Assign credentials.
17.In new window Set Assign credentials to be shared among all group members to Yes and type credentials for the https://woodgroveexpensemanager.azurewebsites.net . To complete the process, click on Ok & then Assign
18.This completes the configuration part. Next step is to test it. for that I am log in to https://myapps.microsoft.com as a user from sales & marketing group. Then click on Woodgrove Expense Manager
19.As expected, without any other additional logins, it log me in to the Woodgrove Expense Manager. cool ha?
This marks the end of this blog post. Hope now you have better understanding how to bring your own app to Azure AD and use password-based single sign-on with it. If you have any further questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.
-->In the quickstart series on application management, you learned how to use Azure AD as the Identity Provider (IdP) for an application. In the quickstart guide, you configure SAML-based or OIDC-based SSO. Another option is password-based SSO. This article goes into more detail about the password-based SSO option.
This option is available for any website with an HTML sign-in page. Password-based SSO is also known as password vaulting. Password-based SSO enables you to manage user access and passwords to web applications that don't support identity federation. It's also useful where several users need to share a single account, such as to your organization's social media app accounts.
Password-based SSO is a great way to get started integrating applications into Azure AD quickly, and allows you to:
1password Single Sign On Login
Enable single sign-on for your users by securely storing and replaying usernames and passwords
Support applications that require multiple sign-in fields for applications that require more than just username and password fields to sign in
Customize the labels of the username and password fields your users see on My Apps when they enter their credentials
Allow your users to provide their own usernames and passwords for any existing application accounts they're typing in manually.
Allow a member of the business group to specify the usernames and passwords assigned to a user by using the Self-Service Application Access feature
Allow an administrator to specify a username and password to be used by individuals or groups when they sign in to the application with the Update Credentials feature
Before you begin
Using Azure AD as your Identity Provider (IdP) and configuring single sign-on (SSO) can be simple or complex depending on the application being used. Some applications can be configured with just a few actions. Others require in-depth configuration. To ramp knowledge quickly, walk through the quickstart series on application management. If the application you're adding is simple, then you probably don't need to read this article. If the application you're adding requires custom configuration and you need to use password-based SSO, then this article is for you.
Important
There are some scenarios where the Single sign-on option will not be in the navigation for an application in Enterprise applications.
If the application was registered using App registrations then the single sign-on capability is configured to use OIDC OAuth by default. In this case, the Single sign-on option won't show in the navigation under Enterprise applications. When you use App registrations to add your custom app, you configure options in the manifest file. To learn more about the manifest file, see Azure Active Directory app manifest. To learn more about SSO standards, see Authentication and authorization using Microsoft identity platform.
Other scenarios where Single sign-on will be missing from the navigation include when an application is hosted in another tenant or if your account does not have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal). Permissions can also cause a scenario where you can open Single sign-on but won't be able to save. To learn more about Azure AD administrative roles, see (https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles).
1password Sign In To Chrome
Basic configuration
In the quickstart series, you learned how to add an app to your tenant, which lets Azure AD knows it's being used as the Identity Provider (IdP) for the app. Some apps are already pre-configured and they show in the Azure AD gallery. Other apps are not in the gallery and you have to create a generic app and configure it manually. Depending on the app, the password-based SSO option might not be available. If you don't see the Password-based option list on the single sign-on page for the app, then it is not available.
Important
The My Apps browser extension is required for password-based SSO. To learn more, see Plan a My Apps deployment.
The configuration page for password-based SSO is simple. It includes only the URL of the sign-on page that the app uses. This string must be the page that includes the username input field.
After you enter the URL, select Save. Azure AD parses the HTML of the sign-in page for username and password input fields. If the attempt succeeds, you're done.
Your next step is to Assign users or groups to the application. After you've assigned users and groups, you can provide credentials to be used for a user when they sign in to the application. Select Users and groups, select the checkbox for the user's or group's row, and then select Update Credentials. Finally, enter the username and password to be used for the user or group. If you don't, users will be prompted to enter the credentials themselves upon launch.
Manual configuration
If Azure AD's parsing attempt fails, you can configure sign-on manually.
Under <application name> Configuration, select Configure <application name> Password Single Sign-on Settings to display the Configure sign-on page.
Select Manually detect sign-in fields. Additional instructions describing the manual detection of sign-in fields appear.
Select Capture sign-in fields. A capture status page opens in a new tab, showing the message metadata capture is currently in progress.
If the My Apps Extension Required box appears in a new tab, select Install Now to install the My Apps Secure Sign-in Extension browser extension. (The browser extension requires Microsoft Edge, Chrome, or Firefox.) Then install, launch, and enable the extension, and refresh the capture status page.
The browser extension then opens another tab that displays the entered URL.
In the tab with the entered URL, go through the sign-in process. Fill in the username and password fields, and try to sign in. (You don't have to provide the correct password.)
A prompt asks you to save the captured sign-in fields.
Select OK. The browser extension updates the capture status page with the message Metadata has been updated for the application. The browser tab closes.
In the Azure AD Configure sign-on page, select Ok, I was able to sign-in to the app successfully.
Select OK.
Next steps