
I’ve made progress setting up Single Sign-On (SSO) by allowing users to log in with their Microsoft accounts through Azure AD in my ASP.NET web application (.aspx).

Now, my client wants me to use their Corporate Active Directory, where all user data is stored, for authentication and SSO using LDAP.

I’m aware of options like SAML and LDAP, but I’m unsure if I still need Azure AD in the picture for SSO when I’m using the Corporate AD.

I’ve done some initial research and completed steps like registering the application with Azure AD. However, I’m stuck and need guidance. Should I keep Azure AD for SSO in this setup? Can someone provide a step-by-step guide or direct me to relevant documentation for this scenario? Your assistance would be highly appreciated.

2 Answers


  1. Azure AD is not a replacement for Active Directory. Yes, you still need it, and you should sync on-premises credentials to your Azure AD through Azure ADFS:

    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs

  2. While Azure AD and Active Directory are both identity management systems, they are totally incompatible with each other. Yes, it is very confusing and probably why MS usually refers to Active Directory as "AD DS" and certainly why MS recently renamed Azure AD to "Microsoft Entra ID".

    Realize that in MS these days, there are two camps: cloud and on-premises. And if it’s not cloud, it’s referred to as "legacy" (which was dumb in light of the fact that on-premises sales are still going up and people are not gleefully jumping into cloud as much).

    Also, it is not possible to use LDAP to implement SSO. Contrary to popular belief, LDAP is not an authentication protocol. It is a database service. Some people have used authenticating with the LDAP service as a sort of proxy for authentication (if the bind succeeds, the credentials must be right). But that was always a hack. And realize that that uses plain text credentials. Even if an IdP uses TLS to LDAP, plaintext credentials still exist on the IdP (albeit briefly).

    If the customer wants pure old-fashioned on-premises SSO, you will have to either bridge AD DS and Azure using Azure AD Connect or whatever the prevailing method is today.

    Or, for truly password-free SSO (no logging into an IdP) you can use SPNEGO, Kerberos, NTLM. This is an underrated option IMO. If you’re using IIS, it can be as simple as tweaking your IIS config. No IdP necessary.

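To make the last point of that answer concrete, here is an added example (not part of the original answer, and not a configuration from the asker's project) of the IIS and ASP.NET settings that turn on Integrated Windows Authentication for a Web Forms site. It uses only standard `web.config` elements; no host names, domains or service principal names are assumed.

```xml
<!-- Added illustration: minimal web.config enabling Integrated Windows Authentication
     (SPNEGO: Kerberos with NTLM fallback) on IIS. A domain-joined browser then
     authenticates with its Kerberos ticket and no IdP or password prompt is involved. -->
<configuration>
  <system.web>
    <!-- ASP.NET side: accept the identity IIS established; User.Identity.Name becomes DOMAIN\user -->
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" is the anonymous user: refuse any request IIS could not authenticate -->
      <deny users="?" />
    </authorization>
  </system.web>

  <system.webServer>
    <security>
      <authentication>
        <!-- IIS side: disable anonymous access and enable Windows authentication,
             offering Negotiate (Kerberos) before NTLM so Kerberos is used when available -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Two checks a practitioner should make before relying on this: the `windowsAuthentication` and `anonymousAuthentication` sections are locked at the server level by default, so they must be unlocked in `applicationHost.config` (or set through IIS Manager) or IIS will reject the site's `web.config`; and Kerberos is only negotiated when the application pool identity has a service principal name registered for the site's host name, otherwise clients silently fall back to NTLM, which you can confirm by inspecting `User.Identity.AuthenticationType` in a page.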