# All Roads to Entra ID SSO

*Julian Sperling, sparrow365.de. Published 22 April 2024, last modified 4 November 2024. Original URL: https://sparrow365.de/index.php/en/2024/04/22/all-roads-to-entra-id-sso/*
*Tags: AAD, AAD Connect, Azure AD, Entra, Entra ID, MFA, Single Sign-On, SSO*

When I started learning Entra ID (then still Azure AD), my **biggest challenge**, aside from the seemingly endless product renamings in M365/Azure, was that "SSO" (**Single Sign-On**) has almost become a buzzword.

If you are currently looking for ways to **standardize identities** and interrupt a user's work less often for logins, you are bombarded with **fundamentally different technologies** that are **difficult to distinguish** at first glance. So I made it my task to collect the core concepts and present when each of them is needed.

From there, one can dive further into the documentation and other articles to implement what is necessary, which details need to be considered, and so on.

> My definition of SSO requires not only use of the same user information but, more importantly, that a user *has to log in only once* and then gains access to other applications without further interaction.
>
> Also outside the scope: Virtual Desktop Infrastructure (VDI), as the capabilities vary greatly depending on the provider.
> For instance, [Azure Virtual Desktop](https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on) and [Windows 365](https://learn.microsoft.com/en-us/windows-365/enterprise/configure-single-sign-on) support Entra ID SSO, while [a solution is on the roadmap for Citrix](https://updates.cloud.com/details/sso-for-azure-ad-joined-virtual-desktops-(without-fas)-hdx51158/).

## Clientside

Once I have logged into Entra ID, my device must be able to share this login **with other applications**. Under Windows, this is built directly into the operating system. Probably unsurprisingly, **other manufacturers** have less interest in supporting Microsoft mechanisms by default.

> The login usually takes the form of a Primary Refresh Token (PRT); more details:
>
> - [(Primary) Refresh Token, Access Token](https://blog.skymadesimple.io/what-is-a-primary-refresh-token/) by [Jonas Bøgvad](https://blog.skymadesimple.io/author/jonas/)

### Android

Entra ID authentication is based on web protocols, with **session information stored in the web browser**. Without a shared browser session, SSO between different applications **would not be possible**. Ideally, apps should use the operating system's system browser (on Android through Custom Tabs) rather than an embedded WebView, which keeps its own cookie jar and therefore its own session; in practice this is often not the case.

To solve this problem, the Intune Company Portal and Microsoft Authenticator can serve as "**broker apps**", or intermediaries. They store the current **login sessions** of a user and enable **sharing these between applications**. Unfortunately, these features are not part of the operating system itself, so applications must be able to communicate with these brokers.
This is typically achieved using the **Microsoft Authentication Library (MSAL)**. MSAL simplifies implementing the authentication protocols for developers and integrates Microsoft's broker applications by default.

> *Further Reading*
>
> - [Microsoft documentation: More technical representation of broker applications](https://learn.microsoft.com/en-us/entra/identity-platform/msal-android-single-sign-on#sso-through-brokered-authentication)
> - [MS Docs: Using brokers in MSAL for developers](https://learn.microsoft.com/en-us/entra/identity-platform/msal-net-use-brokers-with-xamarin-apps#brokered-authentication-for-android)

### Enterprise SSO for iOS and macOS

What applies to Android also applies to macOS and iOS, with the minor difference that on iOS only the Microsoft Authenticator can act as a broker, while on macOS the Intune Company Portal exclusively takes on this role.

Additionally, the **broker can be integrated directly into the operating system**: Apple provides the "Authentication Services Framework" in its operating systems, into which the Microsoft broker service (the Microsoft Enterprise SSO plug-in) can be integrated as a plug-in.
Through appropriate configuration of the plug-in, authentication requests from apps that **do not use MSAL** can also be redirected to the broker, extending SSO to them.
Under macOS this includes **login to the device** through Platform SSO, similar to Windows Hello for Business under Windows.

> - [Practical 365: Set up Enterprise SSO via Intune](https://practical365.com/configuring-enterprise-sso-in-apple-devices/)
> - [MS Docs: Enterprise SSO plug-in](https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin)
> - [MS Docs: Platform SSO for Device Login](https://learn.microsoft.com/en-us/mem/intune/configuration/platform-sso-macos)
> - [Apple Docs: Apple Authentication Services Framework for developers](https://developer.apple.com/documentation/authenticationservices)

### Seamless SSO for Windows

I initially mentioned that the SSO mechanisms under Windows are integrated directly into the operating system. However, this integration is not entirely automatic, and this is precisely where the **biggest pitfall** lies in terms of understandability.

Seamless SSO, as used in this post, covers **two aspects**. On one hand, devices that have **joined Entra ID only** and access resources in "traditional" Active Directory domains; Microsoft's documentation calls this "SSO to on-premises resources".
On the other hand, the opposite scenario, which is what Microsoft's documentation itself calls "Seamless SSO": login of clients that are **joined only to a "traditional" Active Directory domain** to Entra ID-protected resources and applications.

Implementing **Seamless SSO to Entra ID** is particularly important at the **beginning** of an organization's **transformation towards a hybrid** infrastructure, or when **terminal servers** are present in an environment. It allows the **benefits of connecting to Entra ID** to be used as early as possible, at least partially. For this, Entra Connect creates a computer account (AZUREADSSOACC) in the on-premises domain that represents Entra ID and shares that account's Kerberos decryption key with Entra ID. A domain controller can then issue Kerberos service tickets for the account, the client presents such a ticket to Entra ID, and Entra ID validates it with the shared key. However, it must be clear that this ticket only proves the password-based Windows sign-in: Kerberos **cannot convey an MFA claim to Entra ID**, so Seamless SSO never satisfies an MFA requirement, and a Conditional Access policy that demands MFA will still prompt the user. Prompt-free access therefore usually ends up relying on **trusted-location or device exclusions** from MFA, which weakens the policy.

For **Seamless SSO to on-premises** Active Directory resources, Windows itself does most of the work. When a login is requested from a domain that is recognised as synchronized with Entra ID, **Windows can present the password** and the synchronized on-premises username that were used when signing in to the device, **without further user interaction**. Those paying attention might wonder: what if Windows does not currently have my password? If the user has not entered a password at Windows login (e.g., because they use Windows Hello for Business or a FIDO2 security key), Entra ID, with the appropriate configuration (Microsoft Entra Kerberos, also called cloud Kerberos trust), **issues a partial Kerberos TGT** for the on-premises domain, which the client exchanges at a domain controller for a full ticket that can be used on-premises.

In both scenarios, **Entra Connect Sync plays a central role**: both sides need to know which objects in Entra ID and Active Directory correspond to each other.
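As an added example (not from the original post), here is a read-only PowerShell check of the trust anchor that this Seamless SSO setup rests on, meant to run from a domain-joined admin workstation with the ActiveDirectory RSAT module. It assumes the computer account is named AZUREADSSOACC with the SPN HTTP/autologon.microsoftazuread-sso.com, that its Kerberos decryption key should be rolled at least every 30 days as Microsoft recommends, and that the intranet-zone assignment is deployed through the "Site to Zone Assignment List" policy (registry value under ZoneMapKey); verify all three against your own deployment. The rollover cmdlets at the end come from the AzureADSSO module that ships with Entra Connect and are shown as comments because they need the Connect server and tenant credentials.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post: read-only health check for the
# computer account that Entra Connect creates in Active Directory for Seamless SSO.
# Assumptions (check them in your forest): account name AZUREADSSOACC, SPN
# HTTP/autologon.microsoftazuread-sso.com, zone assignment via the
# "Site to Zone Assignment List" policy (ZoneMapKey registry values).

function Test-SeamlessSsoAccount {
    [CmdletBinding()]
    param(
        [string]$AccountName   = 'AZUREADSSOACC',
        [string]$ExpectedSpn   = 'HTTP/autologon.microsoftazuread-sso.com',
        # Microsoft recommends rolling the Kerberos decryption key at least every 30 days.
        [int]   $MaxKeyAgeDays = 30
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    $acc = Get-ADComputer -Identity $AccountName -ErrorAction Stop `
        -Properties PasswordLastSet, ServicePrincipalNames, Enabled, TrustedForDelegation, TrustedToAuthForDelegation

    # 1. The account must exist and be enabled, otherwise no tickets are issued for it.
    if (-not $acc.Enabled) { $findings.Add("Account $AccountName is disabled; Seamless SSO will fail.") }

    # 2. Without the SPN, domain controllers cannot build a service ticket for the Entra ID endpoint.
    if ($acc.ServicePrincipalNames -notcontains $ExpectedSpn) {
        $findings.Add("SPN $ExpectedSpn is missing; check the Seamless SSO configuration in Entra Connect.")
    }

    # 3. The key shared with Entra ID is the trust anchor: whoever holds it can forge tickets
    #    that Entra ID accepts for any synced user, so it has to be rolled regularly.
    $keyAge = (Get-Date) - $acc.PasswordLastSet
    if ($keyAge.TotalDays -gt $MaxKeyAgeDays) {
        $findings.Add("Kerberos decryption key is $([int]$keyAge.TotalDays) days old (limit $MaxKeyAgeDays); run Update-AzureADSSOForest.")
    }

    # 4. The account stands in for Entra ID, not for a real host; delegation rights on it are never needed.
    if ($acc.TrustedForDelegation -or $acc.TrustedToAuthForDelegation) {
        $findings.Add("Account is trusted for delegation; remove this, it widens what a stolen key can do.")
    }

    # 5. Windows only sends Kerberos tickets to sites in the Local intranet zone (zone 1).
    $zoneUrl  = 'https://autologon.microsoftazuread-sso.com'
    $zoneKeys = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
                'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $zone = $zoneKeys |
        ForEach-Object { (Get-ItemProperty -Path $_ -Name $zoneUrl -ErrorAction SilentlyContinue).$zoneUrl } |
        Where-Object { $_ } | Select-Object -First 1
    if ("$zone" -ne '1') {
        $findings.Add("$zoneUrl is not assigned to the Local intranet zone on this machine; the browser will not send a ticket.")
    }

    [pscustomobject]@{
        Account      = $acc.DistinguishedName
        KeyAgeDays   = [int]$keyAge.TotalDays
        Spns         = @($acc.ServicePrincipalNames)
        IntranetZone = $zone
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-SeamlessSsoAccount | Format-List

# Key rollover (run on the Entra Connect server, at most every 30 days):
#   Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
#   New-AzureADSSOAuthenticationContext        # prompts for a tenant admin account
#   Get-AzureADSSOStatus | ConvertFrom-Json    # lists the forests with Seamless SSO enabled
#   $cred = Get-Credential                     # on-premises domain admin, as DOMAIN\user
#   Update-AzureADSSOForest -OnPremCredentials $cred
```

Why the key age gets its own check: Entra ID validates the presented ticket with the key it shares with AZUREADSSOACC, so that single key is effectively a credential for every synchronized user. Anyone who can read it out of the directory (for example with replication rights) can mint tickets that Entra ID accepts, and only a rollover invalidates it; a scheduled rollover is therefore the one maintenance task this mechanism really requires.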
The Entra Connect PowerShell cmdlets also manage the Active Directory objects and associated secrets used in the authentication process. A connection to Active Directory is unavoidable, so off the corporate network one is, unfortunately, **dependent on a VPN**, at least as long as there are still systems that depend on Active Directory 😉

> - [MS Docs: Configuring Seamless SSO](https://learn.microsoft.com/en-us/entra/identity/hybrid/sso)
> - [MS Docs: Configuring passwordless Seamless SSO to on-premises resources](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises)
> - [MS Docs: How Seamless SSO to on-premises resources works](https://learn.microsoft.com/en-us/entra/identity/devices/device-sso-to-on-premises-resources)

## Application Side

Our device now has access to a shared login; now we need **authentication consumers**. We have already touched on some aspects with Android and iOS, for example the Microsoft Authentication Library (MSAL). But what about **infrastructure components and server- or web-based applications**? Naturally, the fundamental requirement is that the application does not **exclusively authenticate with a username and password from its own database**. Such apps are usually either outdated or their development leaves something to be desired (*excluding apps where SSO is a paid feature*), and should be considered for replacement.

### SAML / OIDC

The current **gold standards** of web-based authentication are SAML and OIDC. SAML is probably the most widely used, due to its age.
However, OIDC is gaining momentum, especially because it is still actively developed and builds on OAuth 2.0 with JSON Web Tokens, which suits APIs and mobile apps better than SAML's XML assertions. Both standards are, of course, also **supported by Entra ID**.

As completely open standards, it is very likely that some of the software in your arsenal **already supports one of the protocols** and would not need to interrupt the user at all to determine their identity and access rights. Not only can this improve the user experience; using an identity provider like Entra ID also allows **centralising management of user information and permissions**, making life easier for administrators.

So check whether your application is perhaps already listed in the [**Entra ID app catalog**](https://aka.ms/AppsTutorial). Note that not all applications that support SAML and OIDC are listed there, but the Entra ID specific guides and pre-configurations do simplify implementation.

> - [MS Docs: OpenID Connect Authentication](https://learn.microsoft.com/en-us/entra/architecture/auth-oidc)
> - [MS Docs: SAML Authentication](https://learn.microsoft.com/en-us/entra/architecture/auth-saml)

### Application Proxy / Entra Private Access

If the application is too old for modern protocols, not all hope is lost: common **"legacy" authentication methods can still be integrated**. An **appropriate proxy service** can translate the old protocols, which are not suitable for the internet, **into modern ones**.
For example, Entra ID's "**Application Proxy**" can front applications that use HTTP header, SAML, Kerberos (Integrated Windows Authentication, implemented through Kerberos Constrained Delegation) or password-based authentication.

It is important that the Microsoft solution works with outbound connections only: the connector **pulls requests from the Application Proxy service in Entra ID**, and the published application is never **directly reachable** from the internet.

The same **connector agent** is also used by Microsoft's newer solution, **Entra Private Access**, which in the future will also support UDP and arbitrary TCP connections, in addition to enhanced control options. *Whether Microsoft will pursue the strategy of eventually discontinuing the "free sample" Application Proxy remains to be seen.*

> This article was written before the connector was renamed to *"Entra private network connector"*, so from Microsoft's perspective it is very clear which name *should* be put first.

The translator mantle can also be donned by **third-party proxy systems** like F5 BIG-IP or Citrix NetScaler, to maintain more **control over traffic and performance**.

> - [MS Docs: Application Proxy Installation + Configuration](https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-add-on-premises-application)
> - [MS Docs: App Proxy Network Topology](https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-network-topology)
> - [controlgap: Get rid of NTLM](https://www.controlgap.com/blog/understanding-the-risks-associated-with-ntlm-authentication)
> - [Citrix Documentation: NetScaler Kerberos Constrained Delegation](https://support.citrix.com/article/CTX236593/how-to-configure-netscaler-gateway-for-kerberos-constrained-delegation)
> - [cloudkaffee: Microsoft Entra Private Access](https://www.cloudcoffee.ch/microsoft-azure/microsoft-entra-private-access-secure-access-to-internal-resources-and-cloud-services-without-vpn/)

### 3rd Party Identity Provider

**Existing identity providers** (IdPs) can also be integrated: most IdPs can take on the role of relying party or service provider, effectively functioning like an **application bound to Entra ID**. Depending on the configuration and the IdP, SSO sessions can be transferred seamlessly to systems that may not be directly linked to Entra ID.

You may not even be aware that you are using another IdP: **middleware solutions** like SiteMinder, installed within a web server to centralize authentication, can also be **seen as IdPs**. By connecting these, the login processes optimized by Microsoft can be extended to other systems.

Many applications also **bring their own IdP**. Shibboleth and Keycloak are common examples: unlike MSAL, which is a client library, they are full identity providers that take authentication off the developer's hands, and they can in turn be federated to Entra ID as the upstream provider.

Entra ID can also be configured as the **receiving component**: **authentication** occurs through **another IdP, which Entra ID then trusts**; Microsoft refers to this arrangement as **"Federation"**.
However, in this setup many **advantages of Entra ID authentication are lost** (password policy and MFA happen at the external IdP, and Entra ID has to be explicitly told whether to trust its MFA claims), and the external IdP becomes a trust anchor for the tenant: whoever controls its token-signing key can mint assertions for any federated user. Preferably, trust would therefore go in the **opposite direction**.

> - [Okta: Entra ID as a Connected IdP](https://developer.okta.com/docs/guides/add-an-external-idp/azure/main/)
> - [SiteMinder: Add a New SAML IdP](https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/legacy-federation/configure-a-saml-2-0-identity-provider.html)
>   - *Long-term: migrate applications directly to Entra authentication*
> - [MS Docs: Federation](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-whatis)
>   - *Typically better documented by 3rd party IdPs*
> - [Brian Reid: Example Challenge Using Other IdP: Conditional Access](https://c7solutions.com/2024/01/entra-id-multi-factor-authentication-conditional-access-and-external-federation-implementation)

## Conclusion

We see that a **variety of technologies and configurations** must be considered and utilized on the path to SSO. Each carries its own challenges and nuances that could fill their own articles, but at least we now know the paths we can embark upon.

I hope I was able to give some readers an idea of how the user experience can be improved, or provided a little guidance for a first journey.

Do you have thoughts on these options or know something that I might have missed? I would love to hear from you 😊.
Join the discussion on [my associated LinkedIn post](https://www.linkedin.com/posts/julian-sperling-4bba72228_sso-microsoftentra-intune-activity-7193341051913310208-NAOJ?utm_source=share&utm_medium=member_desktop).

If you are interested in the things I do, [follow me on LinkedIn](https://www.linkedin.com/comm/mynetwork/discovery-see-all?usecase=PEOPLE_FOLLOWS&followMember=julian-sperling-4bba72228).

## High Resolution Diagram

> Updated 30.04.24 to show where the PRT is used (thanks [Merill Fernando](https://merill.net/)!)
>
> Updated 06.05.24 to include macOS Platform SSO

![HighResDiagram](https://sparrow365.de/wp-content/uploads/2024/04/AlleWegezumSSOSparrow_AddedPlatformSSO-scaled.webp)

[All paths to Entra SSO](https://sparrow365.de/wp-content/uploads/2024/04/AlleWegezumSSOSparrow_AddedPlatformSSO-scaled.webp) by [Julian Sperling](https://www.linkedin.com/in/julian-sperling-4bba72228/) is licensed under [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/).
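Returning to the Application Proxy section above: as an added example (not from the original post or from Microsoft's documentation), the PowerShell below performs the Active Directory side of the Kerberos Constrained Delegation that Application Proxy needs for Integrated Windows Authentication, and then lists every account in the domain that already has protocol transition enabled so the new entry can be reviewed alongside the existing ones. The names CONN01, svc-timesheet and HTTP/timesheet.corp.contoso.com are placeholders. The Entra ID side (setting the published app's SSO mode to IWA with the internal SPN and the delegated login identity) is done in the portal and is not shown here.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post: Active Directory configuration for
# Application Proxy single sign-on via Kerberos Constrained Delegation (KCD).
# Placeholders: connector host CONN01, backend service account svc-timesheet,
# backend SPN HTTP/timesheet.corp.contoso.com. Replace them with your own names.

function Set-AppProxyKcd {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ConnectorComputer,   # e.g. 'CONN01'
        [Parameter(Mandatory)] [string]$BackendAccount,      # e.g. 'svc-timesheet'
        [Parameter(Mandatory)] [string]$BackendSpn           # e.g. 'HTTP/timesheet.corp.contoso.com'
    )

    # 1. The backend's SPN must sit on the account that runs the web app; otherwise the
    #    domain controller cannot issue a service ticket for it and IIS could not decrypt one.
    $svc = Get-ADUser -Identity $BackendAccount -Properties ServicePrincipalNames -ErrorAction Stop
    if ($svc.ServicePrincipalNames -notcontains $BackendSpn) {
        if ($PSCmdlet.ShouldProcess($BackendAccount, "add SPN $BackendSpn")) {
            Set-ADUser -Identity $BackendAccount -ServicePrincipalNames @{ Add = $BackendSpn }
        }
    }

    # 2. The connector never receives the user's Kerberos ticket; it only learns the UPN from
    #    the Entra ID token. It therefore needs protocol transition (S4U2Self) to obtain a ticket
    #    on the user's behalf, and the delegation target is constrained to the backend SPN only.
    if ($PSCmdlet.ShouldProcess($ConnectorComputer, "constrain delegation to $BackendSpn with protocol transition")) {
        Set-ADComputer -Identity $ConnectorComputer `
            -TrustedToAuthForDelegation $true `
            -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }
    }
}

function Get-ProtocolTransitionAccounts {
    # userAccountControl bit 0x1000000 (16777216) = TRUSTED_TO_AUTH_FOR_DELEGATION.
    # Every account listed here can impersonate any user towards its delegation targets
    # without ever seeing that user's credentials; each entry should be a known proxy or
    # connector with a short, deliberate target list.
    Get-ADObject -LDAPFilter '(&(|(objectClass=computer)(objectClass=user))(userAccountControl:1.2.840.113556.1.4.803:=16777216))' `
        -Properties 'msDS-AllowedToDelegateTo', sAMAccountName |
        Select-Object sAMAccountName, @{ n = 'Targets'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}

# Dry run first; drop -WhatIf once the output shows the intended account and SPN.
Set-AppProxyKcd -ConnectorComputer 'CONN01' -BackendAccount 'svc-timesheet' -BackendSpn 'HTTP/timesheet.corp.contoso.com' -WhatIf
Get-ProtocolTransitionAccounts | Format-Table -AutoSize
```

Protocol transition (the "use any authentication protocol" option in the delegation tab) is exactly what lets the connector get a ticket for a user whose Kerberos credentials it never saw, which is why the connector host deserves the same handling as any other privileged server: whoever controls it can impersonate any user towards the SPNs in its msDS-AllowedToDelegateTo list. Keep that list to the published backends, run the function with -WhatIf first as shown, and review the output of Get-ProtocolTransitionAccounts periodically for entries nobody remembers adding.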