Guide: SSO

What Is Azure AD Single Sign On (Azure AD SSO)?

Azure Active Directory (Azure AD) is a cloud-based identity as a service (IDaaS) solution. It is a secure online repository for user profiles and groups of user profiles. Azure AD is designed to manage access to cloud-based applications and servers using modern authentication protocols such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation.

Azure AD Single Sign-On (SSO) is an Azure AD feature that allows users to conveniently log into SaaS applications. It gives each user access to the full suite of applications they need, without needing to log into each individual application. Azure AD creates an access token that is stored locally on the employee’s device. These tokens can be configured to expire after a certain period. To further enhance security, Azure AD can also enforce multi-factor authentication (MFA).

In this article:

Azure AD SSO Example

Consider a user who wants to access a business application deployed on-premises via Azure AD. The company has both locally-deployed Microsoft Active Directory and Azure AD. It has created a hybrid setup by enabling Azure AD Seamless SSO via Azure AD Connect. 

The following diagram illustrates how SSO would work in this hybrid scenario.

Hybrid SSO authentication process:

  1. The user types the address of the business application into their browser, on a domain-joined workstation running within the company office. 
  2. The user is redirected to the Azure AD login page.
  3. The user provides a username on the Azure AD login page.
  4. Azure AD challenges the browser to provide a Kerberos ticket.
  5. The browser requests a Kerberos ticket for the computer’s local Azure AD SSO account. This account is created in Microsoft Active Directory when Azure AD Seamless SSO is configured. 
  6. Microsoft Active Directory provides the Kerberos ticket for the local Azure AD SSO account. It is encrypted with a secret belonging to the local account.
  7. The browser responds to Azure AD with the encrypted Kerberos ticket.
  8. Azure AD decrypts the Kerberos key, using a key which is shared with Azure AD when Azure AD Seamless SSO is initially configured.
  9. If the ticket is valid, Azure AD grants access and returns an authentication token to the browser.
  10. The user can now log into the business application without re-entering a password.

Related content: Read our guide to SSO authentication

Azure Single Sign-On Options

Several methods can be used to configure applications for SSO. The chosen SSO method will depend on the specific application’s authentication configuration. 

For example, a cloud application might use OAuth, OpenID Connect (OIDC), or SAML to enable authentication, with single sign-on enabled or disabled. An application hosted on-premises might use a header- or password-based authentication method, IWA SSO, or linked SSO. The on-premise options require configuring the application for Azure Application Proxy.

Various authentication protocols can support SSO in Azure AD:

  • OAuth/OpenID Connect—select the OIDC option based on OAuth 2.0 for applications that support this option. The Microsoft identity platform provides details about these options in the OpenID Connect and OAuth 2.0 protocols. Learn more in our guide to OAuth flows.
  • SAML—this is the best option for applications that don’t support OIDC/OAuth. The SSO SAML protocol provides details about this option. Learn more in our guide to SAML.
  • Password-based SSO—this option is suited to applications with HTML sign-in pages. This approach, called password vaulting, allows admins to manage users’ access permissions and passwords to web apps that don’t enable federated identities. It is useful for managing a single account shared by multiple users (e.g., a social media account). Password-based SSO enables applications requiring multiple sign-in fields, with more details than the standard username and password. The field labels are customizable. 
  • IWA SSO—use single sign-on with Integrated Windows Authentication for applications using IWA or claims-aware. 
  • Header-based SSO—choose this option for applications that use headers to authenticate. 
  • Linked SSO—select the linked SSO method for applications configured for single sign-on in a third-party identity provider. This option enables admins to configure the target location when users select an application in the organization’s portal. Admins can add links to custom web applications that already use identity federation (i.e., Active Directory Federation Services). It is also possible to add a link to a specific web page, which will appear on the user’s access panel. Admins might add links to apps that don’t require authentication. This option does not support SSO functionality using Azure AD user credentials. 
  • Disabled SSO—an admin might disable SSO if the application is not ready for SSO configuration.

See how Azure AD compares to other Single Sign-on solutions and SSO providers

How to Set Up Azure AD SSO

Here are the steps involved in setting up SSO in Azure AD.

Step 1: Set Up the Prerequisites

Several prerequisites must be in place to support SSO. Before configuring single sign-on:

Several prerequisites must be in place to support SSO. Before configuring single sign-on:

  • Set up the Azure AD Connect server.
  • Ensure Azure AD Connect supports the topology used.
  • Establish the domain administrator’s credentials.
  • Enable the “modern authentication” feature on the tenant.
  • Ensure the client is the latest Microsoft 365 version.

Step 2: Enable the SSO Feature

This step involves enabling seamless SSO via Azure AD Connect. If freshly installing Azure AD Connect, select the custom installation option. Select Enable single sign-on on the User sign-in page.

Image Source: Azure

If Azure AD Connect is already installed, go to Change user sign-in in Azure AD Connect and choose Next. The default selection is Enable single sign-on for versions 1.1.880.0 and up of Azure AD Connect. For older Azure AD Connect versions, it is necessary to select this option explicitly.

Image Source: Azure

Follow the configuration wizard to the Enable single sign-on page. Specify the domain admin credentials for every Active Directory forest that syncs to Azure AD via Azure AD Connect or requires seamless SSO. Once the wizard finishes, it will enable seamless SSO on the tenant.

Use the following steps to verify that seamless SSO is working correctly:

1. Go to the Azure AD admin center, using the global admin credentials for the tenant to sign in.

2. Choose the Azure Active Directory option on the left.

3. Choose Azure AD Connect.

4. Check the Seamless single sign-on field to ensure the feature is marked Enabled.

Image Source: Azure

Azure AD SSO with Frontegg

Frontegg can help enforcing complex SSO flows with native integration of Azure AD using SAML. While it was previously required to configure Azure AD SSO manually by using the Azure AD SAML Toolkit, Frontegg makes the whole process self-served. You’re good to go with just a few clicks. Mapping Active Directory (AD) groups and assigning them granular permissions as per your specific roles is also extremely easy. Multiple use cases? No problem. Frontegg is also multi-tenant by design. User management was never more easier.