
I am trying to make my way through a lot of Azure documentation on multitenant identity management, for a bespoke ASP.NET MVC SaaS site. It is difficult as it seems that a lot of the online examples and articles are now outdated and not applicable to latest VS templates, and other vague aspects, such as determining what is Preview and what is not. Also, MS tend to use the word "multitenant" when specifically dealing with partner companies who have their own Azure AD, which is not our case.

Our proposed system will offer a web application to different customers. The backend will have a separate db per customer (tenant). The front end will select which db connection (and probably use impersonation) depending on the logged in user. The identity management would preferably be offloaded to Azure ACS, so that in future if we want to integrate with corporations with their own Federation identity provider we can, but for those smaller companies that don't have their own domain, we want to create accounts on their behalf.

I am thinking that a good way to do this is by using Azure ACS (for federating with corporate customers) and a general Azure AD directory (for everyone else), where in the second case I create a group per tenant (customer). Then, in Azure ACS, I translate all claims, either the group from my own AD, or the company name from the federated identity provider, and use that in the MVC app to establish the tenant.

Is this an OK way to do it? Am I overlooking some standard, simple way that Azure already offers? Is this future-proof with respect to the Azure roadmap?

Sentinel
  • Instead of ACS, I would suggest you look at Azure AD B2C: http://blogs.technet.com/b/ad/archive/2015/09/16/azure-ad-b2c-and-b2b-are-now-in-public-preview.aspx. – Gaurav Mantri Sep 23 '15 at 16:00
  • Thanks, but is Azure AD B2C really apt for a multi-tenant B2B platform? (We estimate 10s to 100s of users per customer.) – Sentinel Sep 23 '15 at 19:29
  • @Sentinel I know this question is getting a bit old, but I find myself in the exact same type of situation as you did. Any tips on how your actual implementation has gone, given the migration to Azure AD and AD B2C preview? Perhaps add your experiences as an answer? – Joshua Apr 19 '16 at 14:58
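The tenant-resolution step described in the question (translate either a group claim from the asker's own directory or a company-name claim from a federated identity provider into a tenant, then pick that tenant's database) is easy to get subtly wrong: a claim value alone must not select a database unless it came from an issuer you trust, and a user who matches no tenant, or more than one, must be refused rather than dropped into a default connection. The following ASP.NET-style C# is an added example and is not code from the question, the answer, or any Azure sample; the claim types, issuer URIs, group ids, and connection strings are hypothetical placeholders for the mapping you would keep server-side.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example, not part of the original post. All issuers, claim types,
// group ids and connection strings below are hypothetical placeholders.
public sealed class TenantInfo
{
    public string TenantId { get; private set; }
    public string ConnectionString { get; private set; }
    public TenantInfo(string tenantId, string connectionString)
    {
        TenantId = tenantId;
        ConnectionString = connectionString;
    }
}

public sealed class TenantResolver
{
    // Claim types as they arrive in the MVC app after ACS/AAD has mapped them (assumed names).
    public const string GroupClaimType = "groups";
    public const string CompanyClaimType = "http://schemas.example.test/claims/companyname";

    private readonly HashSet<string> _trustedIssuers;                 // issuers whose claims we act on
    private readonly Dictionary<string, TenantInfo> _byGroupId;       // own-directory group -> tenant
    private readonly Dictionary<string, TenantInfo> _byCompanyName;   // federated company name -> tenant

    public TenantResolver(IEnumerable<string> trustedIssuers,
                          IDictionary<string, TenantInfo> byGroupId,
                          IDictionary<string, TenantInfo> byCompanyName)
    {
        _trustedIssuers = new HashSet<string>(trustedIssuers, StringComparer.Ordinal);
        _byGroupId = new Dictionary<string, TenantInfo>(byGroupId, StringComparer.Ordinal);
        _byCompanyName = new Dictionary<string, TenantInfo>(byCompanyName, StringComparer.OrdinalIgnoreCase);
    }

    // Returns the tenant for an authenticated principal, or null if none can be
    // established. Callers must treat null as "deny", never as "use a default db".
    public TenantInfo Resolve(ClaimsPrincipal principal)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return null;

        // Ignore every claim whose issuer is not one we trust, whatever its type says.
        var claims = principal.Claims.Where(c => _trustedIssuers.Contains(c.Issuer)).ToList();

        // Case 1: user from our own directory. Exactly one registered tenant group must match.
        var groups = claims.Where(c => c.Type == GroupClaimType)
                           .Select(c => c.Value)
                           .Where(_byGroupId.ContainsKey)
                           .Distinct()
                           .ToList();
        if (groups.Count > 1)
            throw new InvalidOperationException("User belongs to more than one tenant group; refusing to guess.");
        if (groups.Count == 1)
            return _byGroupId[groups[0]];

        // Case 2: federated user. ACS has mapped the partner IdP's company claim for us.
        var company = claims.Where(c => c.Type == CompanyClaimType).Select(c => c.Value).FirstOrDefault();
        TenantInfo tenant;
        if (company != null && _byCompanyName.TryGetValue(company, out tenant))
            return tenant;

        return null;
    }

    // Demonstration with constructed principals (not real tokens).
    public static void Main()
    {
        const string ownAad = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/";
        const string acs = "https://example-namespace.accesscontrol.windows.net/";
        var resolver = new TenantResolver(
            new[] { ownAad, acs },
            new Dictionary<string, TenantInfo> { { "group-guid-contoso", new TenantInfo("contoso", "Server=db;Database=contoso") } },
            new Dictionary<string, TenantInfo> { { "Fabrikam", new TenantInfo("fabrikam", "Server=db;Database=fabrikam") } });

        // Own-directory user: group claim from the trusted AAD issuer resolves.
        var direct = Principal(new Claim(GroupClaimType, "group-guid-contoso", ClaimValueTypes.String, ownAad));
        Console.WriteLine(resolver.Resolve(direct).TenantId);                      // contoso

        // Federated user: company claim mapped by ACS resolves.
        var federated = Principal(new Claim(CompanyClaimType, "fabrikam", ClaimValueTypes.String, acs));
        Console.WriteLine(resolver.Resolve(federated).TenantId);                   // fabrikam

        // Same group value but from an untrusted issuer: no tenant, so deny.
        var spoofed = Principal(new Claim(GroupClaimType, "group-guid-contoso", ClaimValueTypes.String, "https://evil.test/"));
        Console.WriteLine(resolver.Resolve(spoofed) == null);                      // True
    }

    private static ClaimsPrincipal Principal(params Claim[] claims)
    {
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
    }
}
```

In the MVC app this resolver would run once per request (for example in an authorization filter) and the resulting `ConnectionString` handed to the data layer; the mapping from group or company to database lives only on the server, so nothing in the token ever names a connection string directly.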

1 Answer


For the latest multi-tenant samples please see https://github.com/Azure-samples?utf8=%E2%9C%93&query=multiten. We are about to release more documentation on how to handle multi-tenancy in Azure AD. I would strongly advise against using ACS in any new project, given that we are no longer adding any features and we are actively working on migrating functionality from ACS to Azure AD. See http://blogs.technet.com/b/ad/archive/2015/02/12/the-future-of-azure-acs-is-azure-active-directory.aspx for more details.

vibronet
  • Thank you. Any clues when these docs and recommendations will become available? – Sentinel Sep 23 '15 at 19:31
  • I am meeting with the writer tomorrow. However, the links I provided in the answer are already representative of the guidance; the article will simply provide a descriptive track on top of it. You should not block on that. If while studying the samples you don't understand something, feel free to hit us on SO. – vibronet Sep 23 '15 at 19:52
  • Thanks very much vibronet, I think this points me roughly in the right direction. I see the federation between AAD and other identity providers is in the roadmap here http://blogs.technet.com/b/ad/archive/2015/02/12/the-future-of-azure-acs-is-azure-active-directory.aspx – Sentinel Sep 24 '15 at 07:30
  • @vibronet broken link. (http://blogs.technet.com/b/ad/archive/2015/02/12/the-future-of-azure-acs-is-azure-active-directory.aspx) – Balagurunathan Marimuthu May 28 '20 at 05:42