
I've got an existing MVC5 application that uses Forms authentication. Half of my users are internal employees that also exist in Azure AD. I'd like to give them the option to authenticate against AD, but I don't want the other half to have to go through AD. All of the examples I've seen of using Azure AD authentication seem like an all-or-nothing thing.

Can't I just add a button to my login form for the AD users to go to the Azure login and get redirected back with a token? My other option is if they are an Azure user, take their email/password from my login form and try to connect to AD with it. This seems like a risk as I'll have exposure to their actual network credentials.

AndyMcKenna
  • Salesforce seems to be doing exactly what I want so it seems like I just need to recreate this flow in my app: https://developer.salesforce.com/page/Login_with_Azure_AD – AndyMcKenna Aug 17 '16 at 15:03
  • Just add a new button "Login As Azure", what is your real problem? – cuongle Aug 17 '16 at 15:06
  • My problem was not understanding the flow for that. Most of the examples were for just using Azure AD authentication entirely instead of Forms. – AndyMcKenna Aug 26 '16 at 13:35

1 Answer


I haven't completed it yet but I've gotten far enough in that this feels like the solution to me. I'm going to add a link to my login page for Azure AD users that points to the AD OpenID url as defined here:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-openid-connect-code/

The id_token that I get back identifies the user after it's unpacked as detailed here:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-tokens/#validating-tokens

AndyMcKenna
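The flow the answer describes, wired into an MVC5 controller, as an added example that is not code from the question or the answer: the "Login with Azure AD" link on the Forms login page points at Start, and the validated id_token is turned into an ordinary Forms ticket so the rest of the app is unchanged. Tenant, client id, redirect URI and route names are placeholders, and the code assumes the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect NuGet packages (5.x API).

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web.Mvc;
using System.Web.Security;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public class AzureLoginController : Controller
{
    // Placeholder values; real ones come from your Azure AD app registration.
    const string Tenant = "contoso.onmicrosoft.com";
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string RedirectUri = "https://myapp.example/AzureLogin/Callback";
    // Fetches and caches the tenant's issuer and signing keys from its metadata document.
    static readonly ConfigurationManager<OpenIdConnectConfiguration> Metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{Tenant}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    // Only the "Login with Azure AD" link goes here; other users keep the Forms login.
    public ActionResult Start()
    {
        string nonce = RandomHex(), state = RandomHex();
        Session["oidc_nonce"] = nonce; Session["oidc_state"] = state;
        return Redirect($"https://login.microsoftonline.com/{Tenant}/oauth2/authorize" +
            "?response_type=id_token&response_mode=form_post&scope=openid" +
            $"&client_id={ClientId}&redirect_uri={Uri.EscapeDataString(RedirectUri)}" +
            $"&state={state}&nonce={nonce}");
    }

    // Azure AD form-posts id_token and state back to the redirect URI.
    [HttpPost]
    public async Task<ActionResult> Callback(string id_token, string state)
    {
        if (string.IsNullOrEmpty(id_token) || state != (string)Session["oidc_state"])
            return new HttpUnauthorizedResult();
        var config = await Metadata.GetConfigurationAsync();
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,            // must be this tenant's issuer
            ValidAudience = ClientId,               // token must be minted for this app
            IssuerSigningKeys = config.SigningKeys, // signature checked against published keys
            ValidateLifetime = true                 // rejects expired tokens
        };
        SecurityToken validated;
        var principal = new JwtSecurityTokenHandler().ValidateToken(id_token, parameters, out validated);
        // The nonce ties this token to the request we started, so a replayed token is rejected.
        if (principal.FindFirst("nonce")?.Value != (string)Session["oidc_nonce"])
            return new HttpUnauthorizedResult();
        Session.Remove("oidc_nonce"); Session.Remove("oidc_state");
        var upn = principal.FindFirst("upn")?.Value ?? principal.FindFirst("preferred_username")?.Value;
        FormsAuthentication.SetAuthCookie(upn, false); // same Forms ticket the rest of the app expects
        return RedirectToAction("Index", "Home");
    }

    static string RandomHex()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "");
    }
}
```

Because state and nonce live in Session, the session cookie has to be sent on the cross-site POST from login.microsoftonline.com, which on current browsers means marking it SameSite=None; Secure.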