
I have a SaaS product, it has its own cloud-based authentication, and it is hosted in Azure. This works for most of my customers, but supposing a customer has their own on-prem AD - is it possible my SaaS product (cloud-hosted, external to the customer's network) can swap out my own authentication for the AD? What technologies/APIs are available to me for this?

Further Context

This is a Vue app (client-side) with a .NET back-end (.NET Core API in Azure).

I'm currently using Okta: I pass Okta data from a login form, and it returns a token.

If I could do a straight swap of Okta for AD instead, call off to the client's AD server, receive a token (on successful authentication), and then pass that token as part of every request as I do with Okta, that would be ideal.

What I've Tried

I know Okta itself has options for single sign-on with AD, but I don't see the need for Okta if it's only going to be used as a way of interfacing to my customer's AD server; I'd like to just go 'straight there' instead.

DanDev
  • Does the client also sync their on prem AD to Azure AD or is it only on prem? – vvvv4d Sep 03 '20 at 03:24
  • Authenticating against AD from .NET is [fairly straightforward](https://stackoverflow.com/questions/53707820/how-to-use-active-directory-authentication-in-asp-net-core). Yes, your app will have to change if you want to go 'straight there' but you seem to be willing to take that hit. – identigral Sep 04 '20 at 23:59
  • ...and of course, to go 'straight there' you'll need connectivity between your app deployed on Azure and on-premises AD. Lots of options there. [Hybrid](https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections) connections or [site-to-site connectivity with Functions](https://stackoverflow.com/questions/45095674/how-to-azure-function-configure-for-site-to-site-connectivity) are possible. Despite the documentation's disclaimer to the contrary, a Hybrid connection will work if you use LDAP over TCP, which implies avoiding queries on the root DSE in AD. – identigral Sep 07 '20 at 23:15
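The 'straight there' option the comments describe, verifying a user's credentials with a bind against the customer's AD from the .NET back-end, looks like this in `System.DirectoryServices.Protocols`. This is an added example, not code from the question, the comments or any linked page; the class name `OnPremAdAuthenticator`, the host `ad.customer.example` and the port are assumptions (with a Hybrid Connection the host/port would be whatever the relay endpoint forwards to). It binds over LDAPS only, because a simple bind sends the password to the directory, and it refuses empty passwords, since an LDAP simple bind with a name but no password is an unauthenticated bind that many servers accept without proving anything. On success the back-end would issue its own session token to the Vue client rather than forwarding anything from AD.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Hypothetical helper for the question's scenario (assumed name, not from the page).
public static class OnPremAdAuthenticator
{
    // Returns true only if the directory accepts a simple bind as this user.
    // ldapHost/port are assumed values; the password is used once for the bind and never stored.
    public static bool VerifyCredentials(string ldapHost, int ldapsPort, string userPrincipalName, string password)
    {
        // Guard against the LDAP "unauthenticated bind" (RFC 4513 s.5.1.2): a bind with a
        // DN/UPN but an empty password can succeed without checking any credential.
        if (string.IsNullOrEmpty(userPrincipalName) || string.IsNullOrEmpty(password))
        {
            return false;
        }

        var identifier = new LdapDirectoryIdentifier(
            ldapHost, ldapsPort, fullyQualifiedDnsHostName: true, connectionless: false);

        using var connection = new LdapConnection(identifier)
        {
            // Simple bind: only acceptable because SecureSocketLayer below wraps it in TLS.
            AuthType = AuthType.Basic,
            Timeout = TimeSpan.FromSeconds(10),
        };
        connection.SessionOptions.SecureSocketLayer = true; // LDAPS, so the password is not sent in clear
        connection.SessionOptions.ProtocolVersion = 3;

        try
        {
            // AD accepts the UPN (user@customer.example) as the bind identity for a simple bind.
            connection.Bind(new NetworkCredential(userPrincipalName, password));
            return true;
        }
        catch (LdapException)
        {
            // Invalid credentials, disabled/locked account, or directory unreachable:
            // all are reported as a plain failure so the caller cannot distinguish them.
            return false;
        }
    }
}

// Usage (assumed values):
//   bool ok = OnPremAdAuthenticator.VerifyCredentials(
//       "ad.customer.example", 636, "alice@customer.example", submittedPassword);
//   if (ok) { /* issue the SaaS's own session token to the client */ }
```

Two design points worth keeping: the bind is done as the user, not as a service account that then compares passwords, so no directory credential of the SaaS's own is needed for login; and because every login now carries a customer password through the SaaS, the customer's AD lockout policy applies to failed attempts, so the API should rate-limit its login endpoint to avoid turning a credential-stuffing run into a lockout of the customer's users.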

1 Answer


Okta is not required to do Azure AD authentication. I have successfully completed Azure AD single sign-on authentication using MSAL in Angular and Python.

Go to your portal.azure.com -> Azure Active Directory -> App Registration -> Select your app -> Quick Start -> Select programming language -> Click download the source code.

To understand the code, use this link https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-angular

As you mentioned, you have used on-premise code; use the same code for authentication. This tutorial below explains how to do authentication:

https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa
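For the .NET Core API side of the MSAL flow this answer describes, the back-end has to validate the Azure AD token the SPA attaches to every request. The following is an added example, not code from the answer or from the linked tutorials; it assumes .NET 6+ minimal hosting, the `Microsoft.Identity.Web` NuGet package, and an `AzureAd` configuration section whose `TenantId`/`ClientId` values are placeholders for the customer's tenant and this API's app registration.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

// Expected appsettings.json section (placeholder values, not real identifiers):
// "AzureAd": {
//   "Instance": "https://login.microsoftonline.com/",
//   "TenantId": "<customer-tenant-id>",
//   "ClientId": "<this-api-app-registration-client-id>"
// }
// Microsoft.Identity.Web reads the signing keys from the tenant's OpenID metadata and
// validates issuer, audience, signature and expiry on every bearer token.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Every endpoint that holds customer data requires a validated token; an unauthenticated
// request gets 401 before any handler code runs.
app.MapGet("/api/me", (ClaimsPrincipal user) =>
{
    // "preferred_username" is the UPN Azure AD puts in v2.0 access tokens;
    // "oid" is the stable object id to key customer records on (never the display name).
    var upn = user.FindFirst("preferred_username")?.Value;
    var oid = user.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
    return Results.Ok(new { upn, oid });
}).RequireAuthorization();

app.Run();
```

Pinning `TenantId` to one customer tenant means tokens from any other tenant fail issuer validation, which is the right default for a single-customer deployment; a multi-tenant SaaS that registers the app as multi-tenant must instead validate the issuer against the list of tenants it has actually onboarded, otherwise any Azure AD tenant in the world could mint a token the API accepts.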

Sathiamoorthy