2
votes

We want to create a MVC web application using claims-based authentication, expecting roles as one of the claims. We want to Federate authentication providers using the Azure Access Control Service to manage this federation. One of the authentication providers is our Azure AD.

The problem is that Azure AD doesn't seem to be able to generate role (or even group) claims. What is the appropriate method to manage group or role access in Azure AD and have role claims served by Azure Access Control Service.

Thanks.

Edit:

A previous comment asked for details: We want to provide access to our cloud application to 3rd parties using their active directory (to simplify user management for them). Our application has a few levels of access to information that the 3rd parties can configure. We were hoping they could do this in their AD (based on our instructions). Groups seemed like the obvious choice, but if there is another way that works, as long as we can provide instructions, it'll work.

We want our application to get claims for a user's level of access. If we had only one partner that was using Azure AD, we could use the graph API against that endpoint, but with multiple partners changing over time, we wanted to federate them so our application only needs to trust the federation server. We were assuming that we needed Azure ACS to manage the federation.

3
Obligatory reminder that ACS has been deprecated. – BenV

Thanks, didn't know that. If our application is expecting to consume claims from the STS including roles, we need to use ACS (or be resigned to using the non-standards compliant Graph API), correct? But, and I guess going back to the original question, how do you make the Azure AD play nice in any part of this chain? – No One

3 Answers

1
votes

AAD does support roles / groups and you can administer them from the Azure Portal.

However, these are not passed in the "canned" set of claims.

You need to use the Graph API and then convert them e.g. Windows Azure Active Directory: Converting group memberships to role claims.

Update:

ACS requires something to federate with. You can't hook a customer AD up to ACS - you need something like ADFS on top of their AD.

I assume your cloud app. runs in Azure?

Then make your app. multi-tenanted. If your customers have their own Azure tenant, it will work. You just need to add the Graph API code to your app. ACS is not required.

Your customers then run DirSync. This keeps their Azure tenant in sync with their AD changes.

So two options:

  • Customer does not have Azure tenant. They install ADFS and federate with AAD.

  • Customers who do have Azure tenant use DirSync.

1
votes

Good news: we have recently turned on the Application Roles and Groups Claim features in Azure AD.

Get a quick overview here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx

Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/

Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/

Hope that helps.

0
votes

Groups aren't the best choice because they are unique within each directory. Unless you get your customers to define a set of groups that have well-known names and match against the strings, that is (the object ID of a group is different per directory even if they have the same name). I'm actually from the Azure AD team and we are seriously considering releasing a feature to allow you to define roles in your app that your customers can assign their users to. Please stay tuned on this. In the meantime, unfortunately groups are the only way to go. You would have to call "GetMemberGroups" using the Graph to retrieve the groups that the user is assigned to.

What are your timelines for releasing this application? You can contact me directly to see if we can work with your scenario.
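The group-to-role conversion described in the first and third answers, as an added example that is not part of any answer above: the logic is language-neutral rather than the ASP.NET claims pipeline, the Graph response is a constructed stand-in for a getMemberGroups result, and the tenant ids, group object ids and role names are made up. It keys the mapping by tenant id because, as the third answer notes, the same group name has a different object id in every directory.

```python
import json

# Standard WS-Federation / .NET role claim type.
ROLE_CLAIM_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed per-tenant configuration: each partner tells us which of THEIR
# group object ids should grant which of OUR application roles. Object ids
# differ per directory even when the display name matches, so the map is
# keyed by the tenant id ('tid' claim), never by group name alone.
TENANT_ROLE_MAP = {
    "11111111-aaaa-4bbb-8ccc-000000000001": {            # partner A (made up)
        "3f2504e0-4f89-41d3-9a0c-0305e82c3301": "Reader",
        "3f2504e0-4f89-41d3-9a0c-0305e82c3302": "Editor",
    },
    "22222222-aaaa-4bbb-8ccc-000000000002": {            # partner B (made up)
        "7c9e6679-7425-40de-944b-e07fc1f90ae7": "Reader",
    },
}


def group_ids_from_response(body: str) -> list:
    """Extract group object ids from a getMemberGroups JSON body ({"value": [...]})."""
    return list(json.loads(body).get("value", []))


def roles_from_groups(tenant_id: str, member_group_ids, role_map=TENANT_ROLE_MAP) -> list:
    """Return the sorted, de-duplicated application roles for one user.

    Fails closed: an unknown tenant yields no roles, and group ids that are not
    in THAT tenant's map are ignored, so an id copied from another tenant's
    configuration grants nothing.
    """
    mapping = role_map.get(tenant_id, {})
    return sorted({mapping[g] for g in member_group_ids if g in mapping})


def role_claims(tenant_id: str, member_group_ids, role_map=TENANT_ROLE_MAP) -> list:
    """Build the (claim type, value) pairs to add to the user's principal."""
    return [(ROLE_CLAIM_TYPE, r) for r in roles_from_groups(tenant_id, member_group_ids, role_map)]


if __name__ == "__main__":
    # Constructed response for a partner A user who is in both mapped groups
    # plus one unmapped group.
    sample = json.dumps({"value": [
        "3f2504e0-4f89-41d3-9a0c-0305e82c3301",
        "3f2504e0-4f89-41d3-9a0c-0305e82c3302",
        "99999999-0000-4000-8000-000000000099",
    ]})
    print(role_claims("11111111-aaaa-4bbb-8ccc-000000000001", group_ids_from_response(sample)))
```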