Web application authenticating ADFS connected to Azure AD with the OAuth 2.0 authorization flow

1
votes

I must preface by stating that I am not an expert in Microsoft AD, Azure AD, and Office 365. I've read scores of Microsoft documentation, support and Stackoverflow posts and have not been able to find an answer to this specific question.

I have a web application that has an option for users "Sign in with Office365". This was implemented using Microsoft's ADAL library and the OAuth 2.0 authorization flow.

I have a customer who uses ADFS and Azure Active Directory together (Federated Identity in this document). They are federating their user's sign-ins with AD FS which delegates authentication to an on-premise server that validates user credentials which in turn allows their users to access Office365 and other cloud services.

Their on-premise AD syncs with Azure AD and does not sync passwords.

My question is two fold:

1) Will the standard implementation of OAuth 2.0 authorization flow work support this setup? Will Azure AD know to go to ADFS to do the authentication?

2) Is it possible to leverage Azure AD and the OAuth 2.0 authorization flow as an IDP proxy to ADFS?

1
azureazure-active-directoryadfsadal

1 Answers

1
votes

1) Will the standard implementation of OAuth 2.0 authorization flow work support this setup? Will Azure AD know to go to ADFS to do the authentication?

Yes this works very well, as long as you have setup the federation with a verified custom domain using Azure AD Connect (Federated Identity in this document). I have live examples of it with a web application that uses OAuth 2.0 Authorization flow (without requiring anything special from web application code/configuration standpoint).

Flow is that you go to the Microsoft login page first > on selecting the work/school account and specifying user name > you get the ADFS login page > after entering credentials here, it continues just like a normal Azure AD account would.

2) Is it possible to leverage Azure AD and the OAuth 2.0 authorization flow as an IDP proxy to ADFS?

In a way yes. Although it's not a regular Federation trust setup with certificates being exchanged, as you have to use AzureAD connect instead, like you mentioned in the link above (Federated Identity in this document).