I'm looking for solutions that could best address the following requirements.

  • We plan to develop a webapp and deploy it in the cloud.
  • Corporate users must be able to access the webapp from the enterprise network, where they're already connected to a corporate Active Directory, with an SSO mechanism (e.g. SAML, OAuth/OpenID Connect, WS-Fed, etc.). This is the "easy" part, as ADFS provides solutions for this.
  • Here is where it gets less obvious: The same users can be on the road, and still be able to connect to the same webapp.
  • When they're on the road, though, SSO is not mandatory: they could connect with other login credentials (e.g. via the webapp's own userid/password management system, or through a third-party identity provider). If there are solutions where they still could use their AD credentials from the outside of the company, this should be of course considered.
  • In any case, a user should get her/his same preferences, personal data, etc. in the webapp, independently of the way s/he logs in (i.e. from inside the company or when on the road).
  • If a user is de-provisioned from the AD, s/he must not be able to connect using the webapp's own login system or third-party identity provider. Same thing if her/his group memberships change: it must be taken into account in the webapp, whatever the login option used.

I understand there are many possible solutions (VPN connection, using Azure AD, etc.), but what would be the one(s) with the best combination of impacts on the present infrastructure, cost, user-friendliness, security, and availability?

Thanks!

Aleph
  • I'm wondering why you would use ADFS for an internal application with an internal AD? You could use SSPI with a standard 401 challenge to get SSO (Windows Authentication) for all domain-joined users and machines, and a user prompt if this is not possible. I'm asking because you might use the same solution for external access with some configuration and architecture design. I can update my answer below with details. – Marko Vodopija Apr 14 '17 at 07:50
  • We intend to deploy the application in the cloud: would SSPI work? – Aleph Apr 15 '17 at 13:57
  • For SSPI to work, host needs to be domain joined. – Marko Vodopija Apr 16 '17 at 12:21
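The requirements in the question boil down to one design rule: every login path (SSO from the corporate network, a local password on the road) must resolve to the same application account, and authorization must be derived from the directory's current state rather than from anything stored with the account. The following is an added example of that rule in Python; it is not code from the question or the answers. The directory contents, the claim name `oid`, the group names and the role mapping are all constructed assumptions standing in for what AD or Azure AD would actually return through an SSO assertion or a directory query.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed stand-in for the corporate directory: the answers AD (or Azure AD,
# via SSO claims or a directory query) would give for each user. Keys are
# directory object IDs; values carry the current enabled flag and group set.
DIRECTORY = {
    "S-1-5-21-1000": {"upn": "alice@corp.example", "enabled": True,
                      "groups": {"WebApp-Users", "Sales"}},
    "S-1-5-21-1001": {"upn": "bob@corp.example", "enabled": False,   # deprovisioned
                      "groups": {"WebApp-Users"}},
    "S-1-5-21-1002": {"upn": "carol@corp.example", "enabled": True,  # lost WebApp-Users
                      "groups": {"Engineering"}},
}

# Group -> application role (constructed). Roles are recomputed from current
# groups on every login, so a membership change in AD takes effect whichever
# login path the user takes.
ROLE_FOR_GROUP = {"WebApp-Users": "user", "Sales": "sales", "WebApp-Admins": "admin"}
BASE_ROLE = "user"   # role the user must hold to get in at all


@dataclass
class Account:
    """One application account per directory object, shared by all login paths."""
    directory_id: str                 # immutable link to the AD object (SID/objectGUID/oid)
    upn: str
    preferences: dict = field(default_factory=dict)
    password_salt: bytes = b""        # only populated if a local password was enrolled
    password_hash: bytes = b""


ACCOUNTS: dict[str, Account] = {}     # directory_id -> Account


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def get_or_create_account(directory_id: str, upn: str) -> Account:
    return ACCOUNTS.setdefault(directory_id, Account(directory_id, upn))


def enroll_local_password(directory_id: str, password: str) -> None:
    """Give a directory user a local password for use on the road."""
    entry = DIRECTORY[directory_id]
    acct = get_or_create_account(directory_id, entry["upn"])
    acct.password_salt = os.urandom(16)
    acct.password_hash = _hash_password(password, acct.password_salt)


def authorize(directory_id: str):
    """Common gate for every login path.

    Unknown or disabled directory object -> refused; roles are derived from the
    directory's current groups, never from anything cached in the account.
    Returns a session dict, or None if access is refused.
    """
    entry = DIRECTORY.get(directory_id)
    if entry is None or not entry["enabled"]:
        return None
    roles = {ROLE_FOR_GROUP[g] for g in entry["groups"] if g in ROLE_FOR_GROUP}
    if BASE_ROLE not in roles:
        return None
    acct = get_or_create_account(directory_id, entry["upn"])
    return {"upn": entry["upn"], "roles": roles, "preferences": acct.preferences}


def login_sso(claims: dict):
    """Inside-the-network path. `claims` is the SSO assertion, assumed to be
    already signature-checked by the SAML/OIDC library; we only need the
    directory object ID, assumed here to arrive in a claim named 'oid'."""
    return authorize(claims["oid"])


def login_local(upn: str, password: str):
    """On-the-road path: local password, still gated by the directory state."""
    acct = next((a for a in ACCOUNTS.values() if a.upn == upn), None)
    if acct is None or not acct.password_hash:
        return None
    if not hmac.compare_digest(_hash_password(password, acct.password_salt),
                               acct.password_hash):
        return None
    return authorize(acct.directory_id)


def demo() -> dict:
    """Walk through the question's requirements with the constructed directory."""
    enroll_local_password("S-1-5-21-1000", "alice-road-pw")
    enroll_local_password("S-1-5-21-1001", "bob-road-pw")
    enroll_local_password("S-1-5-21-1002", "carol-road-pw")
    sso = login_sso({"oid": "S-1-5-21-1000"})
    sso["preferences"]["theme"] = "dark"          # preference set during an SSO session
    local = login_local("alice@corp.example", "alice-road-pw")
    return {
        "alice_same_prefs": local["preferences"] is sso["preferences"],
        "alice_roles": local["roles"],
        "bob_deprovisioned": login_local("bob@corp.example", "bob-road-pw"),     # None
        "carol_lost_group": login_local("carol@corp.example", "carol-road-pw"),  # None
        "wrong_password": login_local("alice@corp.example", "nope"),             # None
    }


if __name__ == "__main__":
    print(demo())
```

The point of `authorize()` is that the local-password path never decides access on its own: a correct password for a disabled or de-grouped directory user still yields a refusal, and the preferences dict reached through either path is the same object. In a real deployment the same gate should also run on session revalidation (for example on every request after a short interval, or on a SCIM/directory-change notification), otherwise a user de-provisioned mid-session keeps access until the session expires.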

2 Answers


Sounds like a job for Azure AD Connect; then your app can authenticate against Azure AD regardless of where the user is (internal/external to the company's LAN). As long as they can reach your app they'd be able to log in with their credentials.

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect

chubbsondubs

If your users are using company-supplied (domain-joined) laptops when they are on the road, one option to consider besides Azure AD is DirectAccess. This solution will provide exactly the same user convenience as if they were inside your network while maintaining minimal impact on your architecture (you will not be publishing the app to the Internet directly). A thing to consider with this solution is that it would only work for domain-joined computers. Any other device, including phones and tablets, will not be able to access the application.

Marko Vodopija