How to integrate applications with Azure Active Directory


[MUSIC] Jeevan Desarda: Hello, everybody. I’m Jeevan Desarda, I’m a Program Manager in Azure Active Directory and my core role is integrating different side of SaaS applications with Azure Active Directory and helping our customers like you to configure and deploy the apps. Today we are going to look into integrating different SaaS applications with Azure AD and how do you do the application integration. With the full package in there, first we will look into the what application integration means then we will move to the SaaS application integration types. We will also look for the demo and then you as a customer can request an application into App Gallery. So, we’ll see how do you request that particular with us. And moving that to the line of business application and how do you use application proxy as a feature to integrate your line of business applications with Azure AD. You all know that Azure AD as the control plane and this particular diagram depicts some of your components of your infrastructure what you have today. On the bottom left side, you will see the on-premise infrastructure then there is a Windows Server Active Directory where you have Azure AD taking identities from your Windows Server Active Directory to Azure Active Directory. And then there are partners and customers who you have invited using B2B and direct federation and then with these particular identities there are also participating into your Azure Active Directory. On the right hand side, on the bottom, you are able to see there are different kind of devices your organization is using. You might have laptops, PCs, iPhones, and all sorts of devices which you want to control and you want to make sure that they are secure and only users with the right set of devices are able to access. On the top right corner, you are able to see there are a different set of SaaS applications you have and there a different set of the other clouds including like Google Cloud or other sort of clouds you have. So, Windows Azure Active Directory fits in the center and it acts as the control plane. So, now if you want to view this particular picture with the application lens then you are able to see there are a different set of applications today. You have line applications which are on-premise and generally these are deployed on your servers or sometimes even in Azure in the IaaS infrastructure. On the right side, you can see there are devices which are using these particular applications and along with that, there are different SaaS applications and cloud platforms your users are using. You want to control all of that, and you want to secure your infrastructure so that when your users are using all these type of applications you should be able to take a complete control of it and at the same time, you should be able to give an interface to a user where they can seamlessly use these applications. When we look at application integration overview, there are usually two types of applications which we are talking about. First, is a SaaS application and then next is line of business application. In the SaaS application today, you can see there are cloud hosted applications, there are server hosted applications. And we will go into the details a little bit later but most of these particular SaaS applications today do support some sort of federation or the token based authentications so we’ll talk a little bit later about that. When you have line of business applications, we talked on like generally they are on-premise, and they’re installed on the server but if you look at the authentication types of how they authenticate, then majorly you are able to see there are Windows integrated authentication or either they have basics or forms based authentication where user types use a name and password. Or they are like a header based authentication, so which actually gets the information from the header and then the authentication happens. And then there are token based applications. So, all these types of applications your organization generally has it. We have seen customers are using line of business applications and SaaS applications together in the organization. When we look at like how you integrate these type of applications, you will be able to see Azure Active Directory App Gallery is made for SaaS applications. That means any of these SaaS applications if you are using in the organization, you should be utilizing that from Azure Active Directory Application Gallery. And we’ll see what the Application Gallery means. Azure AD application proxy feature focuses on how do you integrate these particular Windows integrated auth or basic/forms based authentication or header based authentication. Azure Active Directory also has a feature called non-gallery application or sometimes called as custom applications. These can be used for token based authentication particularly when you are using SAML or WS-federation as a protocol. When we look at the example of cloud hosted application, then you can think about like Box, Workday, Concur, or DocuSign as an application. In these applications, you as a customer will get your particular specific instance of the application. But these applications are hosted on the cloud and they are managed by that particular vendor or the partner. In the server hosted type of applications, your application is being hosted inside of your organization most of the time or in some IaaS infrastructure. So, but these SaaS applications, if you look at Taleo, Atlassian JIRA, and cloud, they provide the distribute tables to you so that you can install that on your servers and then it will help you utilize these particular applications. They also have sometimes the cloud version offered. Like Taleo has cloud version and Taleo also has a server version. Atlassian JIRA & Confluence also has a similar model and you can think more about SharePoint as like a very classic example of this where you can install SharePoint on your on-premise server, also you can actually utilize Office 365 for it. So, these are the different set of applications. Generally, what we talked about as cloud hosted or server hosted, these SaaS applications does support the federation that’s why you can utilize them form the App Gallery. Although it is server hosted app, you are still able to utilize it. You are able to find these templates and then able to configure it for single sign-on. So, let’s talk about Azure Active Directory App Gallery in a little bit more details. So, what the App Gallery means, it’s basically a templatized version of the applications which we have. And there are 3,000+ pre-integrated applications we have into the Azure Active Directory App Gallery. For all the federated applications we do have produced the documentation for each and every application. So, there are step by step tutorials of a level you can go to aka.ms/appstutorial as particular short URL and you are able to see all the tutorials over there. As I said in the agenda, there’s a program which Microsoft runs through which you are able to request us the applications to be added into the gallery. And the link aka.ms/azureadapprequest will provide you all the information about how that program works. Today on Azure Active Directory as a platform, there are 37,000,000 monthly active users who are using different third party SaaS applications with us. This is like an active count and this is growing super-fast. Some of the major applications which are applications like Workday or you are able to see Cornerstone OnDemand or the productivity applications like Salesforce, Concur, and other applications, you can see these applications are growing super-fast. We have seen that if you are using any of these particular applications which are listed on here, I hope you should be able to integrate application with Azure Active Directory and utilize our platform. So, these are highly integrated applications and highly used applications on our platform. So, feel free to take advantage of that. When we talk about centralizing application management in Azure Active Directory, it’s not just about single sign-on and user provisioning. Means single sign-on has been known for years and we are doing this for so many years, like your on-premise infrastructure like ADFS something where it has been configured, but that’s what Azure Active Directory also does support. But along with that, the other benefits of integrating application in Azure AD is taking the benefit of automatic user provisioning and deprovisioning. That means Azure Active Directory team has written some of the connectors based on the schema based on the EPAs of that application, so that you are able to directly to connect those applications from Azure Active Directory and provision user identities and group objects into those applications. It is not about provisioning, you are able to deprovision these users immediately. And that’s the benefit that you get in user provisioning and deprovisioning. For all the accessing of the application, Azure Active Directory does provide access panel as the portal so that your users can login and are able to seamlessly access any type of application from there. You can manage the risk of your application with conditional access, you can create different conditional access policies which are particularly specifically targeted to different applications and then are able to give this conditional access and can manage the risk. There is also sign-in logs and audit logs and provisioning logs available into the portal, so whenever your compliance or audit comes, then you are able to utilize this information for that. You can enable governance on those particular applications and the one major thing is you can manage everything from the cloud. You do not have to go to the VPN and login into the server and then manage some sort of identity or application from there, you can centralize everything into Azure Active Directory. And the last and not the least is you are able to manage remote access to on-premise applications even. In this particular case, user will never be able to come to know that like what type of application it is like whether it’s a line of business application which is a hosted application or which is a cloud application and you are still able to seamlessly access those particular applications from one portal. So, that’s the best possible experience which Microsoft Azure Active Directory can give to you. When we talk about application integration, let’s see what it means. In this particular picture on the left side, you might see your current particular model. And here Jim Bob is a person who is a user of organization Contoso, and he is using three different types of application. He is using Salesforce for sales application, Workday as an HR application and ServiceNow as a ticketing application. But you are able to see that Jim Bob has different kinds of identities into all three different types of applications. So, here for Salesforce he’s using [email protected], whereas in Workday he’s using his username as jim.bob and for ServiceNow at [email protected] So, from the user perspective it’s very difficult to remember three different set of usernames and passwords. Most of the time we have seen users are using either the same password across applications or some sort of passwords across different applications. Also, organizations cannot control access to those particular identities into this different application because those are owned by that particular business division. What we wanted to achieve here is you want to use Microsoft Azure Active Directory as the control plane as we talked about and let the user provide abilities so that he is able to use or she is able to use only his particular identity. One identity across sort of applications. That means here in this particular example, you are able to see Jim Bob is using his particular [email protected] as an identity logging into Salesforce and Workday and ServiceNow. So, that means he does not have to remember multiple passwords but at the same time he is able to just click on a button and log into these different types of applications with one credential. And that’s the benefit that users get. From the identity management and security perspective, when you look at you are able to see that when the application is integrated into Azure Active Directory, then your identity team and security team can take a control of that application. That means if Jim Bob today moves from sales group to marketing group, he might need access to another marketing application and he doesn’t need access to the Salesforce application. So, you can easily be able to remove his access from one application and provide an access to another application. Even you can write an automation for that using Dynamic groups which is another feature of Azure Active Directory. So, that’s what we’ve really wanted to achieve by doing an application integration as a first step as single sign-on with this. When we say SaaS application integration and utilizing Azure Active Directory, there are three different types of integration which we can come up with. That means first is a federated single sign-on and you might already have heard about what the federated single sign-on means but basically it enables the single sign-on based on any these federation protocol. My closed up Azure Active Directory does support different types of federation protocol including SAML 2.0, WS-federation, and Open ID connect OAuth. So, these are some of the major protocols today which have been by used by different vendors and partners and most of the identity provider does support that. These applications can consume directly token from Azure Active Directory and seamlessly alert the user login into these applications. Note that here, we are assuming that the user identity is present into that particular application. The second set of application is password single sign-on. The password single sign-on means if the application does not support any of the federation protocol then you are able to protect the users username and password or what his particular credentials into Azure Active Directory using the browser plug-in. So, Microsoft Azure Active Directory does provide the plug-in for three major sort of browsers. You are able to see it for Firefox, for Internet Explorer, and for Chrome this plug-in available. So, your users can install this particular plug-in, login into Windows Azure Active Directory and through that, all these particular users credential for a website can be vaulted into Azure Active Directory. Note that your browser plug-in is not going to vault your credential but it will through this particular plug-in the credentials will get vaulted into Azure Active Directory. And the last type of single sign-on we support is linked single sign-on. Here most of you must be using some internet site or you are using SharePoint. In that particular case, you want to create a link which appears on the access panel as a tile and then once clicking on that it should just redirect the user to a specific page. And this is a very common scenario which we have seen for SharePoint business sites or your internet sites and all that. So, in that particular case, you can use linked single sign-on. This is very similar to your favorite into any of the browser. That means you can just store a link for a particular page and you can make that as a tile into Azure Active Directory, and that’s called linked single sign-on. We talked about Azure Active Directory App Gallery. So, what the App Gallery means again is it’s inside the product we have built this particular experience for our mutual customers. So, this is a common space for all our mutual customers who are able to see it. When you go to the Azure Active Directory and enterprise application and you want to add any of the new application over there, you are able to see this particular experience where you are able to find any of the application. So, Azure Active Directory App Gallery provides all sorts of templates for all the applications. And as I said, we have 3,000+ particular applications and we are adding at least 30 applications a month, so we are going super-fast and you are able to find whatever application you need. All these applications do support different types of protocol like SAML, WS-Federation, or Open ID Connect OAuth for particular protocol. When you search for an application and select that application, you are able to see what type of single sign-on is supported for that particular app. Also, the page will show you the link of the tutorial so that before adding the application from the gallery, you can view that public documentation for that particular app integration. Along with that, we do have a custom app or a non-gallery application template. So, that means if you have any of the line of business application which has been developed using SAML 2.0 or WS-Federation as a protocol, then you are able to utilize this particular template. But note that you will require Azure AD Premium One license to use this particular feature. For line of business applications also we do have a separate tile called on-premise applications, so if you click on that then you can enable application proxy from here. We will talk an application proxy a little bit later but this is the experience from where you are able to add that. One more thing to note, most of these particular applications along with federation does support password single sign-on and linked single sign-on. That means once you add the application then you can decide what type of single sign-on you want to achieve with that application. Let’s deep dive more on the application side and particularly SaaS applications added from the App Gallery. In this particular thing you are able to see on the left side, this is the new experience which we have come up for SAML based single sign-on. We have seen a lot of these particular SaaS applications are suing SAML based federation or WS-Federation. So, that’s when you add the app and when you configure it for SAML based single sign-on, you will see this is the new experience for it. This is workflow which is more based on the steps so like 1, 2, 3, 4, so we will tell you like okay, you have to first configure the URLs for the application as a I said, you get your particular instance of the application for those cloud applications and you are able to configure those URL there. In the second set, you are able to configure the required claims for the application. Note that now whenever you are adding a new application from the gallery and if the application requires a custom set of claims, then you will automatically get those particular claims when you add the application. We will add the default values for it so you should ideally really view that particular claims mapping and change it if you need it. So, if you’re in this particular example, you can see the unique user identifier, it’s also called as name identifier in SAML specification is maped to userprincipalname but if you want to change that to an on-premise co-name then you can just click on the edit then you are able to change that. Also, now you are able to change the name ID format so there are different formats the specification talks about and there is a drop down for it too. I’ll show you this particular thing in the demo also. Azure Active Directory does support specific name ID format. You can set that and use that in your application. We have also now added extension attributes and directory extension as Name Identifier. Those who don’t know about what’s the extension attributes and directory extension means, I’ll just give a short one minute summary of it. Extension attribute are basically 1-15 are the placeholders which we have given you which you are able to utilize it from your Azure AD Connect. So, these are the exchange attributes basically and these are the 15 placeholders we have given you, so you are able to sync any of your on-premise Active Directory schema value into those extension attributes and sync that into that cloud and that’s how these particular values will be available into Azure Active Directory. Previously, very good example of that, previously we were not having employee ID as a first class attribute in Azure ID and that’s where a lot of our customers used to think that employee ID as an attribute from Azure AD Connect to an extension attribute through 1-15. You can use any of that and just able to sync it. And that will be available into the cloud. And then you are able to utilize that value as a name identifier value to send it to application. Similarly, we have directory extensions. Directory extensions are a little different than extensions attributes. So, we have seen that customers have varied schema on-premise AD so that if you have like your on-premise AD customized for a different user schemas, then you are able to sync those particular attributes into these directory extensions in Azure AD Connect. So, you need to enable this particular feature first in Azure AD Connect and then you’re able to sync those particular directory extensions in Azure AD through Azure AD Connect. These particular extensions generally appear like extension underscore, some particular alpha numeric value which is a GU ID number and underscore actually your attribute name. Here it can be like _employee ID or cost center or something on which one you want to sync it from your on-premise to Azure Active Directory. So, this is the facility of the new features which we have added. We have also done prefilling of value for the URL. So, for some for the applications when we note that the URLs are fixed, so think about Dropbox as an application which has a specific entity ID as Dropbox, we know about that so if you added that application you will see that the values pre-fill for you. Once you have that add the application you just need to lick on the save button because we will pre-fill that value for you into a correct box. You are also now able to download the different certificate formats including federation metadata XML file or the certificate and you are able to download them and give it to your vendor. There are two new cool features we have added which you can see we have [UNINTELLIGIBLE] them which is called one click single sign-on. Basically, it uses the form scripting technology and the problem with what we have seen is majorly IT administrators are configuring all of these applications in Azure Active Directory and most of the time on the application side also. But they don’t know anything about how you configure the application on the application side. And that’s the major problem. If they want to do that, they have to read the entire article which we have published on the internet and then just follow the steps along. There are some applications which has a huge amount of steps like look at ServiceNow or Amazon Web Services, it’s like 30 steps article where you need to follow the steps one by one. And if you miss any of these steps, then you’re not able to configure the single sign-on successfully. That’s why we came up with one click single sign-on. The one click sign-on functionality provides you an ability where you just click on a button and once you login into that particular application, we will automatically configure the single sign-on for you with your with your particular tenant specific values. So, that simplifies your configuration experience. You don’t have to learn what these particular values and where it goes. And as we know already this particular navigation and fields, so we can autofill those values for you. And I’ll show you that experience in my demo too. Along with that, we have a test functionality. The test functionality gives you an ability where you are able to test that application yourself through your browser and you are able to capture the SAML request and response. You’re also able to see the SAML response which has different values or the token values like name identifier, certificate details, and the claim values. So, if you face any kind of errors into the integration, the test functionality will detect that and will tell you more about that particular error message. At the same time, it will also tell you what’s the fix for it. There will be a button called fix button, particularly will appear on the page and by clicking on that, it will automatically fix the error for you. Note that for both these functionalities like like one click single sign-on and test functionality, you need to install my secure extension browser plug-in in your browser. So, if it has not been installed, it will instruct you and give you a direct URL through which you are able to download and install this particular extension in your browser. And you need to login into that particular extension with your Azure Active Directory credentials and then you are able to utilize these two features. So, I suggest highly try this out. It is an https://aad.portal.azure.com. This is the URL and when you add the application, you are able to utilize all these features. The next set of applications which you are able to see from the App Gallery is about the consent or Open ID Connect OAuth based application. So, for these particular set of applications, you’ll see that there is no sale button over there or add button over there but there is a link given for sign up. Ideally, we expect that when you search for an application and there’s no add button there will be a sign up link given. So, by clicking on that particular link, it will take you to the page where you are able to login and provide a consent to the application. Now we will see what the consent means. Basically, Open ID Connect is another federation protocol which has been used. And in Open ID Connect OAuth along with authentication it also talks about authorization. Authorization means different set of permissions, that application needs from your particular directory. You are able to see that if you’re using your mobile applications or if you go to the Apple store of the Google Android Play store, you are downloading applications and it will ask about do you want to give access to camera or contact or something like that, it’s a very similar kind of experience we have. We call this particular experience called consent to an application. This will show which particular application it’s trying to access your Azure Active Directory and what permission it needs to log in with your credentials. This particular permissions box has been shown over there if you look at the second picture in that particular slide, it is asking for sign-in and read user profile. This is a very common permission most of the applications are using. That means the application wants to read your user profile from your token and that means its basic information like your first name, last name, your name, your email address, and your UPN value. So, that’s like a basic set of information. If you accept this then click on the accept button and the application will get automatically added into your enterprise application and from that point onwards you are just able to manage that application. The box which has been shown over here it’s consent on behalf of your organization is only visible for administrators. That means if you are a global administrator of your Azure Active Directory and providing a consent to the application, then at that time, you can say consent on behalf of your organization. So, think about the scenario where you are deploying this particular application for thousands of users in your organization, you do not want users to see this particular screen and everybody to click on that accept button because half of the people might not know what it means and they might call your help desk or support desk and ask about this. So, this is ideal condition where you can check this box say consent on behalf of my organization and accept it. That way you are providing a consent on behalf of all your users into the organization. And they are not able to see this particular screen and they are directly able to log into your application. Enterprise application has an audit log into which if you look at the activity as consented applications, then you are able to see different consented applications which have been used in your organization. The 30 day report over here shows that different applications which my users have consented to and the list appears over there. From that point onwards, you are able to manage these applications into your enterprise application page. Manage means you can provide a set of users and groups access to that application, you can enable conditional access policies to these applications, and so on and so forth, like multi-factor authentication or device based conditional access policies. But that’s how you should be using Open ID Connect OAuth applications from our App Gallery. Sometimes you’ll see that the application is not in the gallery but somebody just consented for an application, those will also appear into your enterprise application page. So, one of my requests to all IT administrators and all the IM and security team is keep an eye on this particular audit log and that will tell you which of the different applications has been added into your organization so that you can take control on that. Let’s go and deep dive into the demo now. The first thing you have to do is log into the Azure management portal. And if you do not know about the short URL then I suggest that you should be using aad.portal.azure.com. With this particular URL when you log in you are able to see only the short particular or any a small set of navigation on the left. That means if you’re using day in and day out, the Azure Active Directory only in Azure management portal, then you should be using this URL. As I said, the simple is aad.portal.azure.com and you log in with your credentials. And you are able to see the screen. Enterprise application option is also being shown on the left so I click on that and I’m directly logged in and I’m able to see all applications which have been configured for single sign-on. All these applications I am able to manage from this page. Also, I am able to search more particular applications by putting a value over here, I am just able to see. Okay, so this is my Samanage application which I have over here. Or if you want to see a more set of application then there is a load more button at the bottom. You can just click on that and you are able to see a laundry list of all your applications which you have configured for single sign-on and user provisioning. You are able to add new application by clicking on this particular button. So, when I click on new application over here, it actually takes me to the experience of the Azure Active Directory App Gallery. So, here you are able to see there are 3,200+ applications available into the App Gallery and I am able to search any application from this particular search box. So, I’m going to search for Salesforce over here and you are able to see there are two different Salesforces applications we have. When I click on the application, the application shows the different single sign-on modes available for that particular application. Also, it provides me the link for documentation. So, I click on this particular link and it takes me to that particular specific documentation. All these particular documentations are published in different locale. So, based on the browser locale it will render the particular article. So, I have said this is English so that’s why it’s available right now in English. But this particular article provides me all the configuration details which have to do for that app in Azure Active Directory and also it provides me the steps on the application side. That means how do I configure the single sign-on in Salesforce application? That’s also been shown over here. You just need to follow this particular tutorial step by step to make sure that you are able to configure single sign-on and test it out. There are 1,000+ articles over here on the left hand side so the easiest way on this page if you want to do it is just search for different articles and then you are able to find that particular articles. So, here I’m typing about DocuSign and you are able to see DocuSign has been supported with single sign-on and also with user provisioning. So, clicking on that particular link takes you to that particular page where it shows the how do you configure single sign-on with DocuSign. If you want to see all the articles which we have then I suggest to use aka.ms/appstutorial as a short link so that you are able to see the entire set of applications of the index page where we have given the quick links, you are able to search it and all the one click single sign-on supported applications. So that way you can easily find your application and read about how do you configure single sign-on and user provisioning for those applications. Let’s go back to the application App Gallery over here. As I said, if you cannot find any of the application into the App Gallery, it will show you a message like click here to request the application to be added into the gallery. So, this is another program which we talked about where if you cannot find the app you can request, you as a customer can request an application to be added into the App Gallery. We also talked about the non-gallery application template or the custom application which supports SAML based single sign-on and automatic user provisioning with SCIM along with password single sign-on. So, that means if you are configuring any of your line of business applications which support SAML or WS-Federation as a federation protocol then you are able to utilize this template. We highly recommend that you do not use this template for different SaaS applications and the reason for that is once we enable user provisioning for an app, you are not able to utilize that. You might be able to configure single sign-on with it but you’re not able to leverage the user provisioning features which we publish for that app. If you added the application from the gallery, then you will be able to get an ability to do single sign-on and user provisioning with that particular application. So, let’s see DocuSign over here. So, I search for DocuSign, I am able to find that particular app and now before adding, I am able to change the app name or even after adding you are able to change the name of the application and also the icon associated with that application. DocuSign in Contoso organization might be considered as e-sign application or e-signing application or Contoso. So, I can rename that to Contoso e-signing or document signing or whatever the way I want. Once you add the application, you will be adding the template of that particular application into your tenant or into your Azure Active Directory. For now I’m not going to add that, I’ve already added DocuSign as an application so let’s look for that application into enterprise application. So, I’m searching for my DocuSign application and I do get that, so I click on that DocuSign application and it goes to the single sign-on page. So, once you click on the single sign-on, first thing you will notice is that it will give you this page where it says this application does support SAML based single sign-on, password single sign-on and linked single sign-on. Disabled is the default mode that means you’re disabling the single sign-on. But now if you want to enable single sign-on, the reach and secure authentication experience that you get is with SAML based or any of the token based federation single sign-on. So, let’s click on that and then it will take you to the page where you are able to configure this particular app. There is also a configuration guide link given for which you are able to read the documentation for that specific app. So, it’s also available here. The first thing that you need to do is configure the URLs. When you click on the edit button of that, some of these URLs will be auto populated sometimes but otherwise you will be able to see different patterns which we support for that application. In case of DocuSign edit first you need to just add your organization specific URLs which I’ve done it over here and once I do that then I am able to go into the user attributes and claims. If you do not know then right now you can just populate the URLs as a dummy URL set of URLs you want. And then just look at the claims. The claims information is the different set of values which you’re sending into the token. That means what kind of information you want to send from you Azure Active Directory to that particular SaaS application. So, here Azure Active Directory by default gives certain set of claims information that means it’s given name, surname, and email address are default claims. Along with the name identified. So, as I said, in Azure Active Directory we call this as unique user identified and name ID. And right now, the value which is being populated for that is user principal name. So, as I talked in the previous slide, so Azure Active Directory does provide different formats of the name identifier. So, these formats are here so you are able to see email address, persistent and specified and Windows domain qualified name are the different formats which Azure Active Directory does support. Transient is not been given specifically because it’s a transient value so if applications request for transient then we will provide that particular format and the associated value with it. The default is the default setting so that means if you have not set anything, keep it the default and based on the request we will evaluate and resend the value back. There is one more feature which we recently enabled called claim conditions and what it means is basically you can actually do a conditional claim evaluation in this particular user experience. You are able to in the previous world, you might have seen the conditions where if the user belongs to sales group then I want to send sales as a value. So, basically, if it is a condition where you are checking the users membership and based on the membership you are sending some sort of values in the token. This is what Azure Active Directory does support, and you are able to say that if it’s any user which is part of my particular suppose here I’m seeing finance group. I’m selecting that and then I want to send the fixed value as finance over here so I can type that directly and I can select it from the dropdown. And then I can say this particular value again if the user belongs to any of the HR particular group then send the attribute as HR. So, basically what it does is it actually sequentially checks those particular things in order so if the first condition has been meet then it will not go to the second condition. But if the first condition isn’t met then it goes to the second condition like that. And it goes evaluating multiple conditions on the fly. Here I have right now chosen the fixed values but you are able to choose any of the dropdown values also or you are able to apply transformations. But this is what the ability which we have recently come up with and that’s available for name identifier and all other claims also. I’m not going to save this, so I’ll just say discard right now. And going back to the user attributes and claims. If you want to add a new claim then you are able to add it from here. So, you are just able to give the claim name, suppose organization ID I want to provide, and I can just see source attribute I want to give it some of my name or I am also able to type in again the fixed value over here. I can also use the claim conditions over here. In the transformations, we have recently come with the multiple set of transformations. If you have not looked at this, then I highly recommend you look at this. And this will help you to build if and else sort of conditions in the claim. So, you can say if this particular value is a user or department I’m just selecting, if empty, that means if user.department is empty then provide this kind of value, which might be just ID, for an example. I’m just taking this as an example value here, but here you are able to add different set of conditions and it will show you at the bottom like what condition you are evaluating. You can also add else condition over here. So, if user.department is blank then have IT or if there is no output on that then provide else something like that. And you are able to use these particular conditions for your claims. Let’s quickly go back and now we will focus on the different notifications. So, every application which you’re able to add from Azure Active Directory, you are able to see there is a three year valid expiry online certificate created for every application. That means for every customer or every Azure Active Directory tenant, every application which is enabled for SAML single sign-on has three years valid expiry online certificate attached to it. You are able to configure different notification email address over here, we highly recommend that you configure the distribution list so that multiple users can get a notification. All these notifications goes 60 days before the certification expiry, 30 days, and 7 days before the certificate expiry. That means you’ll be receiving three notifications from Azure Active Directory that will tell that you certificate is going to expire and you need to rotate the certificate. You are able to click on the new certificate and create a new certificate for it or you can also import a certificate. Note that while importing the certificate, you need to enter your PFX password because you will be managing the security of that particular certificate and not Microsoft Azure Active Directory. That’s how the difference is. Or if you have a scenario where you have multiple applications, one to use the same certificate then we suggest to use import certificate upload share. As I said, I’ll promise I’ll show you the DocuSign single sign-on, the one click single sign-on functionality but note that for this particular thing to enable, you need to have my app secure sign-in browser extension plug-in. If this plug-in is already installed, you’ll see a message. If it is not installed, then it will provide you a link for which you are able to go to the browser marketplace and are able to add and sign-in with that. So, here in this particular scenario, you are able to see I am already logged in with my organization credentials and now I am able to click on set up DocuSign. With this, when I click on the set-up DocuSign, it shows the thing that you want to save this particular certificate. I’m clicking on the save button and I’m downloading this particular certificate. I’ve downloaded the certificate and now the box appears at the top saying that confirm that you have the SAML certificate you have downloaded. As I click on the OK because yes I have downloaded already, and now it is asking me saying that login into DocuSign with your admin credentials. So, I put my username and this is my password, so I’m logging in the DocuSign with my admin credentials. And the next thing that happens is it is telling me saying that Azure Active Directory can autofill all the values for you and enable single sign-on for your enterprise, do you want to proceed? I’m going to click on the yes button and you are able to watch seeing that this actually opens up the page automatically, fills out the values and you are able to map this identity provider issuer URL, login URL, and logout URL, all of those are populated based on my tenant. So, here if you look at the login URL which starts with some 4F7, so here all those values are correctly populated, options are correctly selected, and then there is also a certificate which is attached. You can add a certificate manually if you want and map that particular certificate to your identity provider. Note that you are able to save this configuration right now but you are able to edit this configuration at any point in time. Here right now I’ve mapped email address to my particular attribute so that the user mapping can happen. But if you want to have a different kind of mapping, you can just save it and then edit this configuration. Basically, we provide the default mapping for you but you are able to customize that at any point of time. Right now, I’m just clicking on the okay button and you are able to see the configuration has been saved and then next thing that happens is it automatically switch back to my Azure Active Directory portal. So, it gives me a message saying that autoconfiguration is complete and I am able to now test the single sign-on experience. So, the one click single sign-on as I said gives you ability to do this automatically configuring single sign-on for that app. Today, we have like 50+ applications, we are looking towards hundreds of applications like this through which you are able to do this one click single sign-on. And if the application is enabled for one click single sign-on, you are able to see that button up here and go here. Let’s do the test single sign-on experience what it means. When you click on the test it provides you saying that now you are able to do a test with DocuSign. There are two options, sign-in as current user and sign-in as someone else. That means I am able to sign-in into DocuSign as my current user and I am able to test this single sign-on. So, let’s first do a sign out so when I click on okay to automatically sign me out from that, and let’s go back to Azure Active Directory and now clicking on the sign-in as current user what happens is basically it performs the SAML request and response are getting generated and it actually captures all these particular token values. So, here you are able to see that the token signing certificate details have been given. These are the different claims which have been issued in my token and this is what the name identified format and the value looks like. So, this is the ability which you are able to get, this will help you troubleshoot your particular single sign-on and look at like how the single sign-on is working. If you face an error you are able to see an option over here which auto populates the error message and says this is the remediation for that and by clicking on the fix button, it automatically fixes it. You can also click on sign-in as someone else which will prompt for credentials on the Azure Active Directory so you are able to sign this will somebody else and basically able to capture these particular token values here. That’s how you should be using the test experience. There are also options for conditional access over here so you are able to configure the new conditional access policy for any app. One of the important things to remember that whenever you are adding a new application from the gallery, you will be able to change the name, you can update the icons for it. But another feature is user assignment required. By default, this is set to yes for every gallery application. That means whenever you are adding an application from the gallery, you need to assign that particular application to specific set of users and groups. We start with the concept of security where the minimum access first and that’s where the user assignment required is set to true. You can go to users and groups and add different users and groups by clicking on the add user button and then you can assign that particular user and group for that particular application. That way only those set of users and the group members are able to access the application. If you want to look into the logs, you can look at the activity and see the sign-in logs and also look at the audit logs as needed. There is also a deployment plan available which you are able to download for an application and able to use it as you need it. The next set of application what we would like to see is consent based application which we talked about it so let’s search for an application called Livebooklet or Simplebooklet and you are able to see there is no add button over here but there’s a sign-up link available. So, either you are able to click on this particular link or you can go to that particular application directly and click on the login button. Most of the time you are able to see the login with Office 365 or login with Microsoft as a button so your users can directly go to those websites and click on the login with microsoft.office365 as a button and what it does basically it prompts you for authentication and you are able to see in the request it’s an OAuth based application and it’s making OAuth request. So, I select my particular application and with that, it’s now calling me for an MFA so I can select my MFA and after that it will prompt me for an authentication. So, either I can use my authenticator app to approve the request or I can do it an extra call as needed. But once you do this particular it will prompt you for the consent permission as I’ve shown in this particular slide and then once you provide a consent to the application, the application automatically gets added into your Azure Active Directory. So, right now I’m not going to do this. Or let me try with another application might be. Okay. So, here you are able to see I’ve tried with another set of credentials and you are able to see Simplebooklet is an application which is trying to sign you in and read your profile. This is the basic permission. If I click on the accept button basically I am directly able to login into that application. Right now, you have seen that it doesn’t show me the other box consent on behalf of and that’s because I’m not an administrator. But here I can simply start using this application and I am able to get a seamless single sign-on along with Open ID OAuth application. So, basically first I’m going to use it only prompts for me and consent and then then next time if I go and log into that application with my credential, it doesn’t show me that particular consent screen and I am simply able to login into that application. So, that’s what the experience looks like. One more thing which we talked about is the audit logs and as I said on the audit logs if you look at the activity consent to an application, that shows the option where the different set of consent application have been added into your tenant. So, when you click on this consent to an application, it will filter down all the audit logs to show only that particular activity. So, you should be doing this on a monthly basis so that you are able to see different set of applications which has been added into your tenant in the last one month. Let’s go back to our slides again one more time. And then we will proceed further. One of the common questions which we always get from all of our customers is about there are different set of options for the application in Azure Active Directory. One is application registration, another is enterprise application. So, let’s clarify what are the use cases for these two different set of features. Application registration is for your developers who are developing applications inside your organization or there is a partner who is developing applications for you. It uses Open ID Connect OAuth based application. There is no claim configuration UI available below there but we recommend that you should be using Microsoft Graph for different set of information if you need. Versus the enterprise application is more for SaaS applications where you can provide a consent to an application, you are able to add SAML application and configure it for single sign-on or use it for user provisioning. You are able to restrict access, you can apply different conditional access policies to it, and you are able to see the reporting sign-in logs and audit logs. We know that these two options today confuse our customers and that’s where we have a plan to merge these two options into one so that we can provide one consolidated view. But that’s something still in the future. As I explained there is a program that Microsoft runs called Application Integration Program for our customers where you as a customer can request different applications into the App Gallery. So, our Customer Integration Team actually received these particular requests and work with those particular vendors to get them added into the App Gallery after we test these applications. And once the application is available into the gallery, then you are able to utilize the single sign-on and user provisioning feature associated with that particular app. There’s a publicly documented process for it so just click on the link aka.ms/azureadapprequest and use Microsoft application network portal for it for ISVs and customers where you are able to submit and track this request. The short URL for that is aka.ms/azureadlistyourapp. The Microsoft application network portal experience looks like this where once you login into the portal, you as a customer are able to click on the links see submit request by customers and you can submit a new request over here. Remember that please provide us your partner or the vendor related information so that we can work closely with them and get them added into the App Gallery. If you are directly suggesting your ISVs or partners or vendors or you are a partner or a vendor who has developed a SaaS application, then you can directly submit the request with us in this portal saying submit request by ISVs. And just clicking on the list application into the gallery button, it will start the workflow for you where you have to answer a few of the questions and then you can submit the request with us. The next set of things which we talked about is how do you integrate the line of business application with the application proxy. So, we have seen application proxy as a feature available into the App Gallery where you are able to add the application. But once you start adding the application, the first thing which will happen is about, it will show you a link to download the connectors. So, if you look at the picture and details over here, you are able to see there is an on-premise infrastructure you have where different applications are running. We have taken example as http://sales as an application. So, it’s a sales application which has been hosted on-premise. We recommend that you download our connector from our application proxy page and once you install that particular connecter on your on-premise infrastructure then it will start making an outbound connection to Azure Active Directory. And with that, you do not have to poke holes into your DMZ or any of your security devices because all these connecters are making the outbound request. With this particular application configuration, you are able to configure your internal URL and we will generate the external URL for it. This external URL can also be rebranded based on your organization. So, for this example over here, we can see over here it’s http.sales.contoso.com. So, that means we have rebranded this particular URL which is specific to the organization. With that, user can directly do a pre-authentication before going to that particular application. Pre-authentication means user can actually do Azure AD authentication and once he does the Azure Active Directory authentication, our connecter actually converts that particular token into a Kerberos token and present to the application. So, this is called Kerberos constrain delegation. In this particular scenario, if the application supports Windows Integrated Auth and supports Kerberos particular token then that is directly presented by our connector. And with that, the user is seamlessly able to login into that application. That’s how they get the seamless single sign-on experience. If the application support the simple form space authentication or basic authentication, they’ll be seeing the username and passwords. And one page for you as a customer over here is you can apply different conditional access policies and look at the sign in logs and audit logs for those applications so that you are able to easily secure your on-premise applications with Azure Active Directory. We do have certain features in application proxy like you can translate the URLs and headers and translate the URLs into the body but those are some of these features required for header based applications. And in the last like if you look at the user journey, from the perspective of a user, they are able to login into the access panel for myapps.microsoft.com. and all these particular applications which are assigned to the user have been presented on that particular page. I, as a user, don’t have to worry about whether this is a SaaS application or line of business application, by clicking on that particular, any of these particular tiles will provide the seamless single sign-on experience for a user. And the user is able to login into that particular application directly. Along with that, access panel does provide another ability where I’m able to change my password, I can register for self-service password reset. If I’m associated with other different organizations participating in the B2B or business to business as a guest, then I am able to sign-in and leave those organizations based on GDPR compliance. All that goodness is there in the access panel so we highly recommend that you in your organization should be using myapps.microsoft.com or access panel so that you are able to provide a seamless experience for all your users to use these applications. Check out our awesome resources for this particular Azure AD blogpost. We have request to your new applications and tutorials, so all these particular links are given. Feel free to click on it and then you are able to explore all our resources. Thanks for being with us. This is a great experience. Thank you. [MUSIC]

Leave a Reply

Your email address will not be published. Required fields are marked *