Azure Active Directory (Azure AD) is a cloud-based identity as a service (IDaaS) solution. It is a secure online repository for user profiles and groups of user profiles. Azure AD is designed to manage access to cloud-based applications and servers using modern authentication protocols such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation.
Azure AD Single Sign-On (SSO) is an Azure AD feature that allows users to conveniently log into SaaS applications. It gives each user access to the full suite of applications they need, without needing to log into each individual application. Azure AD creates an access token that is stored locally on the employee’s device. These tokens can be configured to expire after a certain period. To further enhance security, Azure AD can also enforce multi-factor authentication (MFA).
In this article:
Consider a user who wants to access a business application deployed on-premises via Azure AD. The company has both locally-deployed Microsoft Active Directory and Azure AD. It has created a hybrid setup by enabling Azure AD Seamless SSO via Azure AD Connect.
The following diagram illustrates how SSO would work in this hybrid scenario.
Hybrid SSO authentication process:
Related content: Read our guide to SSO authentication
Several methods can be used to configure applications for SSO. The chosen SSO method will depend on the specific application’s authentication configuration.
For example, a cloud application might use OAuth, OpenID Connect (OIDC), or SAML to enable authentication, with single sign-on enabled or disabled. An application hosted on-premises might use a header- or password-based authentication method, IWA SSO, or linked SSO. The on-premise options require configuring the application for Azure Application Proxy.
Various authentication protocols can support SSO in Azure AD:
See how Azure AD compares to other Single Sign-on solutions and SSO providers
Here are the steps involved in setting up SSO in Azure AD.
Several prerequisites must be in place to support SSO. Before configuring single sign-on:
This step involves enabling seamless SSO via Azure AD Connect. If freshly installing Azure AD Connect, select the custom installation option. Select Enable single sign-on on the User sign-in page.
If Azure AD Connect is already installed, go to Change user sign-in in Azure AD Connect and choose Next. The default selection is Enable single sign-on for versions 1.1.880.0 and up of Azure AD Connect. For older Azure AD Connect versions, it is necessary to select this option explicitly.
Follow the configuration wizard to the Enable single sign-on page. Specify the domain admin credentials for every Active Directory forest that syncs to Azure AD via Azure AD Connect or requires seamless SSO. Once the wizard finishes, it will enable seamless SSO on the tenant.
Use the following steps to verify that seamless SSO is working correctly:
1. Go to the Azure AD admin center, using the global admin credentials for the tenant to sign in.
2. Choose the Azure Active Directory option on the left.
3. Choose Azure AD Connect.
4. Check the Seamless single sign-on field to ensure the feature is marked Enabled.
Frontegg can help enforcing complex SSO flows with native integration of Azure AD using SAML. While it was previously required to configure Azure AD SSO manually by using the Azure AD SAML Toolkit, Frontegg makes the whole process self-served. You’re good to go with just a few clicks. Mapping Active Directory (AD) groups and assigning them granular permissions as per your specific roles is also extremely easy. Multiple use cases? No problem. Frontegg is also multi-tenant by design. User management was never more easier.
Start For Free