Can we use Microsoft Azure AD as our identity provider in an identity federation?
We outline the key reasons that make it tricky to use Microsoft Azure AD as an identity provider in an identity federation and some of the solutions.
The short answer is ‘no’ for most identity federations, but there are solutions to use Azure as your primary identity provider for federated access to resources.
Single sign-on systems such as Microsoft Azure AD can handle bilateral connections with a service provider. So why can’t they be used as an organization’s default identity provider in an identity federation?
Some identity federations require registering organizations (ie. your institution) to own or have permission to use the domain in the entityID. But Microsoft Azure entityIDs are in the windows.net domain, so you need permission from Microsoft to use their domain name.
Azure AD only supports bilateral SAML connections which means it is not scalable for federated single sign-on.
- Connectivity. Unable to consume multi-lateral federation metadata.
- Access. Does not support privacy preserving attributes eg. eduPersonUniqueId. Also, some vendors still require identity providers to release the deprecated which Azure does not support.
- Security. Does not support SAML encryption and signature verification by default.
- Potential vendor lock-in. Microsoft do not allow you to configure the entityID.
Personally Identifiable Information (PII) is released by default, but you can turn this off.
How to connect your Azure directory to an identity federation
The simple solution to using your existing Azure AD is to connect with a SAML Identity Provider proxy such as OpenAthens hosted Identity Provider service, your Shibboleth Identity Provider or other proxy service. This will give your end users a full single sign-on experience.
Many institutions have successfully integrated Azure with an Identity Provider proxy. Given the powerful service that Microsoft systems enable, why not use what you’ve got already and add capability for federated single sign-on?
Other stuff you can integrate with
Identity Provider proxies do more than just integrate with user directories. They can connect with a wide range of other library and institutional systems. These include inter-library loan services, discovery services and learning environments.
Connecting all your institutional services to an Identity Provide proxy leads to a more seamless user experience and frees up time that may be spent on workarounds and resetting user accounts.
We take the time to get to know you and your requirements so we can support every aspect of user access to your resources and services. We’ll work closely with your team, resource providers and other third parties to ensure a smooth integration process.
Go to our docs to find out how to configure Microsoft Azure as an authentication provider of OpenAthens.
Need some help?
For a small fee, our team can help you set up your local directory integration. We're there every step of the way!