{"id":6616426,"date":"2022-09-27T12:47:37","date_gmt":"2022-09-27T12:47:37","guid":{"rendered":"https:\/\/www.openathens.net\/?p=6616426"},"modified":"2024-03-19T10:53:04","modified_gmt":"2024-03-19T10:53:04","slug":"microsoft-azure-ad-as-our-identity-provider-in-an-identity-federation","status":"publish","type":"post","link":"https:\/\/www.openathens.net\/blog\/microsoft-azure-ad-as-our-identity-provider-in-an-identity-federation\/","title":{"rendered":"Microsoft Azure AD as an identity provider in an identity federation"},"content":{"rendered":"
The short answer is ‘no’ for most identity federations, but there are solutions to use Azure as your primary identity provider for federated access to resources.

Single sign-on systems such as Microsoft Azure AD can handle bilateral connections with a service provider. So why can’t they be used as an organization’s default identity provider in an identity federation?

Some identity federations require registering organizations (i.e. your institution) to own or have permission to use the domain in the entityID. But Microsoft Azure entityIDs are in the windows.net domain, so you need permission from Microsoft to use their domain name.

Azure AD only supports bilateral SAML connections, which means it is not scalable for federated single sign-on.

There are also interoperability issues with:

User considerations

Personally Identifiable Information (PII) is released by default, but you can turn this off.

How to connect your Azure directory to an identity federation

The simple solution to using your existing Azure AD is to connect with a SAML Identity Provider proxy such as the OpenAthens hosted Identity Provider service, your Shibboleth Identity Provider or another proxy service. This will give your end users a full single sign-on experience.

Many institutions have successfully integrated Azure with an Identity Provider proxy. Given the powerful service that Microsoft systems enable, why not use what you’ve got already and add capability for federated single sign-on?

Other stuff you can integrate with

Identity Provider proxies do more than just integrate with user directories. They can connect with a wide range of other library and institutional systems. These include inter-library loan services, discovery services and learning environments.

Connecting all your institutional services to an Identity Provider proxy leads to a more seamless user experience and frees up time that may otherwise be spent on workarounds and resetting user accounts.

More information

We take the time to get to know you and your requirements so we can support every aspect of user access to your resources and services. We’ll work closely with your team, resource providers and other third parties to ensure a smooth integration process.