Wednesday, February 03, 2016

AAD : Some protocol conversion

If you've ever looked at Auth0, you'll know that it's basically a circle that handles all the protocols and conversions: every application and IdP has one connection to the circle, so anyone can connect to anything.

You can come in with OpenID Connect and a JWT and exit with SAML-P and a SAML token.

The same kind of thing happens with Azure AD when you have a federated tenant that uses ADFS for authentication.

The user accesses a .NET application that uses the OWIN OpenID Connect stack to connect to AAD.

Something like:

GET https://login.microsoftonline.com/866...c0/oauth2/authorize
?client_id=98e...a73b006
&redirect_uri=https%3a%2f%2fmyapp.com%2f
&response_mode=form_post
&response_type=code+id_token
&scope=openid+profile
&state=OpenIdConnect.AuthenticationProperties%3dx...XbjvpmEy
&domain_hint=company.com

If you are wondering about the "domain_hint" see here: Using Azure AD to land users on their custom login page from within your app

AAD sees that this is a federated tenant and hands off to ADFS. The default protocol for that hand-off in the Microsoft stack is WS-Fed.

Something like:

GET https://my-adfs/adfs/ls/?username=&wa=wsignin1.0&wtrealm=urn%3acompany
&wctx=abc...C7_3-B_AU1

So AAD has done a protocol conversion from OpenID Connect / OAuth 2.0 (the oauth2/authorize endpoint) to WS-Fed (wa=wsignin1.0).
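To make the conversion concrete, here is a small added example (my own code, not part of the original post and not Microsoft's or Auth0's) that parses the two request legs shown above and lines up the parameters that play the same role on each side. The two sample URLs are constructed to mirror the post's requests, with placeholder identifiers (TENANT-ID, CLIENT-ID, STATE, CTX) instead of the real elided values; the pairing of client_id with wtrealm and state with wctx is this example's own reading of the two requests, and the whr parameter is a WS-Fed home-realm parameter the post does not show. The check function also flags the kind of mistake that is easy to make on the OIDC leg, such as a mis-encoded redirect_uri.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests modelled on the two requests in the post.
# TENANT-ID, CLIENT-ID, STATE and CTX are placeholders, not real values.
OIDC_REQUEST = (
    "https://login.microsoftonline.com/TENANT-ID/oauth2/authorize"
    "?client_id=CLIENT-ID"
    "&redirect_uri=https%3a%2f%2fmyapp.com%2f"
    "&response_mode=form_post"
    "&response_type=code+id_token"
    "&scope=openid+profile"
    "&state=OpenIdConnect.AuthenticationProperties%3dSTATE"
    "&domain_hint=company.com"
)
WSFED_REQUEST = (
    "https://my-adfs/adfs/ls/?username=&wa=wsignin1.0&wtrealm=urn%3acompany"
    "&wctx=CTX"
)


def parse_request(url):
    """Split a request URL into its parts and a flat dict of query parameters."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts, {name: values[0] for name, values in query.items()}


def identify_protocol(url):
    """Tell the two legs apart by the markers the post points at."""
    parts, params = parse_request(url)
    if parts.path.endswith("/oauth2/authorize"):
        return "oidc"
    if params.get("wa") == "wsignin1.0":
        return "wsfed"
    return "unknown"


def normalize(url):
    """Map each protocol's parameters onto one common view of the request.

    The pairing below (client_id/wtrealm, state/wctx, domain_hint/whr) is this
    example's own reading of the two requests, not something the post states.
    """
    parts, params = parse_request(url)
    protocol = identify_protocol(url)
    if protocol == "oidc":
        return {
            "protocol": "OpenID Connect",
            "endpoint": parts.path,
            "relying_party": params.get("client_id"),
            "round_trip_state": params.get("state"),
            "return_to": params.get("redirect_uri"),
            "requested": params.get("response_type", "").split(),
            "home_realm_hint": params.get("domain_hint"),
        }
    if protocol == "wsfed":
        return {
            "protocol": "WS-Federation",
            "endpoint": parts.path,
            "relying_party": params.get("wtrealm"),
            "round_trip_state": params.get("wctx"),
            "return_to": None,  # not carried in this request; resolved from wtrealm
            "requested": [params.get("wa")],
            "home_realm_hint": params.get("whr"),  # WS-Fed parameter, absent here
        }
    return {"protocol": "unknown", "endpoint": parts.path}


def check_oidc_request(url):
    """Return the problems a reviewer would flag on the OIDC leg (empty if clean)."""
    _, params = parse_request(url)
    problems = []
    target = urlsplit(params.get("redirect_uri", ""))
    if target.scheme != "https" or not target.netloc:
        problems.append("redirect_uri is not an absolute https URL")
    if not params.get("state"):
        problems.append("state missing: response cannot be bound to this request")
    response_type = params.get("response_type", "").split()
    if "id_token" in response_type and params.get("response_mode") != "form_post":
        problems.append("id_token requested without form_post: token rides in the URL fragment")
    if "openid" not in params.get("scope", "").split():
        problems.append("scope lacks openid: no id_token semantics")
    return problems


if __name__ == "__main__":
    for leg in (OIDC_REQUEST, WSFED_REQUEST):
        for key, value in normalize(leg).items():
            print(f"{key:>18}: {value}")
        print()
    # A constructed broken variant: "%2f" mistyped as "%2" in front of the host.
    broken = OIDC_REQUEST.replace("%2f%2fmyapp", "%2f%2myapp")
    print("problems in broken request:", check_oidc_request(broken))
```

Running it prints both legs in the same shape, which makes the conversion visible: the OIDC leg identifies the app by client_id and carries its state in state, the WS-Fed leg identifies the realm by wtrealm and carries its state in wctx, and only the OIDC leg names a return address in the request itself.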

Enjoy!
