
Azure AD Multi-Tenant Single Sign-On (SSO) for ASP.NET Applications


What is Azure AD multi-tenant?

Azure AD multi-tenancy refers to a mode of operation in which a single instance of an Azure service or application serves multiple customers, known as tenants, in a shared environment. Each tenant is isolated from the others, and the user data of one tenant is inaccessible to the other tenants.

Azure multi-tenancy also provides benefits such as increased scalability and cost-effectiveness, since physical resources such as storage can be shared across multiple tenants, as well as the ability to quickly onboard new customers and expand services to new markets. However, it also requires careful design and management to ensure that tenant data and resources are properly isolated and secured.


[Figure: Microsoft Entra ID (formerly Azure AD) multi-tenant architecture - how multi-tenancy works in ASP.NET using the miniOrange module]

Steps to configure Azure AD multi-tenant Single Sign-On (SSO)

1. Configure multi-tenancy in Azure AD

  • Log in to the Azure AD Portal as an admin.
  • Select Azure Active Directory.
  • Select App registrations.
  • Click on New registration.
  • Assign a name and choose the supported account type Accounts in any organizational directory (Any Azure AD directory - Multitenant).
  • In the Redirect URI field, provide the ACS URL shown in the Service Provider Metadata tab of the plugin, then click on the Register button.
  • Navigate back to the Overview tab of your active directory, copy the Primary Domain and keep it handy.
  • Copy the Application ID from the configured app and keep it handy.
  • Navigate to Expose an API from the left menu panel.
  • Click the Set button, replace the Application ID URI with https://Primary_Domain/Application-Id (built from the two values you copied previously) and click on Save.
  • Go to the Authentication tab in the left panel and select the ID Tokens (used for implicit and hybrid flows) option. Also make sure the supported account type is Accounts in any organizational directory (Any Azure AD directory - Multitenant), then click on Save.
  • Navigate to API Permissions > Add a permission and select Microsoft Graph.
  • Click on Application permissions, search for User.Read.All, select it and then click on the Add permissions button.
  • To proceed further, click on Grant admin consent for Demo.
  • Go back to the Azure Active Directory > App registrations window and click on Endpoints.
  • This opens a window listing multiple URLs.
  • Copy the Federation metadata document URL to get the endpoints required for configuring your service provider.

2. Configure ASP.NET as Service Provider

  • Paste the Federation Metadata URL in the Service Provider Setup tab of the plugin and click on Fetch Metadata.
  • In the IdP configuration settings, check the Multi-Tenant Application option.
  • Copy the Application ID URI from the Expose an API tab and paste it in the SP Entity ID / Issuer field under the Service Provider tab.
  • Also replace the SAML Login URL and SAML Logout URL with https://login.microsoft.com/common/saml2, then click on Save.
  • Go to the Login Settings section and, under the Additional Configuration setting, choose whether to restrict or allow particular tenant IDs to perform Single Sign-On, then add the comma-separated tenant IDs.
  • Click on Test Configuration and log in as the tenant admin the first time, so that SSO login is allowed for that tenant.
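The tenant allow-list in the Login Settings step is the security-critical part of a multi-tenant setup: once the login URL points at the /common endpoint, any Azure AD tenant can produce a correctly signed assertion for the app, so a valid signature alone does not tell the service provider which organisation the user belongs to. The following Python snippet is an added example (not the miniOrange plugin's own code) of the check a service provider applies after signature verification: it extracts the tenant ID from the assertion's Issuer (assumed to follow Azure AD's issuer format https://sts.windows.net/{tenant-id}/), compares it with an allow-list, and also verifies the Audience against the SP Entity ID (the Application ID URI) and the NotBefore/NotOnOrAfter window. The tenant IDs, domain and assertions are constructed placeholders.

```python
"""Tenant allow-list and audience check for a multi-tenant Azure AD SAML assertion.

Added example, not the miniOrange plugin's code. Assumptions:
- the assertion's XML signature has already been verified by the SAML library;
- Azure AD issuer format https://sts.windows.net/{tenant-id}/ (assumed);
- the SP Entity ID is the Application ID URI (https://Primary_Domain/Application-Id).
"""
import re
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted XML in production
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD SAML assertions carry Issuer = https://sts.windows.net/<tenant GUID>/ (assumed format)
ISSUER_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/$")

# Constructed placeholders: the tenants allowed to sign in, and the SP Entity ID.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
EXPECTED_AUDIENCE = "https://contoso.example/22222222-2222-2222-2222-222222222222"
# Fixed "current time" so the validity-window check is deterministic in this demo.
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def tenant_from_issuer(issuer: str):
    """Return the tenant GUID embedded in an Azure AD issuer URL, or None."""
    match = ISSUER_RE.match(issuer.strip())
    return match.group(1) if match else None


def _saml_time(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing 'Z'; fromisoformat needs +00:00 on older Pythons
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text: str, allowed_tenants=ALLOWED_TENANTS,
                       expected_audience=EXPECTED_AUDIENCE, now=None):
    """Return (True, tenant_id) if the assertion is acceptable, else (False, reason).

    Run this AFTER signature verification: a valid signature obtained via /common only
    proves that *some* Azure AD tenant issued the assertion, not that it is one you trust.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % SAML_NS["saml"]
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        return False, "no Assertion element"

    issuer_el = assertion.find("saml:Issuer", SAML_NS)
    tenant = tenant_from_issuer(issuer_el.text or "") if issuer_el is not None else None
    if tenant is None:
        return False, "issuer is not an Azure AD tenant issuer"
    if tenant not in allowed_tenants:
        return False, "tenant %s is not in the allow-list" % tenant

    conditions = assertion.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "missing Conditions"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _saml_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now >= _saml_time(not_on_or_after):
        return False, "assertion expired"

    # The Audience must be exactly the SP Entity ID configured in the plugin.
    audiences = [a.text.strip() for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    return True, tenant


def sample_assertion(tenant_id: str, audience: str) -> str:
    """Constructed, unsigned minimal assertion used only to exercise the checks."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
        f"<saml:Issuer>https://sts.windows.net/{tenant_id}/</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@tenant.example</saml:NameID></saml:Subject>"
        '<saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion>"
    )


def demo():
    """Run the four cases a tenant allow-list must distinguish; returns {case: (ok, info)}."""
    good = "11111111-1111-1111-1111-111111111111"
    unknown = "99999999-9999-9999-9999-999999999999"
    return {
        "allowed_tenant": validate_assertion(sample_assertion(good, EXPECTED_AUDIENCE), now=DEMO_NOW),
        "unknown_tenant": validate_assertion(sample_assertion(unknown, EXPECTED_AUDIENCE), now=DEMO_NOW),
        "wrong_audience": validate_assertion(sample_assertion(good, "https://other.example/app"), now=DEMO_NOW),
        "expired": validate_assertion(sample_assertion(good, EXPECTED_AUDIENCE), now=DEMO_NOW.replace(hour=13)),
    }


if __name__ == "__main__":
    for case, (ok, info) in demo().items():
        print(f"{case:15s} -> {'accept' if ok else 'reject'}: {info}")
```

Only the allowed-tenant case is accepted; an assertion from an unknown tenant is rejected even though, in a real deployment, its signature would verify just as well. The audience check matters for the same reason: the Application ID URI set in the Expose an API step is what ties the assertion to this particular app rather than to any other multi-tenant app the user's tenant has consented to.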

We have successfully configured Microsoft Entra ID (formerly Azure AD) as a multi-tenant application and configured SAML Single Sign-On (SSO) with the ASP.NET application as the service provider and Azure Active Directory as the identity provider. We can also configure SAML Single Sign-On (SSO) for ASP.NET applications using various identity providers such as ADFS, Okta, Google, Auth0, PingFederate, Microsoft 365, Salesforce and many more. To check other identity providers, click here.



Need Help?

Not able to find your identity provider? Mail us at aspnetsupport@xecurify.com and we'll help you set up SSO with your IdP. For quick guidance (via email or meeting) on your requirements, our team will help you select the most suitable solution or plan.
