cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Can we use Azure AD for SSO to SaaS applications if we already use ADFS for SSO to Azure/O365?

Andrew Colombino
Brass Contributor

‎Dec 03 2018 01:47 PM - last edited on ‎Jan 14 2022 05:21 PM by

‎Dec 03 2018 01:47 PM - last edited on ‎Jan 14 2022 05:21 PM by

Can we use Azure AD for SSO to SaaS applications if we already use ADFS for SSO to Azure/O365?

Some background: our organization uses ADFS for SSO to Office 365. Naturally, we sync our AD to Azure AD to make that happen, but we do not sync passwords or anything like that. We're stuck using ADFS for Dynamics on-premises.

 

When configuring third-party SaaS applications (ex. Adobe, Zoom, etc.), I see they have options to configure SSO with Azure AD (enterprise application gallery) or to configure SSO with ADFS.

 

My questions are:

  1. Is it possible to configure these SaaS applications for SSO with Azure AD? (Would Azure AD just turn around and authentication to ADFS?)
  2. If so, what are the potential pros/cons for such a configuration?

 

My thoughts are, if we move away from ADFS in the future, it would be easier to already have those applications in Azure AD. They can also take advantage of MFA, Conditional Access, etc. On the other hand, if users will see multiple login prompts, that's not ideal.

10.7K Views
0 Likes
6 Replies
Reply
6 Replies
Rishabh Srivastava

‎Dec 03 2018 11:12 PM

‎Dec 03 2018 11:12 PM

Re: Can we use Azure AD for SSO to SaaS applications if we already use ADFS for SSO to Azure/O365?

Hello Andrew,

Azure AD will process the authentication always by checking the domain suffix.

When a user tries to sign in to https://portal.azure.com , https://portal.office.com or https://myapps.microsoft.com

Users are re-directed to login.microsoftonline.com, now the moment user will type UPN, Home realm discovery happens, and the user gets redirected to specific ADFS servers.

Now, in your scenario Azure AD either needs a TOKEN from any IDP which will be in your case – ADFS,

If you have specific requirement of ADFS, to keep authentication on prem, I would suggest to enable passthrough authentication.

Otherwise you can also implement password sync sign on for azure AD.

https://www.youtube.com/watch?v=kRPExiS4EwI&t=6s

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

Regards,
Rishabh

1 Like
Reply
Andrew Colombino

‎Dec 04 2018 05:19 AM

‎Dec 04 2018 05:19 AM

Re: Can we use Azure AD for SSO to SaaS applications if we already use ADFS for SSO to Azure/O365?

Thanks Rishabh, I'll take a look. What benefit does pass-through authentication provide that makes it different from ADFS?

 

Will it help the situation with these third-party SaaS apps?

0 Likes
Reply
best response confirmed by Andrew Colombino (Brass Contributor)
Steven Collier

‎Dec 04 2018 11:44 AM

‎Dec 04 2018 11:44 AM

Solution

Re: Can we use Azure AD for SSO to SaaS applications if we already use ADFS for SSO to Azure/O365?

@Andrew Colombino generally most apps that support federation with ADFS would also support federation with AzureAD. In your case AzureAD would pass the authentication events down to your federated AzureAD providing the same login experience as you get with Office 365 etc.

 

I agree with your point about better preparing yourself to go without ADFS in the future. These days new clients use simpler tools like Password Hash Sync or Pass Through Authentication, it's easier to provide a highly reliable service and authentication is typically the most important service.

 

You would also be allowing these apps to use the more sophisticated security controls available as part of AzureAD. Condition Access, Multi-Factor Authentication, Identity Protection, MCAS etc.

3 Likes
Reply
Andrew Colombino

‎Dec 04 2018 12:57 PM

‎Dec 04 2018 12:57 PM

Re: Can we use Azure AD for SSO to SaaS applications if we already use ADFS for SSO to Azure/O365?

Thanks, @Steven Collier. It sounds like that's the way we want to go.

0 Likes
Reply
Rishabh Srivastava

‎Dec 05 2018 04:57 AM

‎Dec 05 2018 04:57 AM

Re: Can we use Azure AD for SSO to SaaS applications if we already use ADFS for SSO to Azure/O365?

With pass through authentication you don't have to setup ADFS for Azure AD or O365.

Instead connectors are installed on AzureAAD connect server as well as on other servers, for load balancing. 

 

Benefits :-

You don't have to manage those configurations that are related to ADFS. 

As per your requirement password hash of the user objects are also not synced to Azure AD. 

Password remains on-prem and the authentication will work seamlessly. 

This setup will cater 3rd party applications that you have added in Azure AD. 

As all these third party application will be relying on Azure AD for user identities.

 

Regards,

Rishabh 

 

1 Like
Reply
zazh

‎Mar 12 2019 04:06 AM - edited ‎Mar 12 2019 04:09 AM

‎Mar 12 2019 04:06 AM - edited ‎Mar 12 2019 04:09 AM

Re: Can we use Azure AD for SSO to SaaS applications if we already use ADFS for SSO to Azure/O365?

Keep your SSO with your ADFS, and configure the connection from Azure AD's saml2 should Work fine.

No need to change your on prem / azure sso away from ADFS if it Works for you and you have to use the ADFS anyway.

 

Also with PTA or Password Hash and Seamless SSO you wont be able to get simple stuff like password expire notification to your users if you have some that is cloud only (federeted ID but not using on prem services).

You could enable Password hash sync so that you would be able to use leaked password detection in Identity Protection service, or as a backup if ever your ADFS went dead.

 

If you requre an on-prem ADFS setup for something else, by all means use it to SSO to Azure also.

 

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Andrew Colombino (Brass Contributor)
Steven Collier

‎Dec 04 2018 11:44 AM

‎Dec 04 2018 11:44 AM

Solution

Re: Can we use Azure AD for SSO to SaaS applications if we already use ADFS for SSO to Azure/O365?

@Andrew Colombino generally most apps that support federation with ADFS would also support federation with AzureAD. In your case AzureAD would pass the authentication events down to your federated AzureAD providing the same login experience as you get with Office 365 etc.

 

I agree with your point about better preparing yourself to go without ADFS in the future. These days new clients use simpler tools like Password Hash Sync or Pass Through Authentication, it's easier to provide a highly reliable service and authentication is typically the most important service.

 

You would also be allowing these apps to use the more sophisticated security controls available as part of AzureAD. Condition Access, Multi-Factor Authentication, Identity Protection, MCAS etc.

View solution in original post

3 Likes
Reply