Microsoft Tech Community

Ping Access with Azure AD


Hi All,


I am using OpenID Connect for authentication and authorization with Azure AD in my application.
The application is deployed on an Azure VM accessible through VPN, and to make it available for users outside the VPN we got a suggestion to use Ping Access with Azure AD. I have a few queries if we go with Ping Access:
Questions:
1. When I hit a domain name, say abc.com, how will it reach Ping Access? Currently, hitting abc.com resolves to the server IP on which the application is deployed.
2. I have gone through some articles and concluded that there will be two URLs for the application, one for users on the VPN and another for non-VPN users. Is that correct?
3. Do I need to change the OpenID Connect code in my application?


Thanks & Regards,

Tayyab Suhail

6 Replies

I don't think PingAccess is necessary here. Publishing this with the App Proxy should be sufficient. As long as the internal URL is routable, you can use the same URL internally and externally. 

@Tayyab Suhail Let's make it clear: OpenID Connect is the authentication layer on top of OAuth 2.0, i.e. authorization is managed through Azure AD OAuth. In order to enable VPN-less access to your application you don't need Ping, as Azure AD and Azure Application Proxy allow VPN-less access to any application, whether those apps are hosted on premises or in the cloud. Here are step-by-step instructions on how to do that for an on-prem application: https://www.youtube.com/watch?v=_2kWq5H4NhY

Hi Brian,


Thanks for your reply. Yeah, I agree with you that we can achieve VPN-less access with Application Proxy, but it is the client's decision to use Ping Access for this purpose. I will do some more R&D on Application Proxy and present the client with possible ways to achieve this without Ping Access.

Hi Alexey,


Thanks for your response and for sharing the YouTube link. Yes, our authorization server is Azure AD and we are using OpenID Connect for authentication. I do agree with you that we can achieve VPN-less access without Ping Access, but this is our client organization's process for achieving it through Ping Access. I am planning to present possible solutions without Ping Access to the client, but in case they still use Ping Access then I will have to change the implementation of my application, because currently my application's authorization server is Azure AD and we are using the OAuth authorization code grant flow with OpenID Connect for authentication. Once we receive the authorization code from Azure AD, we request access tokens from Azure AD for our different O365 applications (SharePoint, Graph, etc.) registered in Azure AD.

After integration with Ping Access, my understanding is that we will receive the required tokens (authorization code & app tokens) from PingFederate for our different applications. Is my understanding correct?

If the authorization point for your apps/SaaS is Ping, and AAD is simply a federated IdP, then Ping is the one that is supposed to issue access tokens to your clients.
Thanks :)
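As an added example (not code from this thread, from Microsoft or from Ping), here is the shape of an application's ID-token validation when the trusted issuer, audience and signing key are configuration rather than code. This is what question 3 and the last reply come down to: if PingFederate becomes the token issuer, the app's trust configuration (trusted issuer, client registration/audience, signing keys) has to change, and the token still has to pass the same signature, iss, aud and exp checks. The tenant ID, client ID and Ping hostname below are made up; HS256 with a shared secret is used only so the example runs offline, whereas a real OIDC client verifies RS256 signatures with the keys published at the issuer's jwks_uri (found via the discovery document).

```python
"""Added example, not from the thread: OIDC ID-token validation whose trust
anchors (issuer, audience, signing key) are configuration.  The same check
runs whether Azure AD or PingFederate issued the token; only the trust
configuration differs.  HS256 with a shared secret is used so this runs
offline; production clients verify RS256 against the issuer's jwks_uri."""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def discovery_url(issuer: str) -> str:
    # OIDC Discovery: jwks_uri and endpoints live at a fixed path under the issuer.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Stand-in for the IdP: builds a compact JWS.  alg='none' exists only to
    construct a hostile token for the negative check in demo()."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, *, issuer: str, audience: str, key: bytes,
                      now=None) -> dict:
    """Verify the signature first, then iss/aud/exp/nbf.  Returns the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The accepted algorithm comes from configuration, never from the token.
    if header.get("alg") != "HS256":
        raise TokenError(f"rejected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise TokenError(f"untrusted issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token was not issued for this client")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("token expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    return claims


# Hypothetical trust configuration for the two deployments discussed in the
# thread; the tenant ID, client ID and Ping hostname are made up.
AZURE_AD = {"issuer": "https://login.microsoftonline.com/"
                      "11111111-2222-3333-4444-555555555555/v2.0",
            "audience": "abc-app-client-id"}
PING = {"issuer": "https://sso.example.com", "audience": "abc-app-client-id"}


def demo() -> dict:
    """Same validation code, two trust configurations."""
    key = b"constructed-shared-secret"          # constructed test key
    now = 1_700_000_000
    claims = {"iss": PING["issuer"], "aud": PING["audience"], "sub": "user1",
              "iat": now, "exp": now + 300}
    token = mint_token(claims, key)
    accepted = validate_id_token(token, key=key, now=now, **PING)

    def rejected(tok, cfg):
        try:
            validate_id_token(tok, key=key, now=now, **cfg)
        except TokenError:
            return True
        return False

    return {
        "sub": accepted["sub"],
        # A PingFederate-issued token must fail while the app still trusts Azure AD.
        "wrong_issuer_rejected": rejected(token, AZURE_AD),
        # The classic alg=none downgrade must fail regardless of issuer.
        "alg_none_rejected": rejected(mint_token(claims, key, alg="none"), PING),
        "expired_rejected": rejected(mint_token({**claims, "exp": now - 1}, key), PING),
    }


if __name__ == "__main__":
    print(demo())
```

One caveat worth keeping in mind alongside the thread's last answer: Microsoft Graph and SharePoint Online accept only tokens issued by Azure AD, so even if PingFederate issues the application's own ID and access tokens, the resource tokens the application requests for Graph and SharePoint still have to be obtained from Azure AD.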