SOLVED

Azure AD Application Proxy header authentication


Hi, I'm planning on migrating authentication of our on premise (legacy) applications to AzureAD. My legacy applications all require (doesn't matter how it's named) a header field that holds the userPrincipalName of the user accessing the application to provide SSO. 

I already have a working POC setup where I'm using (my current) a reverse proxy that does SAML against Azure AD. That reverse proxy provides the backend webservers with the UPN and this works fine. 


I was exploring my options further and I found that Azure AD Application Proxy might allow me (in the future) to replace my current reverse proxy and gain some security (and DDoS protection etc.). A basic test of the proxy worked but I have some questions.


As I would need the UPN (universalprincipalname) of the user accessing the application without authenticating a second time in the applications, I would need to use Header authentication as the single sign on option; this uses an external server, PingAccess. This means I would need to use an external app (that comes with external licensing) and that might not be supported by Microsoft support themselves. So I fear that I would be trying to remove my on premise load balancer to remove a 3rd party from my network, but I would be trusting one more (PingAccess), and I might need another party to support the setup.

Are my fears correct?

Do I even need this if I only need the UPN of the external user on my backend webserver?


And one more question. All of my backend servers are in DMZs; the applications don't have a real internal URL as they are only meant to be used through an external URL. So I ended up adding an entry to the hosts file on the server hosting the application proxy so I could add an internal URL to the Azure AD application config (you are required to enter the backend server as https://hostname/). It would make much more sense to me to be able to access the backend webserver through an IP address, as I now need to configure two systems to add a server. Am I going about this the wrong way?


Thanks for any comments!
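The header-based SSO pattern described in the question (a reverse proxy authenticates the user and passes the UPN to the backend in a header) only holds up if the backend trusts that header solely when the request actually came through the proxy. The following is an added example, not code from the thread or from any Microsoft or Ping product, of a backend-side guard that enforces this. The header name `X-Forwarded-Upn` and the proxy subnet `10.0.0.0/24` are constructed assumptions; the poster notes the header name does not matter.

```python
# Added example: backend-side guard for proxy-supplied identity headers.
# The UPN header is honoured only when the TCP peer is the reverse proxy
# (or App Proxy connector); a client reaching the backend directly cannot
# assert an identity simply by adding the header itself.
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed assumptions for this example: adjust to your proxy's config.
UPN_HEADER = "X-Forwarded-Upn"                                # hypothetical header name
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]       # proxy/connector subnet
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")             # loose user@domain shape


def upn_from_request(headers: List[Tuple[str, str]], remote_addr: str) -> Optional[str]:
    """Return the UPN asserted by the proxy, or None if it must not be trusted.

    headers:     raw (name, value) pairs as parsed from the HTTP request, so
                 duplicated headers are visible (a dict would hide them).
    remote_addr: peer IP of the connection the backend sees; for this pattern
                 to be safe it must be the proxy, never the end user.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Request bypassed the proxy: ignore any identity header entirely.
        return None

    # Header names are case-insensitive; collect every occurrence.
    values = [v for name, v in headers if name.lower() == UPN_HEADER.lower()]
    if len(values) != 1:
        # Missing or duplicated header: refuse rather than guess which wins.
        return None

    upn = values[0].strip()
    # Reject values that do not look like a UPN before the app uses it
    # for lookups or logging.
    return upn if UPN_RE.match(upn) else None
```

A real deployment would additionally terminate TLS between proxy and backend (or use a shared secret / mTLS) so that source IP is not the only thing tying the header to the proxy.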

2 Replies
Solution
Good news for you - Azure AD Proxy will have a preview of header based authentication this summer, see this tweet by Alex Simons: https://twitter.com/Alex_A_Simons/status/1261414747909402624
I suggest you follow him on Twitter as he is likely to post about it there first.

@Joe Stocker , thank you for that link. That's great!