SOLVED

Using ADFS and Azure AD Guests to authenticate external guests for internal SAML apps?


I know that it is possible to use Azure Application Proxy to do something like this.

But if we have ADFS / WAP (2016), can we do this too? And what is the process?

Do we have to back-sync the guest user accounts, or is it the same as with the Azure App Proxy, using MIM or PowerShell?

Do we have to set up anything on the ADFS server?

How is the experience for the end user? They get redirected from the web app to the ADFS login, then put in their UPN, but what about the password?

2 Replies
Best Response confirmed by Sven Bürger (New Contributor)
Solution

Hello Sven,

Yes, it is possible.

You need to add Azure Active Directory as a claims provider on ADFS, and ADFS as an application in Azure AD.

Check this, it might help:

https://www.youtube.com/watch?v=VIT6oL3Zhzg&t=12s

Regards,

Rishabh


Hi Rishabh,

thanks for the video. I could set up the claims provider with this.

I have one issue left. The guest user account from Azure AD gets a weird Name ID claim. I hoped I would get the UPN or the logon name as the Name ID.

This is the NameID I get:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Qx7A-cgVG3o-D7qWLKKSjlrjijskdfjlKJSLKJJSLKJFw</NameID>

I can work around the issue by transforming the Email claim into the Name ID for the target application. But I would like to understand what Azure AD sends. I used Get-AzureADUser, but it isn't the ObjectId or any other attribute I see on the user account.

Regards,

Sven
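The two steps the thread describes, adding Azure AD as a claims provider trust on ADFS and then mapping the passed-through e-mail claim to the NameID the internal SAML relying party receives, as an added PowerShell example that is not from either poster. The tenant id, app id and relying party name are placeholders, and the Issuer check assumes the claims provider trust identifier is the Azure AD SAML issuer URL, which is how Azure AD publishes it in its federation metadata.

```powershell
# Added example (not code from the thread). Placeholders: <tenant-id>, <app-id>.
$tenantId = '<tenant-id>'   # placeholder: Azure AD tenant that holds the guests
$appId    = '<app-id>'      # placeholder: the ADFS enterprise app created in Azure AD
$rpName   = 'Internal SAML App'   # placeholder: existing ADFS relying party trust

# Standard claim type URIs used by Azure AD SAML tokens and ADFS.
$email    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$objectId = 'http://schemas.microsoft.com/identity/claims/objectidentifier'
$nameId   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$format   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$aadIssuer = "https://sts.windows.net/$tenantId/"   # Azure AD SAML issuer (assumed CP identifier)

# Step 1 (Rishabh's answer): register Azure AD as a claims provider trust from the
# app-specific federation metadata. Only the claims named here are accepted into
# the ADFS pipeline; the opaque default NameID is deliberately not passed through.
$acceptanceRules = @"
@RuleName = "Accept e-mail and object id from Azure AD"
c:[Type == "$email"]
 => issue(claim = c);
c:[Type == "$objectId"]
 => issue(claim = c);
"@
Add-AdfsClaimsProviderTrust -Name 'Azure AD Guests' `
    -MetadataUrl "https://login.microsoftonline.com/$tenantId/federationmetadata/2007-06/federationmetadata.xml?appid=$appId" `
    -AcceptanceTransformRules $acceptanceRules

# Step 2 (Sven's workaround): on the relying party, issue the e-mail value as the
# NameID. The Issuer condition keeps a same-valued e-mail from another claims
# provider (for example local AD, issuer "AD AUTHORITY") from being mapped the
# same way, so the app cannot confuse a guest with an internal account.
# E-mail addresses can change, so the object id is forwarded as a stable key.
$issuanceRules = @"
@RuleName = "Azure AD e-mail as NameID"
c:[Type == "$email", Issuer == "$aadIssuer"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["$format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
@RuleName = "Pass through Azure AD object id"
c:[Type == "$objectId", Issuer == "$aadIssuer"]
 => issue(claim = c);
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $issuanceRules
```

Verify the outcome with a test sign-in and check that the NameID element now carries the emailAddress format and the guest's address instead of the opaque value shown above.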