Ping Access with Azure AD


Hi All,

I am using OpenIdConnect for authentication and authorization with Azure AD in my application.
The application is deployed on an Azure VM accessible through VPN, and to make it available for users outside the VPN we got a suggestion to use Ping Access with Azure AD. I have a few queries if we go with Ping Access:
Questions:
1. When I hit the domain name, say abc.com, how will it reach Ping Access? Currently, on hitting abc.com, it resolves to the IP of the server on which the application is deployed.
2. I have gone through some articles and concluded that there will be two URLs for the application, one for users on the VPN and the other for non-VPN users. Is that correct?
3. Do I need to change the OpenIdConnect code in my application?

Thanks & Regards,

Tayyab Suhail

6 Replies

I don't think PingAccess is necessary here. Publishing this with the App Proxy should be sufficient. As long as the internal URL is routable, you can use the same URL internally and externally. 

@Tayyab Suhail Let's make it clear: OpenID Connect is the authentication layer on top of OAuth 2.0, i.e. authorization is managed through Azure AD OAuth. In order to enable VPN-less access to your application you don't need Ping, as Azure AD and Azure Application Proxy allow VPN-less access to any application, whether those apps are hosted on premises or in the cloud. Here is a step-by-step instruction on how to do that for an on-prem application: https://www.youtube.com/watch?v=_2kWq5H4NhY

Hi Brian,

Thanks for your reply. Yeah, I agree with you that we can achieve VPN-less access with Application Proxy, but it is the client's decision to use Ping Access for this purpose. I will do some more R&D on Application Proxy and present the client possible ways to achieve it without Ping Access.

Hi Alexey,

Thanks for your response and for sharing the YouTube link. Yes, our authorization server is Azure AD and we are using OpenIdConnect for authentication. I do agree with you that we can achieve VPN-less access without Ping Access, but it is our client's organizational process to achieve it through Ping Access. I am planning to present possible solutions without Ping Access to the client, but in case they still use Ping Access then I will have to change the implementation of my application, because currently my application's authorization server is Azure AD, we are using the OAuth authorization code grant flow, and we are using OpenIDConnect for authentication. Once we receive the authorization code from Azure AD, we request access tokens from Azure AD for our different O365 applications (SharePoint, Graph etc.) registered in Azure AD.

After integration with Ping Access, my understanding is that we will receive the required tokens (authorization code & app tokens) from PingFederate for our different applications. Is my understanding correct?

If the authorization point for your apps/SaaS is Ping, and AAD is simply a federated IdP, then Ping is the one that is supposed to issue access tokens to your clients.
Thanks :)