Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Azure AD Application Proxy header authentication

Copper Contributor

Hi, I'm planning on migrating authentication of our on premise (legacy) applications to AzureAD. My legacy applications all require (doesn't matter how it's named) a header field that holds the userPrincipalName of the user accessing the application to provide SSO. 

I already have a working POC setup where I'm using (my current) a reverse proxy that does SAML against Azure AD. That reverse proxy provides the backend webservers with the UPN and this works fine. 

 

I was exploring my options further and I found that Azure AD Application Proxy might allow me (in the future) to replace my current reverse proxy and gain some security (and ddos etc). A basic test of the proxy worked but I have some questions. 

 

As I would need the UPN (universalprincipalname) of the user access the application without authenticating a second time in the applications. I would need to use Header authentication as the single sing on option, this uses an external server, pingaccess. This means I would need to use an external app (that comes with external licensing) and that might not be supported my microsoft support themselves. So I fear that I would by trying to remove my on premise load balancer to remove a 3th party from my network, but I would be trusting one more (pingaccess), and I might need another party to support the setup.

Are my fears correct?

Do I even need this if I only need the UPN of the external user on my backend webserver?

 

And one more question. All of my backend servers are in DMZ's, the applications don't have a real internal URL as they are only meant to be used through an external URL. So I ended up adding an entry to the hosts file on the server hosting the application proxy so I could add an internal URL to the Azure AD application config (you are required to enter the backend server as https://hostname/. It would make much more sense to me to be able to access the backend webserver through an IP address as I now need to configure two systems to add a servers. Am I going about this the wrong way?

 

Thanks for any comments!

2 Replies
best response confirmed by JayBeeFinalBeta (Copper Contributor)
Solution
Good news for you - Azure AD Proxy will have a preview of header based authentication this summer, see this tweet by Alex Simons: https://twitter.com/Alex_A_Simons/status/1261414747909402624
I suggest you follow him on Twitter as he is likely to post about it there first.

@Joe Stocker , thank you for that link. That's great!

1 best response

Accepted Solutions
best response confirmed by JayBeeFinalBeta (Copper Contributor)
Solution
Good news for you - Azure AD Proxy will have a preview of header based authentication this summer, see this tweet by Alex Simons: https://twitter.com/Alex_A_Simons/status/1261414747909402624
I suggest you follow him on Twitter as he is likely to post about it there first.

View solution in original post