Apr 14 2020
12:07 PM
- last edited on
Jan 14 2022
04:32 PM
by
TechCommunityAP
Hi, I'm planning on migrating authentication of our on-premises (legacy) applications to Azure AD. My legacy applications all require (it doesn't matter how it's named) a header field that holds the userPrincipalName of the user accessing the application to provide SSO.
I already have a working POC setup where I'm using my current reverse proxy, which does SAML against Azure AD. That reverse proxy provides the backend web servers with the UPN and this works fine.
I was exploring my options further and I found that Azure AD Application Proxy might allow me (in the future) to replace my current reverse proxy and gain some security (and DDoS etc.). A basic test of the proxy worked but I have some questions.
As I would need the UPN (universalprincipalname) of the user accessing the application without authenticating a second time in the applications, I would need to use header authentication as the single sign-on option, which uses an external server, PingAccess. This means I would need to use an external app (that comes with external licensing) that might not be supported by Microsoft support themselves. So I fear that I would be trying to remove my on-premises load balancer to remove a third party from my network, but I would be trusting one more (PingAccess), and I might need another party to support the setup.
Are my fears correct?
Do I even need this if I only need the UPN of the external user on my backend web server?
And one more question. All of my backend servers are in DMZs; the applications don't have a real internal URL as they are only meant to be used through an external URL. So I ended up adding an entry to the hosts file on the server hosting the application proxy so I could add an internal URL to the Azure AD application config (you are required to enter the backend server as https://hostname/). It would make much more sense to me to be able to access the backend web server through an IP address, as I now need to configure two systems to add a server. Am I going about this the wrong way?
Thanks for any comments!
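Whichever component injects the UPN header (the current SAML reverse proxy, or an Application Proxy path later on), the backend has to honour that header only when the request really arrived through that proxy; otherwise anyone who can reach the DMZ server directly can send their own X-User-UPN and become any user. The following is an added example, not code from the original thread or from any Microsoft or Ping product: a small WSGI middleware that accepts the UPN only from an allow-listed proxy address and only when the proxy has attached an HMAC over the value, and that strips client-supplied copies before the legacy app sees the request. The header names, the shared-secret scheme, the proxy subnet and the sample requests are all assumptions made for illustration.

```python
"""
Added example (not from the original post): a WSGI middleware for a legacy
backend that receives the signed-in user's UPN in a header set by an upstream
reverse proxy. Header names, the HMAC scheme, the proxy subnet and the shared
secret are illustrative assumptions.
"""
import hashlib
import hmac
import ipaddress
from typing import Optional, Tuple

UPN_HEADER = "HTTP_X_USER_UPN"        # assumed: WSGI form of X-User-UPN
SIG_HEADER = "HTTP_X_USER_UPN_SIG"    # assumed: HMAC-SHA256 of the UPN, set by the proxy
PROXY_SECRET = b"rotate-me-and-keep-me-out-of-source"  # assumed shared secret
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/24")]  # assumed proxy/connector subnet


def sign_upn(upn: str, secret: bytes = PROXY_SECRET) -> str:
    """What the proxy computes when it injects the UPN header."""
    return hmac.new(secret, upn.encode("utf-8"), hashlib.sha256).hexdigest()


def trusted_upn(environ: dict) -> Optional[str]:
    """Return the UPN only if the request plausibly came through the proxy."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    # Peer check: requests that bypass the proxy never get a UPN, even with a valid signature.
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    upn = environ.get(UPN_HEADER)
    sig = environ.get(SIG_HEADER)
    if not upn or not sig:
        return None
    # Constant-time compare so the signature check does not leak timing.
    if not hmac.compare_digest(sign_upn(upn), sig):
        return None
    return upn


class UpnAuthMiddleware:
    """Wraps the legacy app; exposes the verified UPN as environ['app.upn']."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        upn = trusted_upn(environ)
        # Drop the raw headers so the app can never read a spoofed value.
        environ.pop(UPN_HEADER, None)
        environ.pop(SIG_HEADER, None)
        if upn is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        environ["app.upn"] = upn
        return self.app(environ, start_response)


def legacy_app(environ, start_response):
    """Stand-in for the legacy application that only wants the UPN."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['app.upn']}\n".encode("utf-8")]


def handle(environ: dict) -> Tuple[str, bytes]:
    """Run one request through the middleware and return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(UpnAuthMiddleware(legacy_app)(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed sample requests for the demo.
    via_proxy = {"REMOTE_ADDR": "10.0.5.10", UPN_HEADER: "alice@contoso.com",
                 SIG_HEADER: sign_upn("alice@contoso.com")}
    direct_hit = {"REMOTE_ADDR": "203.0.113.7", UPN_HEADER: "admin@contoso.com",
                  SIG_HEADER: sign_upn("admin@contoso.com")}
    bad_sig = {"REMOTE_ADDR": "10.0.5.10", UPN_HEADER: "bob@contoso.com",
               SIG_HEADER: "0" * 64}
    for req in (via_proxy, direct_hit, bad_sig):
        print(handle(req))
```

The two checks are deliberately independent: the address allow-list stops requests that never touched the proxy, and the HMAC stops a host inside the trusted subnet from simply asserting a UPN. If the proxy and backend talk over mutually authenticated TLS instead, the peer check can be replaced by verifying the proxy's client certificate, but the principle is the same: the header is data from a trusted hop, not a credential the client presented.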
May 16 2020 04:24 PM
Solution
May 17 2020 10:29 AM
@Joe Stocker, thank you for that link. That's great!