So you have heard that SAML 2.0 is a lot more expensive than OpenID Connect when using Microsoft Azure AD as the identity provider? OpenID Connect is an authentication protocol built on top of the OAuth 2.0 authorization framework. The JSON structure of OpenID Connect is more efficient than the XML format used by SAML 2.0 and consumes less bandwidth. Here's the guide to get you started.
Prerequisites
First of all you need to register your Sitevision web site as an "app" in Microsoft Azure. Head over to https://portal.azure.com and log in with your admin credentials.
Choose your friendly name wisely. This name will be presented to the user when the app asks for permission to log in as the user.
Now that your app has been registered you need to customize it and collect some data. Remember to save your settings as we go along.
Next, go to "Authentication"
Go on and click "Certificates & secrets"
If you choose any expiry time other than "Never", make sure to set a calendar event to remind you to renew the secret before it expires. Maybe 10-20 colleagues need to set a reminder as well? Ask yourself what happens if none of your users can log in because of an expired secret.
The secret will only be viewable until you leave the page. Copy the client secret before leaving the page. If you missed this step, just generate another secret and remove the previous one.
All the basic settings in Microsoft Azure are done.
There are a few advanced settings that might be interesting.
Just as with SAML 2.0, it's possible to include group claims in the token during login. The group claims can be used to assign the user to a virtual group in Sitevision. The group claims are not included by default but can easily be added.
Click "Manifest" to view a JSON document defining the configuration of the app.
Change the value groupMembershipClaims from null to "SecurityGroup" or "All". See groupMembershipClaims in Azure Active Directory app manifest
Some useful claims are omitted by default from the id token. family_name and given_name are nice-to-have claims.
Add an idToken definition to the manifest:
...
"optionalClaims": {
    "idToken": [
        {
            "name": "family_name",
            "essential": false
        },
        {
            "name": "given_name",
            "essential": false
        },
        {
            "name": "nickname",
            "essential": false
        }
    ]
},
...
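As an added example, not code from the original post or from Sitevision, here is how a relying party could interpret the claims that the two manifest changes above add to the id token (groups plus given_name/family_name), including the group overage case where Azure AD leaves the groups claim out. The group ids, the virtual group names and the resolve_user function are all assumptions.

```python
# Constructed sample of the claims in an Azure AD id_token after setting
# groupMembershipClaims and the optional family_name / given_name claims.
# The sub value and the group object ids are made up.
SAMPLE_CLAIMS = {
    "sub": "constructed-subject-identifier",
    "name": "Anna Andersson",
    "given_name": "Anna",
    "family_name": "Andersson",
    "groups": [
        "11111111-2222-3333-4444-555555555555",
        "99999999-8888-7777-6666-555555555555",
    ],
}

# Hypothetical mapping from Azure AD group object id to a virtual group name.
# Map by object id, never by display name: ids are stable and unique.
GROUP_TO_VIRTUAL_GROUP = {
    "11111111-2222-3333-4444-555555555555": "editors",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "admins",
}


class GroupOverageError(Exception):
    """The token carried no group list; membership must be fetched from Graph."""


def resolve_user(claims, group_map):
    """Build a user profile from id_token claims.

    Assumes the token's signature, issuer, audience and expiry have already
    been verified upstream; this function only interprets the claims.
    """
    if "sub" not in claims:
        raise ValueError("id_token lacks the mandatory 'sub' claim")
    groups = claims.get("groups")
    if groups is None:
        # When a user belongs to more groups than fit in the token, Azure AD
        # omits 'groups' and instead points to Microsoft Graph through
        # _claim_names/_claim_sources (or sets hasgroups=true in the implicit
        # flow). Silently treating that as "no groups" would drop permissions.
        if "groups" in claims.get("_claim_names", {}) or claims.get("hasgroups"):
            raise GroupOverageError("group overage: query Graph for memberships")
        groups = []
    # Unknown group ids are ignored; only explicitly mapped groups grant anything.
    virtual_groups = sorted({group_map[g] for g in groups if g in group_map})
    return {
        "sub": claims["sub"],
        "given_name": claims.get("given_name", ""),
        "family_name": claims.get("family_name", ""),
        "virtual_groups": virtual_groups,
    }
```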
Add an OpenID Connect authentication filter to your web site.
Add the following properties:
Add an OpenID Connect login module to your web site.
No further settings are needed. Now it's time to visit your web site.
When visiting a page that is not public, the user is redirected to Microsoft Azure. The user is asked to log in, if not logged in already. At the very first login the user is presented with a consent screen, where permission is requested for the app under the name specified earlier. Example: The Bulletin.
After consenting, the user is redirected back to Sitevision.
Everything is done, enjoy the single sign on experience!