Hybrid identity update: Pass-Through Authentication and Seamless Single Sign On

It was one of the main announcements from Ignite 2016, and now the functionality is finally here: Pass-Through Authentication and Seamless Single Sign On. These features were added to the latest Azure AD Connect release and are considered a huge game changer for hybrid identity scenarios. In this post I will elaborate on these two new features and also answer the question: is ADFS now a deprecated scenario for a hybrid identity setup?

Until now we had three common types of hybrid identity scenarios:

  • Cloud only; in this scenario the on-premises identities are not synchronized with the ones in the cloud, which means users are able to use the same username but not the same password.
  • Synchronized (identity + password sync); in a synchronized scenario the identity and the password (hash) of the user's account are synced to the cloud IdP (Azure AD). This enables users to log in to cloud applications with the same credentials as on-premises.
  • Federated (ADFS + identity sync); this is considered the real Single Sign On scenario. The user identities are synced to the cloud IdP and a federation is set up using Active Directory Federation Services (ADFS). Authentication in this setup is verified on-premises, which also enables clients within the same Active Directory domain to get the Single Sign On experience.

Single Sign On is one of the main requirements I hear from customers. Until now the federated scenario was the only option to meet this requirement, and it always results in deploying a comprehensive environment including ADFS and WAP servers.

The availability of Pass-Through authentication and Seamless Single Sign On definitely changes this.

Pass-Through authentication

Azure AD Pass-Through Authentication provides a simple model for validating passwords against the on-premises Active Directory. This is achieved by installing a simple connector within the on-premises environment, without the need for a complex network infrastructure. Exactly! This scenario requires neither an ADFS server nor a copy of the on-premises passwords in the cloud.

So how does this scenario work? During the authentication challenge, the password entered on the Azure AD login page is passed down to the on-premises connector. The connector validates the credentials against the on-premises Active Directory and returns a ticket. The ticket is sent back to Azure AD, which evaluates and verifies the response. Once the response is validated, a Multi-Factor Authentication step can be triggered.

This scenario also integrates with the self-service password reset process offered by Azure AD. When a user changes their password, the request is automatically directed to the on-premises Active Directory environment.

This option can be enabled very easily during the setup of Azure AD Connect.

Seamless SSO

Seamless SSO is another great feature, which enables a Single Sign On scenario for on-premises clients using either the Pass-Through Authentication or the Synchronized (password sync) model. Again, this scenario does not require any ADFS infrastructure, which simplifies most hybrid identity scenarios.

So how does this scenario work? When you enable Single Sign On in Azure AD Connect, a computer account is created in the on-premises Active Directory and its Kerberos decryption key is shared with Azure AD. Furthermore, two Kerberos service principal names (SPNs) are created to represent the cloud authentication URLs.

  1. User tries to access a Cloud resource using a web browser on the client.
  2. The Azure AD resource challenges the client to provide a Kerberos ticket.
  3. The client requests a ticket from Active Directory for the Azure AD resource.
  4. Active Directory locates the machine account associated with the Azure AD resource and returns a Kerberos ticket to the client, encrypted with the machine account’s secret. The ticket includes the identity of the user currently signed in to the computer.
  5. The client sends the Kerberos ticket it acquired from Active Directory to Azure AD.

Azure AD now decrypts the Kerberos ticket using the previously shared key and returns a token to the user.
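Because the shared key is the password of that computer account, it is worth checking the account the same way you would check krbtgt: what SPNs it carries and how old the key is. The script below is an added example, not part of the original post or of Azure AD Connect. It assumes the account is named AZUREADSSOACC (the name Azure AD Connect uses by default), that the ActiveDirectory RSAT module is installed, and that the caller can read the object; the 30-day threshold is a parameter you should set to your own rollover policy.

```powershell
# Added example (not from the original post or from Azure AD Connect): inspect the
# computer account that Azure AD Connect creates for Seamless SSO and report its
# SPNs and the age of its Kerberos decryption key.
# Assumptions: account name AZUREADSSOACC (Azure AD Connect's default), RSAT
# ActiveDirectory module available, caller has read access to the object.
# MaxKeyAgeDays is a local policy choice, not a value from the post.

param(
    [string]$AccountName  = 'AZUREADSSOACC',
    [int]   $MaxKeyAgeDays = 30
)

Import-Module ActiveDirectory

$acc = Get-ADComputer -Identity $AccountName `
        -Properties ServicePrincipalName, PasswordLastSet, Enabled -ErrorAction Stop

Write-Host "Account : $($acc.DistinguishedName)"
Write-Host "Enabled : $($acc.Enabled)"
Write-Host 'SPNs    :'
$acc.ServicePrincipalName | ForEach-Object { Write-Host "  $_" }

# The post says two SPNs represent the cloud authentication URLs; both should be
# HTTP/ SPNs on this single account. Fewer than two means SSO will fail for one URL.
$httpSpns = @($acc.ServicePrincipalName | Where-Object { $_ -like 'HTTP/*' })
if ($httpSpns.Count -lt 2) {
    Write-Warning "Expected two HTTP/ SPNs for the cloud authentication endpoints, found $($httpSpns.Count)."
}

# The account password IS the key shared with Azure AD. Anyone holding it can
# produce tickets Azure AD will accept for any synced user, so restrict who can
# read or replicate it and roll it over on a schedule (the AzureADSSO module that
# ships with Azure AD Connect provides the rollover cmdlet).
if ($null -eq $acc.PasswordLastSet) {
    Write-Warning 'PasswordLastSet is empty; cannot determine key age.'
} else {
    $keyAge = (Get-Date) - $acc.PasswordLastSet
    Write-Host ('Key age : {0:N0} days (set {1})' -f $keyAge.TotalDays, $acc.PasswordLastSet)
    if ($keyAge.TotalDays -gt $MaxKeyAgeDays) {
        Write-Warning "Kerberos decryption key is older than $MaxKeyAgeDays days; roll it over."
    }
}
```

Run it from a domain-joined admin workstation; a key that has never been rolled since installation is the finding you most often see in practice.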

To enable this scenario, make sure the clients are:

  • Domain joined;
  • On the internal network, so that a direct connection to the Active Directory domain controllers can be established;
  • Configured, via a GPO, with the cloud authentication endpoints in the browser's Intranet zone.

Setting up Seamless SSO can be achieved by enabling the Single Sign On option during the Azure AD Connect setup.

And filling in a domain account (for every forest) with the correct privileges to set up the SSO:

The final step in the configuration is to create a Group Policy that adds the cloud authentication URLs to the browser's Intranet zone by default:
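A quick way to confirm on a client that the Group Policy actually landed is to read the site-to-zone assignments it writes to the registry. The script below is an added example, not part of the original post. It assumes the GPO uses the "Site to Zone Assignment List" setting, which stores URL=zone pairs under the ZoneMapKey policy key, and it uses the two Seamless SSO endpoints documented by Azure AD Connect (autologon.microsoftazuread-sso.com and aadg.windows.net.nsatc.net); treat both the registry location and the URL list as assumptions to compare against your own setup.

```powershell
# Added example (not from the original post): verify on a domain-joined client that
# the cloud authentication URLs are in the Local intranet zone via Group Policy.
# Assumptions: "Site to Zone Assignment List" GPO (writes URL=zone under ZoneMapKey);
# the two URLs are the Seamless SSO endpoints Azure AD Connect documents.
# Zone 1 = Local intranet. With default browser settings only the intranet zone gets
# automatic Kerberos logon, so a URL in any other zone is reported as misconfigured.

$ExpectedUrls = @(
    'https://autologon.microsoftazuread-sso.com',
    'https://aadg.windows.net.nsatc.net'
)

# The policy can be applied per-machine or per-user; check both hives.
$ZoneMapPaths = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-PolicyZoneMap {
    # Returns a hashtable of url -> zone number from whichever policy hives exist.
    $map = @{}
    foreach ($path in $ZoneMapPaths) {
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
            $map[$prop.Name] = [int]$prop.Value
        }
    }
    return $map
}

$zoneMap = Get-PolicyZoneMap
$ok = $true
foreach ($url in $ExpectedUrls) {
    if (-not $zoneMap.ContainsKey($url)) {
        Write-Warning "$url is not assigned to any zone by policy; the browser will not send a Kerberos ticket."
        $ok = $false
    } elseif ($zoneMap[$url] -ne 1) {
        Write-Warning "$url is in zone $($zoneMap[$url]), expected 1 (Local intranet)."
        $ok = $false
    } else {
        Write-Host "$url -> Local intranet (OK)"
    }
}
if ($ok) { Write-Host 'Seamless SSO zone assignments look correct.' }
```

Run it as the signed-in user after a `gpupdate /force`; if the HKCU hive is empty but HKLM has the entries, the policy was applied per-machine, which is fine for this purpose.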

No more ADFS?

So, is the federated scenario now deprecated because of these newly released features? The answer is: no. Some scenarios still require:

  • Smart Card Authentication;
  • Claim mapping;
  • 3rd party Identity Providers;
  • On-premises conditional access policies;

For all these technical features and requirements, the federated scenario including ADFS is still the only feasible model.

For more information check the official Microsoft blog post.

  • Sølve Fredheim

    Does seamless SSO also work for partner accounts (B2B scenario)?

    • JurgenvdBroek

      Seamless SSO is a hybrid functionality which enables on-premises users to log in to Cloud services connected to Azure AD by having a SSO experience. B2B functionality is used to provide access to Cloud services connected to Azure AD for external users. In a typical hybrid setup you won't sync these B2B accounts to your on-premises environment. What is your use case?

      • Sølve Fredheim

        The use case is that I have an application, registered in my Azure AD. I invite users to my application from a business partner’s Azure AD. If the business partner has configured Seamless SSO for their own employees, will the users from the business partner that I have invited as users in my application be prompted for their credentials when they try to access my application, or will they be able to open it without being prompted for username or password?

        • JurgenvdBroek

          The user of the business partner has to log in using their IdP authentication method. This means it will use the business partner's Azure AD and the related (hybrid) authentication scenario configured, in your case seamless SSO. The user will experience Single Sign On. Although it will trigger an extra factor challenge when you have an MFA Conditional Access policy configured for the application.

          • Sølve Fredheim