Which connection type? SCIM, SAML, OAuth or OpenID - Microsoft Q&A (2024)

Steph O'Brien 5 Reputation points

2023-02-23T14:18:46.2466667+00:00

Hi there

Total noob to Azure AD, so apologies in advance for such a fundamental question.

I have a web application I want to add Azure AD support to, but I am not sure which method I should use. Other software within the industry seems to use SAML to connect, but reading the docs it says for a new application I should look at OAuth or OpenID.

I spoke to one of my clients using the software and they recommended SCIM.

Are there use cases/limitations on each?

Thanks in advance!

Microsoft Entra ID

A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

3 answers

  1. Danny Zollner 9,501 Reputation points Microsoft Employee

    2023-02-23T20:04:36.02+00:00

    SAML and OIDC are for authentication (i.e.: is this user who they say they are). OAuth is an authorization standard - i.e. "What resources does this user/other entity have access to". SCIM is a standard for provisioning of identity data (users, groups/members, etc) across systems.

    Between SAML and OIDC, OIDC is more modern, SAML is more widely adopted thanks to being around longer. You can potentially implement either or both of those to cover the initial user authentication/sign-in experience between an identity provider (IDP) and your app. If you adopt OIDC, you'll also want to implement OAuth 2.0.

    Whether SCIM is needed to enrich the quality of user/identity data present in your app is a separate question.

    1. EnterpriseArchitect 4,721 Reputation points

      2023-05-17T06:43:39.4166667+00:00

      @Danny Zollner,

      Can we say that if the Enterprise Application is already configured by SCIM provisioning, then there is no need to configure an additional SAML setting?

  2. David Broggy 5,681 Reputation points MVP

    2023-02-23T15:07:46.8033333+00:00

    Hi Steph,

    Is this a corporate app or a public-facing app?

    If it's corporate then likely SAML is the way to go.

    The advantage of SAML may be that if your users are already authenticating with Azure AD, they should not have to authenticate again with your app.

    If this is a public-facing app and your users don't use Azure AD to authenticate then SAML may provide fewer advantages.

    Also consider future requirements as some things may only support OAuth2 over SAML.

    https://auth0.com/intro-to-iam/saml-vs-oauth

    1. Sandeep G-MSFT 14,326 Reputation points Microsoft Employee

      2023-02-27T03:56:42.8433333+00:00

      @Steph O'Brien

      You can use any protocol to integrate your application with Azure AD.

      First, you need to check and confirm which authentication protocols your web application supports.

      OpenID, SAML and OAuth are the authentication protocols that Azure AD supports.

      OpenID and SAML are both authentication and authorization protocols. OAuth is an authorization protocol.

      Integrating your application with Azure AD with OpenID or SAML would handle both authentication and authorization.

      You can refer to the article below to get more information about authentication protocols supported by Azure AD:

      https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-vs-authorization

      How OpenID Connect authentication works:

      https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-oidc

      SCIM is a provisioning service. Azure AD makes use of SCIM to provision users and groups from Azure AD to integrated applications.

      You cannot use SCIM for authentication.

      https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/sync-scim

      https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad

      https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works

      Let me know if you have any further questions.

      Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
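
An added example (not code from any of the answers or from Microsoft) of the split the answers above describe: SCIM provisioning creates and disables the account record, while sign-in still depends on validated OIDC ID token claims. The issuer, client ID, sample user and the mapping of SCIM `externalId` to the token `sub` claim are assumptions constructed for illustration, and token signature verification is assumed to have been done beforehand by an OIDC library.

```python
import time

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Assumed app configuration (placeholder values, not from the page).
EXPECTED_ISSUER = "https://idp.example.test/tenant-placeholder/v2.0"
EXPECTED_AUDIENCE = "app-client-id-placeholder"

directory = {}  # externalId -> account record created by provisioning


def scim_upsert_user(resource):
    """Handle a SCIM create/replace of a User: stores identity data only."""
    if SCIM_USER_SCHEMA not in resource.get("schemas", []):
        raise ValueError("not a SCIM core User resource")
    record = {"userName": resource["userName"],
              "active": resource.get("active", True)}
    directory[resource["externalId"]] = record
    return record


def sign_in(claims, expected_nonce, now=None):
    """Map signature-verified OIDC ID token claims to a provisioned account.

    Returns the userName on success, or None when sign-in is refused.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return None
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None
    if claims.get("exp", 0) <= now or claims.get("nonce") != expected_nonce:
        return None
    # Assumption: the app maps the SCIM externalId to the token's sub claim.
    account = directory.get(claims.get("sub"))
    if account is None or not account["active"]:
        return None  # never provisioned, or deprovisioned through SCIM
    return account["userName"]


# Constructed sample inputs.
SAMPLE_SCIM_USER = {"schemas": [SCIM_USER_SCHEMA], "externalId": "u-1001",
                    "userName": "steph@example.test", "active": True}
SAMPLE_CLAIMS = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                 "sub": "u-1001", "exp": 2_000_000_000, "nonce": "n-abc"}
```

A SCIM request never reaches `sign_in`: it only changes what `directory` holds, so a provisioned user with no valid ID token is still not signed in.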

      1. EnterpriseArchitect 4,721 Reputation points

        2023-05-17T06:42:30.34+00:00

        Hi @Sandeep G-MSFT & @Anonymous,

        In terms of certificate maintenance the SCIM-based security is easier to maintain since there is no need for the SAML settings and certificate to upload & update under the below setting: