Accessing webapp from inside and outside the corporate perimeter

    Question

  • Hi!

    I'm looking for solutions that could best address the following requirements.

    - We plan to develop a webapp and deploy it in the cloud (not necessarily Azure).
    - Corporate users must be able to access the webapp from the enterprise network, where they're already connected to the corporate AD, with an SSO mechanism (e.g. SAML, OAuth/OpenID Connect, WS-Fed, etc.).
    - The same users can be on the road, and still be able to connect to the same webapp.
    - When they're on the road, though, SSO is not mandatory: they could connect with other login credentials (e.g. via the webapp's own userid/password management system, or through a third-party identity provider). If there are solutions where they could still use their AD credentials from outside the company, this should of course be considered.
    - If a user is de-provisioned from the AD, he must not be able to connect using the webapp's own login system or a third-party identity provider. Same thing if his group memberships change: it must be taken into account in the webapp, whatever the login option used.

    I understand there are many possible solutions (VPN connection, using Azure AD, etc.), and I'd greatly appreciate any view on the subject to find those with the most acceptable combination of impacts on the present infrastructure, cost, user-friendliness, security, and availability.

    Thanks!

    -- Aleph

    Friday, April 7, 2017 8:14 PM

All replies

  • Hi Aleph,
    Based on your description, what comes into my mind is Active Directory Federation Services (AD FS).
    AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions.
    If that makes sense to you, you could ask more details in the ADFS forum:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=ADFS 
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, April 10, 2017 9:05 AM
    Moderator
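The claims flow Wendy describes (the user's organization authenticates and issues claims; the hosting side maps incoming claims through its trust policy and authorizes on the result) is what makes Aleph's de-provisioning and group-change requirement fall out naturally: the app never stores roles, it derives them from a freshly issued, validated token on every sign-on. The following is an added illustration, not code from the original thread or from AD FS itself. It uses a constructed HMAC-signed token in place of a real SAML/WS-Fed assertion, a constructed issuer URL, demo signing key, claim type and group names, and a made-up `CLAIM_RULES` mapping standing in for AD FS claim-transformation rules; the validation checks (trusted issuer, signature, audience, validity window) are the ones any relying party must perform regardless of token format.

```python
"""Claims-based authorization at the relying party (added example, not from the thread)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed federation trust: issuer -> signing key the relying party trusts.
# A real deployment keeps the IdP's public signing certificate here instead.
TRUSTED_ISSUERS = {
    "https://sts.contoso.example/adfs/services/trust": b"constructed-demo-key",
}
APP_AUDIENCE = "urn:webapp:example"  # assumed relying-party identifier

# Trust policy: (incoming claim type, value) -> application role.
# Anything without a rule is dropped, so unknown groups grant nothing.
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # assumed claim type
CLAIM_RULES = {
    (GROUP_CLAIM, "WebApp-Admins"): "admin",
    (GROUP_CLAIM, "WebApp-Users"): "user",
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, key: bytes, claims: dict, ttl: int = 300, now=None) -> str:
    """Stand-in for the IdP: sign the claims it holds about the user right now."""
    now = int(time.time()) if now is None else now
    payload = dict(claims, iss=issuer, aud=APP_AUDIENCE, iat=now, exp=now + ttl)
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token: str, now=None):
    """Return the payload only if issuer, signature, audience and time window all check out."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        payload = json.loads(_unb64(body))
    except ValueError:  # covers malformed base64, bad JSON, wrong segment count
        return None
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:  # issuer not in the federation trust
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):  # constant-time signature check
        return None
    if payload.get("aud") != APP_AUDIENCE:  # token minted for some other app
        return None
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        return None
    return payload


def map_claims(payload: dict) -> set:
    """Apply the trust policy: translate partner claims into app roles."""
    roles = set()
    for claim_type, values in payload.get("claims", {}).items():
        for value in values:
            role = CLAIM_RULES.get((claim_type, value))
            if role:
                roles.add(role)
    return roles


def authorize(token: str, required_role: str, now=None) -> bool:
    """Authorization decision made purely from the validated, mapped claims."""
    payload = validate_token(token, now)
    if payload is None:
        return False
    return required_role in map_claims(payload)
```

Because `authorize` has no local user or role table, a user removed from AD simply never gets a fresh token, and a user dropped from `WebApp-Admins` loses `admin` at the next token issuance without any change on the app side; token lifetime (`ttl`) bounds how long a stale membership can linger. If Aleph does add a local userid/password path for road warriors, that path must still gate sign-in on an AD lookup (or on an AD-issued token) or the de-provisioning requirement breaks.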
  • ADFS will best suit your requirement; you may refer to the link below for details:

    https://msdn.microsoft.com/en-us/library/bb897402.aspx


    Monday, April 10, 2017 11:44 AM
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy



    Friday, April 14, 2017 9:33 AM
    Moderator