Single Tenant Authentication Using Azure AD in ASP.Net

This article walks through creating an ASP.Net application and implementing Single-Tenant Authentication using Azure AD.

Why use Azure AD

Azure AD provides enormous capabilities using its various offerings.

It improves an organization's applications security by implementing multifactor authentication and conditional access.

It empowers an organization's users to be more productive and happy by providing easy, controlled access to apps and services, along with self-service capabilities.

Azure provides a way to authenticate access to your organization's own applications using Azure AD.

You can use the following two types of authentication depending upon your requirements.

  1. Single-Tenant Authentication
  2. Multi-Tenant Authentication

Let's start with what we mean by a tenant in Azure AD.

A tenant is a group or organization that owns an instance of a cloud service. In short, a tenant is simply an instance of Azure Active Directory that is created when an organization signs up for a cloud service such as Azure or Office 365.

Single-Tenant Authentication in Azure AD

Single-Tenant Authentication refers to a group of users belonging to one organization having access to applications that belong to that same organization.

In short, only the users of a respective organization are able to access the application of that organization.

Multi-Tenant Authentication in Azure AD

Multi-Tenant Authentication refers to users belonging to multiple organizations having access to the applications of their own organization as well as to the applications of other organizations.
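To make the single-tenant rule concrete at the code level, here is an added example (not part of the article or of its Visual Studio project) of an ASP.NET MVC authorization filter that accepts only identities issued by your own directory. It relies on the tenant ID claim Azure AD places in its tokens (`tid` in JWT tokens, `http://schemas.microsoft.com/identity/claims/tenantid` in WS-Federation/SAML tokens); the appSettings key `ida:TenantId`, used here to hold your directory's ID, is an assumed name and not one the project template generates.

```csharp
using System;
using System.Configuration;   // requires a reference to System.Configuration.dll
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Added example: verifies that an authenticated identity was issued by the one
// tenant this application is registered in (single-tenant behaviour).
public static class SingleTenantCheck
{
    // Claim types Azure AD uses for the tenant ID: "tid" in JWT tokens and the
    // schema-qualified form in SAML / WS-Federation tokens.
    private const string TenantIdClaimJwt = "tid";
    private const string TenantIdClaimWsFed = "http://schemas.microsoft.com/identity/claims/tenantid";

    public static bool IsFromTenant(ClaimsPrincipal principal, string expectedTenantId)
    {
        if (string.IsNullOrEmpty(expectedTenantId))
            return false;   // misconfiguration: fail closed rather than accept any tenant
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        Claim tid = principal.FindFirst(TenantIdClaimJwt) ?? principal.FindFirst(TenantIdClaimWsFed);
        if (tid == null)
            return false;   // no tenant claim at all: treat as foreign

        // Tenant IDs are GUIDs, so a case-insensitive comparison is appropriate.
        return string.Equals(tid.Value, expectedTenantId, StringComparison.OrdinalIgnoreCase);
    }
}

// Drop-in replacement for [Authorize] that additionally pins the tenant.
public sealed class SingleTenantAuthorizeAttribute : AuthorizeAttribute
{
    // "ida:TenantId" is an assumed appSettings key holding your directory's GUID.
    private static readonly string ExpectedTenantId =
        ConfigurationManager.AppSettings["ida:TenantId"];

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the standard checks (authenticated, roles, users) first.
        if (!base.AuthorizeCore(httpContext))
            return false;

        return SingleTenantCheck.IsFromTenant(httpContext.User as ClaimsPrincipal, ExpectedTenantId);
    }
}

// Usage: decorate a controller or action exactly like [Authorize].
// [SingleTenantAuthorize]
// public class HomeController : Controller { ... }
```

The check fails closed: if the tenant ID setting is missing or the token carries no tenant claim, access is denied. For a multi-tenant application the same filter would instead compare the claim against a list of tenants that have signed up, which is where the two models differ in code.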

This article introduces Single-Tenant Authentication and shows how to use it with a sample application. We will focus on Multi-Tenant Authentication in the next article.

Prerequisites: You need the following software installed before proceeding.

  1. Visual Studio 2013

    If you don't have Visual Studio 2013 installed on your computer, you can download it from this URL.

  2. Windows Azure Subscription

    You can also sign up for a free trial of Windows Azure from this URL.

The following is the procedure for configuring Azure Active Directory:

  1. Log into the Azure portal.

  2. You can log into the Azure Portal using this URL.

  3. Click on New then go to App Services -> Active Directory -> Directory -> Custom Create.

    Custom Create

  4. Enter all the necessary information and click Next.

    For example, in the following screenshot I have entered:

    Name (Name refers to Active Directory name): pushkaractivead

    DomainName: pushkaractivead

    add directory

    In the preceding screenshot the domain name is pushkaractivead.onmicrosoft.com.

    Here I am using the default Office 365 domain (onmicrosoft.com) since I don't have any custom domain of my own.

  5. Your active directory is created as shown below:

    pushkaractivead

  6. Go to the Users tab.

    Users tab

  7. Click on the Add user button and a window will appear.

    Add user button

  8. Enter the username of your choice and click Next.

  9. You are navigated to the user profile screen. Enter the necessary information then click Next.

    user profile

  10. After you click on "Next" a temporary password generation screen is shown.

    create

  11. Click the Create button to get a temporary password and copy it into Notepad, since it will be needed later; you will also need to change this temporary password later.

  12. The temporary password screen is shown; click "Next".

    temporary password

  13. Your user is now created in the Active Directory you created.

    active directory

Create a simple ASP.Net application, since we will implement single sign-on using Azure AD in this .Net app.

We will be using Visual Studio since it has many embedded features that will be useful for us when implementing single sign-on.

  1. Open Visual Studio.

  2. Go to File -> New -> Project and the following screen will appear.

    web application

    Select ASP.Net application then enter the name of the app and click OK.

  3. After clicking OK, select MVC application as a new template and click on the change authentication button.

    Change Authentication

  4. After you click on the Change Authentication button a screen will appear as in the following:

    Change Authentication button

    Enter the domain name; you can find it in the Azure portal. In the preceding point 5, when we created the user "myuser", the username was "myuser@pushkaractivead.onmicrosoft.com".

    So in this case pushkaractivead.onmicrosoft.com is my domain name, in your case it might be different.

  5. After you click OK a new screen will appear where you need to enter your username (the user we created in our Azure active directory in Step 9) and the temporary password generated in Step 12. You also need to enter a new password.

    visual studio

Once you enter all the information, click on the "Update password and sign in" button.

Note: The user information we are entering in the preceding screen will not allow us to create a project with single sign-on, since the user needs to have the Global Admin role.

If you want to create a new project with single sign-on enabled then you need to have a user with global admin rights.

For example, I have a user named "Pushkar Dudhal" in the active directory "pushkaractivead" that we created above, and he has been assigned the Organizational Role "Global Admin".

Please see the following screen shot for more details:

Pushkar Dudhal

Now, once your project is created in Visual Studio, you need to register the application in the Azure Active Directory.

Go to the Application Tab in the Azure Directory Screen as shown in the following screen shot.

Azure Directory

Click on the Add button at the bottom; a window will be displayed.

Click on Add button

Click on "Add an application my organization is developing". After this enter the name of the application you want to register with Azure AD as shown below and click "Next".

Add an application my organization is developing

After you click on "Next" you will be navigated to the next screen, "App Properties".

App Properties

In this screen you need to enter "SIGN-ON URL" and "APP ID URI".

  1. Here "SIGN-ON URL" is the URL you will be redirected to once you have signed on successfully. In short, it is the URL of your application.

    Note: In my case I have specified the "SIGN-ON URL" as "http://localhost" because I will run it locally first, later I will replace it with my application URL that I will be hosting in the cloud.

  2. Here the "APP ID URI" is basically in the format http://{name of the domain}/{name of your app}.

    Click "Next" once you have entered all the information.

  3. Go to the Configure tab of the application we registered in the earlier procedure; you will land on a page similar to the following:

    configure tab

Now scroll down on the same screen and look for the Client ID; copy it into Notepad.

In the keys section select the key duration as 1 year.

In the permissions to other applications section select Application Permission as "Read Directory Data".

Now click on the Save button to save the settings we have made.

A key will be generated after saving, please copy the generated key into Notepad as shown below:

add application

Now return to your project in Visual Studio and open the web.config file. Replace the client ID value and the password value with the values we copied into Notepad in the earlier procedure.

web config
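As an added illustration (not the article's own web.config), the two appSettings entries being replaced look like the following; the key names are assumed here to be `ida:ClientId` and `ida:Password`, and every value is a placeholder. The generated key is a client secret equivalent to a password, so the fragment also shows keeping it in a separate file through the `file` attribute of `<appSettings>`, which lets that file be excluded from source control while web.config itself is committed.

```xml
<!-- web.config (added example, not the article's file). Values in braces are placeholders. -->
<configuration>
  <!-- "file" names an optional external file whose keys are merged into appSettings
       at runtime; keep secrets.config out of source control. -->
  <appSettings file="secrets.config">
    <!-- Client ID copied from the Configure tab of the registered application -->
    <add key="ida:ClientId" value="{CLIENT-ID-FROM-AZURE-PORTAL}" />
    <!-- Assumed key name: your directory's tenant ID, used by an authorization check -->
    <add key="ida:TenantId" value="{TENANT-ID-GUID}" />
  </appSettings>
</configuration>

<!-- secrets.config (separate file): the key generated in the Keys section lives here,
     not in web.config, so it never enters the repository. -->
<appSettings>
  <add key="ida:Password" value="{KEY-GENERATED-IN-KEYS-SECTION}" />
</appSettings>
```

If secrets.config is missing, ASP.NET simply ignores the `file` attribute, so the application starts but sign-in fails until the key is supplied; that is the preferred failure mode compared with a secret checked into the project.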

Now open the LoginPartial.cshtml file. Replace the entire contents with the following contents:

    @{
        // Fall back to a placeholder when the identity carries no name
        var user = "Null User";
        if (!String.IsNullOrEmpty(User.Identity.Name))
        {
            user = User.Identity.Name;
        }
    }

    @if (Request.IsAuthenticated)
    {
        <text>
            <ul class="nav navbar-nav navbar-right">
                <li>
                    @*@Html.ActionLink(User.Identity.Name, "UserProfile", "Home", routeValues: null, htmlAttributes: null)*@
                    @Html.ActionLink(user, "UserProfile", "Home", routeValues: null, htmlAttributes: null)
                </li>
                <li>
                    @Html.ActionLink("Sign out", "SignOut", "Account")
                </li>
            </ul>
        </text>
    }
    else
    {
        <ul class="nav navbar-nav navbar-right">
            <li>@Html.ActionLink("Sign in", "Index", "Home", routeValues: null, htmlAttributes: new { id = "loginLink" })</li>
        </ul>
    }

How to Test Single-Tenant Authentication

To test Single-Tenant Authentication we will create an application similar to the one we created in the preceding procedure.

Now let's publish both of the apps to the cloud as an Azure Website.

For publishing to the cloud please refer to the following procedure.


  1. Right-click on the project and click Publish.

    click publish

  2. A window will appear, select "Microsoft Azure Web Apps" as the publish target. Another window will appear as shown below:

    Microsoft Azure Web Apps

  3. Click on the Sign In button and enter your Azure Subscription credentials.

    Once it is done the New and Existing Web apps button and Dropdown are enabled.

  4. Click New and enter the name of the web app; in my case I have used "mysingletennantapp" as the name of the website. Then click OK.

  5. Now click "Next" and you will be navigated to the next screen as shown below.

    url

Be sure the destination URL uses https. Click "Next".

setting

In the preceding figure there is a section for databases. They are Azure databases that you need to create before publishing as a website.

For creating a database in Azure refer to the following URL.

Now once your database is created go to the database you have created and click on the dashboard in the Azure Management Portal.

Click on Show connection strings and copy the ADO .Net connection string. Then copy and paste it into the TenantDbContext TextBox.

Then click "Next".

publish

That's it, you are ready to go, your website is published.

Similarly, you can publish the other application also.

The following is how to test Single-Tenant Authentication.

Now we have 2 websites.

For example:

  1. https://mysingletennantapp1.azurewebsites.net/
  2. https://singletennantapp2.azurewebsites.net/

Now open the first website in the browser and sign in with the user we created in the Azure Active Directory. Once you are logged into the first app, open a new tab in the same browser and enter the URL of the second application; you should be taken to the second app automatically, without logging into it, as shown in the following figures.

my single tennant app 1

my single tennant app 2

As shown in the preceding figures, I have hosted two apps in the cloud as Azure websites, opened both in the same browser, and both are logged in with the same user.

Summary

In this article I have shown how to implement Single-Tenant Authentication using Azure AD.

In the next article I will show what Multi-Tenant Authentication is and how to implement Multi-Tenant Authentication using ASP.NET.