Adding Users from one Azure Active Directory to access an application in another Azure Active Directory
Category: azure windowsazuread
TinuTO on Fri, 04 Jul 2014 11:37:00
Craig McMurtry on Fri, 04 Jul 2014 16:21:57
I'll get this answered for you.
Craig McMurtry on Fri, 04 Jul 2014 17:07:41
The user's userPrincipalName is directing the security token service to issue a token for that user from the user's "home" directory, and that directory has no service principal configured to issue tokens to the external application. Therefore, you are observing the outcome that you have reported. What are the business requirements that you wish to satisfy? We may be able to figure out how to address the scenario in a different way.
TinuTO on Sat, 05 Jul 2014 08:42:37
Thanks for the reply. We are trying to enable users from different Active Directories to be able to access our application via a single sign-on page. This is just a first step, since in the subsequent steps we would also like to enable access to users from other Windows Azure Active Directories that do not belong to our account - like an Office 365 user of another organisation. There is also an option to add users with an existing Microsoft account, which we are interested in. I also tried that out, and although a Microsoft account user gets added, he/she faces the same error as above during login.
Also, another approach, or rather the only approach that I can think of, is making the web application multi-tenant within our AD - http://msdn.microsoft.com/en-us/library/azure/dn151789.aspx & https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet
Can you also confirm if the above approach would work?
TinuTO on Sat, 05 Jul 2014 11:39:30
The above multi-tenant approach seems to have worked. The Web App Multi-tenant OpenId sample in the above link manages to achieve what I wanted. It uses OAuth2 to serve up a request to provision a web application within different tenants, given the client ID of the web application and the consent of the user of the target tenant. So to summarize - my web application resides in AAD2, and the code in the sample helps me to programmatically provision the web application as an application in the tenant in AAD1. So users in AAD1 can directly access the web application by giving consent to do the same. Not only this, but the code also helps me to enable access for users of any other Windows Azure Active Directory which is not a part of my subscription to log in to the web application. So it all works! Anyways, thanks Craig for the help!
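The part of the multi-tenant pattern that is easy to get wrong is the validation side: once the app accepts tokens from the `common` endpoint, every Azure AD tenant in the world can mint a syntactically valid token for it, so the app itself must check that the token's tenant is one that actually consented. The example below is added here to illustrate that check and is not code from the thread or from the AzureADSamples project (which is in C#). It assumes the v1 Azure AD issuer format `https://sts.windows.net/{tid}/`, a placeholder client ID, and an in-memory stand-in for the consented-tenant store that the sample keeps in a database; the consent-callback parameter names (`admin_consent`, `tenant`) are my recollection of the sample and should be treated as an assumption. Signature verification is assumed to have been done already by the OpenID Connect middleware against the tenant's signing keys; these are the claim checks layered on top.

```python
import base64
import json
import time

# Placeholder client (application) ID; constructed, not a real Azure AD value.
CLIENT_ID = "00000000-0000-0000-0000-00000000c1d0"

# Issuer format for Azure AD v1 tokens; the tenant id is embedded in the URL.
ISSUER_TEMPLATE = "https://sts.windows.net/{tid}/"


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_claims(jwt):
    """Return the payload claims of a compact JWT as a dict.

    Only the claims are decoded here; the signature is assumed to have been
    verified upstream by the OIDC middleware against the issuing tenant's keys.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def record_consent(consented_tenants, query_params):
    """Onboard a tenant from the admin-consent redirect.

    Mirrors the sample's onboarding step: the tenant is only added when the
    callback reports admin_consent=True (parameter names are an assumption).
    Returns the tenant id that was recorded, or None if nothing was recorded.
    """
    if query_params.get("admin_consent") != "True":
        return None
    tid = query_params.get("tenant")
    if not tid:
        return None
    consented_tenants.add(tid)
    return tid


def validate_multitenant_claims(claims, client_id, consented_tenants, now=None):
    """Check the claims a multi-tenant app must verify itself.

    Returns (ok, reason). The order matters: the issuer is tied to the tid
    claim first, so a token cannot name a consented tenant in tid while
    actually coming from another tenant's issuer.
    """
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if not tid:
        return False, "missing tid claim"
    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        return False, "issuer does not match tid"
    if tid not in consented_tenants:
        return False, "tenant has not consented"
    if claims.get("aud") != client_id:
        return False, "audience is not this application"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def _demo():
    # Constructed sample flow: AAD1's admin consents, then a user from AAD1
    # and a user from an unrelated tenant present tokens.
    tenants = set()
    record_consent(tenants, {"admin_consent": "True", "tenant": "tenant-aad1"})
    good = {"tid": "tenant-aad1", "iss": ISSUER_TEMPLATE.format(tid="tenant-aad1"),
            "aud": CLIENT_ID, "exp": int(time.time()) + 3600}
    stranger = dict(good, tid="tenant-other",
                    iss=ISSUER_TEMPLATE.format(tid="tenant-other"))
    print(validate_multitenant_claims(good, CLIENT_ID, tenants))
    print(validate_multitenant_claims(stranger, CLIENT_ID, tenants))


if __name__ == "__main__":
    _demo()
```

The tenant allowlist is what distinguishes "any Azure AD user can sign in" (what the `common` endpoint alone gives you) from "users of tenants that onboarded can sign in"; without it, the successful consent step described above is decorative.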