Microsoft announced on Tuesday that the Azure Active Directory (AD) Application Proxy service now works with applications that use the Security Assertion Markup Language (SAML) 2.0 for user authentications.
SAML is XML-based markup and an OASIS Consortium standard that’s used to pass user identity credentials between a service provider and an identity provider (such as Azure AD). It enables single sign-on (SSO), permitting end users to access various apps with a single log-in. SAML is said to “provide more control to enterprises to keep their SSO logins more secure” compared with the newer OAuth standard, according to a description by cybersecurity company Varonis.
The SAML capability in the Azure AD Application Proxy Service is now at the “general availability” release status, meaning that it’s deemed ready by Microsoft for use in production environments. It can be leveraged by organizations to provide end users with remote access to applications, including internal custom-built Web apps.
Alternative to VPNs
The Azure AD Application Proxy service enables SSO access to remotely housed applications, and is considered to be an alternative to using virtual private networks (VPNs) for controlling access to apps.
VPNs mask Internet Protocol addresses and can add encryption for remote connections, according to a description by security solutions company Norton. However, VPNs also get critiqued for leaking user traffic information and for not providing encryption, according to a description by software-defined perimeter company DH2i.
Microsoft describes Azure AD Application Proxy connections in its documentation. IT pros use the Azure Portal to configure the Azure AD Application Proxy service, which allows them to publish an external URL to Azure. This external URL connects with an “internal application server URL” for accessing applications within an organization. End users can then access these applications using a URL or the MyApps access panel on a desktop or mobile device, Microsoft’s documentation explained.
The Azure AD Application Proxy service also enables the use of additional security features for organizations, according to Microsoft’s documentation. It ensures that only pre-authenticated connections are permitted. It works with Microsoft’s Conditional Access service to impose conditions before allowing device access. Back-end servers are “not exposed to direct HTTP traffic” and are “better protected” against denial-of-service attacks. The Azure AD Application Proxy Service also works with the Microsoft Intune mobile management solution and can tap various Azure services, such as Azure AD Identity Protection.
“Connecting your on-premises applications to Azure AD Application Proxy benefits from all the work we’ve done in Azure AD to secure your applications with Identity Protection, Multi-Factor Authentication (MFA), and Conditional Access,” stated Alex Simons, corporate vice president of program management at the Microsoft Identity Division, in the announcement.
The SAML support in the Azure AD Application Proxy service had been one of the “biggest requests we received over the past several months,” he added.
Azure AD B2B and B2C Sign-In Previews
Earlier this month, Microsoft also announced support for SAML and WS-Fed at the preview level in the Azure AD B2B (Business to Business) service. The Azure AD B2B service, which lets organizations share resources with business partners, already had support for using e-mail accounts or Google sign-ins to provide network access. However, this SAML and WS-Fed preview lets organizations collaborate “using their existing identities, regardless of whether they use Azure AD or not,” Simons explained.
Microsoft is calling this Azure AD B2B capability using SAML or WS-Fed “direct federation.” It permits the guest’s organizational security requirements to be satisfied while also allowing the host organization to add their own security controls, the announcement explained. IT pros can set up direct federation for the Azure AD B2B service via the Azure Portal.
If that weren’t enough, Microsoft also described this week a preview of the “Sign In With Apple” policy in the Azure AD B2C (Business to Consumer) service. Sign In With Apple is supposed to be a more private alternative to using social media log-ins from companies like Google or Facebook as identity providers. Apple’s preview is limited, and it’s sort of a hack to get it to work with the Azure AD B2C service, but it’s apparently supported by Microsoft.