Azure AD B2B collaboration direct federation with SAML and WS-Fed providers now in public preview

Posted on by No Comments ↓

This post has been republished via RSS; it originally appeared at: Azure Active Directory Identity Blog articles.

Howdy folks,

 

We’ve been making it easier to work with your partners by enabling you to collaborate with them using their existing identities, regardless of whether they use Azure AD or not. We already support Google social IDs as well as any email account. As a next major step in this direction, I’m excited to announce that we have a new capability—direct federation—now in public preview!

 

Direct federation makes it easier for you to work with partners whose IT managed identity solution is not Azure AD. It works with identity systems that support the SAML or WS-Fed standards. When you set up a direct federation relationship with a partner, any new guest user you invite from that domain can collaborate with you using their existing organizational account. This makes the user experience for your guests more seamless.

 

With direct federation, your guest users sign in with their organizational account, satisfying any security requirements that your partner organization has already implemented. Any additional security controls you implement for guest users, such as stronger proof of ownership for Multi-Factor Authentication (MFA), also applies to these users. When your guest leaves their organization, they no longer have access to resources.

 

 

Direct federation 1.pngFigure 1. User authentication journey using direct federation.

 

Let’s walk through what happens when a user signs in with direct federation:

  1. The direct federation user clicks a link to an application or resource you have shared with them.
  2. Azure AD checks to see if the user has been invited. 
  3. The user is re-directed to their identity provider for sign-in. 
  4. After successful sign-in, the user is returned to Azure AD. 
  5. Azure AD validates the token then sends the user to app for access. (Figure 1)  

Watch this video to learn more about how direct federation works and other identities we support.

 

Direct federation 2 v2.PNGFigure 2. Setting up direct federation in Azure AD—Organizational relationships.

To try direct federation in the Azure portal,  go to Azure Active Directory > Organizational relationships - Identity providers, where you can populate your partner’s identity provider metadata details by uploading a file or entering the details manually. (Figures 2 and 3) During public preview, we only support direct federation with an identity provider whose authentication URL matches the target domain for direct federation or belongs to a standard identity provider.

 

Direct federation 3.pngFigure 3. Populating direct federation metadata in Azure AD.

Go ahead and dive into the documentation to try out direct federation and learn more! Let us know what you think by taking our brief survey.

 

And as always, connect with us for any discussion or send us your feedback and suggestions. You know we’re listening! 

 

Best regards,

 

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.