Testing Windows Azure AD


A likely “testing” site (probably a Microsoft front, or a contractor firm whose public identity is hidden behind it) can be found at http://www.workaad.com/Miscellaneous/AdminConsentRequest.aspx. Whatever it is, it’s well done, and very up-to-date.


The first workflow enables us, as administrator of the custom-domain version of our Azure AD tenant, to consent to granting the webapp at this site access privileges. Let’s guess that the app that publishes such a URI, bearing its unique “client ID”, must already have a working registration as an application (in some other Azure AD tenant), and is seeking to have a ServicePrincipal (ServiceProvider, or SP in SAML speak…) record added to the Azure AD tenant associated with the IDP. Which IDP that is gets determined by the websso and consent process performed by the administrator-grade user:


Back on the active webapp site (the new SP, now registered in the IDP netmagic.onmicrosoft.com with the noted tenantID value), we see the information its provisioning process is given in order to create the IDP-pointing records:


Note how the SP webapp, during relationship provisioning, gets a summary of its SP record as now recorded in the user’s IDP. This data probably comes from the original application record held about this webapp site in its primary Azure AD tenant, now shared with the secondary “new relationship” IDP.

I find it a little disconcerting that this “partner” now knows about other verified domains of the IDP of the user (netmagic.onmicrosoft.com). We see from the wire trace that the protocol does NOT deliver such information:


Evidently, given the tenantID of the IDP, the webapp can look up its own application record in its primary IDP and learn about the new IDP from the new IDP-pointing record. We also see an email sent to the user who granted the consent:


In the Azure console for the Azure AD of the new IDP, bearing the new SP-pointing record, we now see:


Note how locked down the console is for this “type” of application registration. By definition, I suppose, it’s a multi-tenant app, and it exposes its API.
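As an added illustration (not code from this post, nor from the workaad.com site), here is a small Python model of the flow described above: an application registered in its home tenant, an administrator of a second tenant granting consent, which creates a ServicePrincipal record there, and the webapp then assembling its provisioning summary from its own record plus the one datum it was handed, the consenting tenant’s ID. Tenant IDs, permission names and the non-netmagic domains are placeholders.

```python
from dataclasses import dataclass, field

# Constructed in-memory model of the two-tenant consent flow; tenant IDs,
# permission names and domains used with it are placeholders, not page values.

@dataclass
class Application:           # the app's registration in its home tenant
    app_id: str              # the "client ID" carried in the consent URI
    home_tenant_id: str
    display_name: str
    requested_permissions: tuple

@dataclass
class ServicePrincipal:      # the "SP-pointing record" created by consent
    app_id: str
    tenant_id: str
    granted_permissions: tuple

@dataclass
class Tenant:
    tenant_id: str
    verified_domains: tuple
    applications: dict = field(default_factory=dict)
    service_principals: dict = field(default_factory=dict)

class ConsentError(Exception):
    pass

def admin_consent(home: Tenant, app_id: str, consenting: Tenant, is_admin: bool) -> ServicePrincipal:
    """Administrator of `consenting` grants tenant-wide consent to `app_id`."""
    if not is_admin:
        raise ConsentError("tenant-wide consent needs an administrator-grade user")
    app = home.applications.get(app_id)
    if app is None:
        raise ConsentError("unknown client ID: app must already be registered in a home tenant")
    # Idempotent: consenting twice must not create a second record.
    if app_id in consenting.service_principals:
        return consenting.service_principals[app_id]
    sp = ServicePrincipal(app_id, consenting.tenant_id, app.requested_permissions)
    consenting.service_principals[app_id] = sp
    return sp

def provisioning_summary(home: Tenant, app_id: str, consenting_tenant_id: str) -> dict:
    """What the webapp can assemble after consent: the only new datum that
    crosses the wire is the consenting tenant's ID; the rest is its own record."""
    app = home.applications[app_id]
    return {"tenant_id": consenting_tenant_id, "client_id": app.app_id,
            "display_name": app.display_name, "permissions": app.requested_permissions}
```

The summary deliberately contains nothing about the consenting tenant’s verified domains, matching the wire-trace observation that the protocol itself does not carry them.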


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in Azure AD.