Azure Active Directory Login

ORIGAM provides support for single sign-on (SSO) with Azure Active Directory (AAD). This article describes how to enable this sign-on in ORIGAM. Correct set-up on the AAD side is out of scope of this article; the relevant information can be found here.

To enable SSO, appsettings.json has to be adjusted. The adjustment depends on whether the authentication runs in single-tenant or multi-tenant mode. In both cases, once set up, the login screen should contain a Sign in with Azure AD button.

Single-tenant Authentication

Single-tenant authentication authenticates against one and only one tenant in Azure Active Directory. This is useful if your application will only be used by a single AD organization against which you want to authenticate the users. To use this authentication type, add the following section into the IdentityServerConfig section:

"IdentityServerConfig": {
    "AzureAdLogin": {
        "ClientId": "client_id_guid",
        "TenantId": "tenant_id_guid"
    }
}

Multi-tenant Authentication

Multi-tenant authentication can authenticate against multiple Azure Active Directory organizations. This is useful if your application will be used by users from different organizations. You will most probably need to implement your own user/organization assignment logic using the AuthenticationPostProcessor entry. To use this authentication type, add the following section into the IdentityServerConfig section:

"IdentityServerConfig": {
    "AzureAdLogin": {
        "ClientId": "client_id_guid",
        "TenantId": "common",
        "ClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    },
    "AuthenticationPostProcessor": "namespace.AuthenticationPostProcessor,assembly"
}

ClaimType

Denotes the claim that contains the user name by which the user will be looked up in ORIGAM.

AuthenticationPostProcessor

AuthenticationPostProcessor is an optional parameter specifying the authentication post-processor. By default the internal AlwaysValidAuthenticationPostProcessor is used. In a multi-tenant environment it should be used to validate that the user/tenant pair matches the information in ORIGAM: with TenantId set to common, an account from any Azure AD tenant can complete the sign-in, and the default post-processor accepts every authenticated user. IAuthenticationPostProcessor is declared in the Origam.Service.Core 1.1.0+ NuGet package.
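The following is an added, language-neutral illustration of the user/tenant check a multi-tenant post-processor should perform (it is not ORIGAM code and does not use the IAuthenticationPostProcessor interface, whose signature is not given on this page). It models the token's claims as a dictionary, looks the user up by the name claim type from the multi-tenant configuration above, and compares the token's tenant ("tid" claim, assumed to be present in the AAD token) with the tenant the ORIGAM account is bound to. The user directory and sample tokens are constructed for the example.

```python
"""Tenant/user consistency check for multi-tenant Azure AD sign-in.

Added illustration, not ORIGAM code: models the validation an
AuthenticationPostProcessor should perform when TenantId is "common".
The user directory and the sample tokens below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Tuple

# Claim type the multi-tenant configuration uses to carry the user name.
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
# Azure AD tenant identifier claim; assumed to be present in the token.
TENANT_CLAIM = "tid"


@dataclass(frozen=True)
class OrigamUser:
    user_name: str
    tenant_id: str  # the single AAD tenant this ORIGAM account is bound to


# Constructed tenant ids standing in for two customer organizations.
CONTOSO = "11111111-1111-1111-1111-111111111111"
FABRIKAM = "22222222-2222-2222-2222-222222222222"

# Constructed stand-in for ORIGAM's user store, keyed by case-folded user name.
USER_DIRECTORY: Dict[str, OrigamUser] = {
    "alice@contoso.example": OrigamUser("alice@contoso.example", CONTOSO),
    "bob@fabrikam.example": OrigamUser("bob@fabrikam.example", FABRIKAM),
}


def validate_login(claims: Mapping[str, str],
                   directory: Mapping[str, OrigamUser] = USER_DIRECTORY) -> Tuple[bool, str]:
    """Return (accepted, reason) for one authenticated token's claims.

    A token is accepted only when the name claim resolves to a known ORIGAM
    user AND the token was issued by the tenant that user is bound to.
    Matching on the name claim alone would let an identically named account
    from any other Azure AD tenant log in as that ORIGAM user.
    """
    name = claims.get(NAME_CLAIM, "").strip().casefold()
    tenant = claims.get(TENANT_CLAIM, "").strip().casefold()
    if not name or not tenant:
        return False, "missing name or tenant claim"
    user = directory.get(name)
    if user is None:
        return False, "unknown user"
    if user.tenant_id.casefold() != tenant:
        return False, "tenant mismatch"
    return True, "ok"


# Constructed claim sets, one per situation the check must distinguish.
SAMPLE_TOKENS: Dict[str, Dict[str, str]] = {
    "alice_from_contoso": {NAME_CLAIM: "alice@contoso.example", TENANT_CLAIM: CONTOSO},
    "same_name_other_tenant": {NAME_CLAIM: "alice@contoso.example",
                               TENANT_CLAIM: "33333333-3333-3333-3333-333333333333"},
    "bob_no_tid": {NAME_CLAIM: "bob@fabrikam.example"},
    "unknown_user": {NAME_CLAIM: "mallory@contoso.example", TENANT_CLAIM: CONTOSO},
}


def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every constructed token; only alice_from_contoso is accepted."""
    return {label: validate_login(claims) for label, claims in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for label, (ok, reason) in run_samples().items():
        print(f"{label:24} {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The directory lookup is keyed on the case-folded user name and the tenant comparison is also case-insensitive, so differences in how AAD renders the claim do not produce spurious rejections; every other failure (missing claim, unknown user, wrong tenant) is rejected with a distinct reason that can be logged for troubleshooting.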