Azure AD Seamless SSO


Seamless SSO used to be something I found really, really hard. But with the experience gained from configuring Kerberos two or three years ago, and then starting to work with SAML, Seamless SSO is no longer so hard to grasp.

First, I have to thank our great Microsoft. Around September last year Azure AD got an update: Pass-Through Authentication. Microsoft explains that the benefit is that authentication goes back to the on-premises AD, so there is no need to turn on Password Sync.

On the other hand, although we already have an ADFS WAP, it sits in the DMZ and is therefore not joined to AD, so Azure Pre-Authentication cannot be used with it. The Application Proxy Connector, however, has no such limitation: it can be installed on any domain-joined server. Given that, running Kerberos with the machine account is no trouble at all.

The steps can simply follow Microsoft's documentation. Only one step caught my attention in particular, because it differs from the way I used to configure KCD. Normally, under Delegation – "Trust this computer for delegation to specified services only", the section below it is set to "Kerberos only"; but this time, when configuring delegation for the Application Proxy, it uses "Use any authentication protocol".

  • Reconfirm that the connector host has been granted the rights to delegate to the designated target account’s SPN, and that Use any authentication protocol is selected. For more information about this topic, see SSO configuration article

https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-back-end-kerberos-constrained-delegation-how-to
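As an added example (not from the post or from Microsoft's documentation), the following PowerShell applies that delegation step to the connector's machine account, reads the result back, and lists every account in the domain that has protocol transition enabled; the host name APPPROXY01 and the SPN HTTP/intranet.contoso.com are assumed.

```powershell
# Added example, not from the original post. Assumed names:
# connector host APPPROXY01, back-end application SPN HTTP/intranet.contoso.com.
Import-Module ActiveDirectory

$ConnectorHost = 'APPPROXY01'
$TargetSpn     = 'HTTP/intranet.contoso.com'

# 1. Constrained delegation: allow the connector to delegate only to the back-end SPN.
Set-ADComputer -Identity $ConnectorHost -Add @{'msDS-AllowedToDelegateTo' = $TargetSpn}

# 2. "Use any authentication protocol" = protocol transition (S4U2Self).
#    Needed here because the connector receives an Azure AD pre-authenticated request,
#    not a Kerberos ticket from the user, so it must obtain the service ticket itself.
Set-ADAccountControl -Identity "$ConnectorHost$" -TrustedToAuthForDelegation $true

# 3. Verify by reading the raw userAccountControl bits and the delegation list back.
function Test-ConnectorDelegation {
    param([string]$ComputerName, [string]$Spn)
    $c = Get-ADComputer -Identity $ComputerName -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # UAC bit set by "Use any authentication protocol"
    $TRUSTED_FOR_DELEGATION         = 0x80000     # UAC bit for unconstrained delegation; must stay clear
    [pscustomobject]@{
        Computer            = $c.Name
        ProtocolTransition  = [bool]($c.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        Unconstrained       = [bool]($c.userAccountControl -band $TRUSTED_FOR_DELEGATION)
        DelegatesToSpn      = $c.'msDS-AllowedToDelegateTo' -contains $Spn
        AllowedToDelegateTo = $c.'msDS-AllowedToDelegateTo'
    }
}
Test-ConnectorDelegation -ComputerName $ConnectorHost -Spn $TargetSpn

# 4. Protocol transition lets the account obtain tickets for any user to the listed SPNs,
#    so periodically list every account that has it and review the target SPNs.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' `
    -Properties sAMAccountName, 'msDS-AllowedToDelegateTo' |
    Select-Object sAMAccountName,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } }
```

Expect ProtocolTransition and DelegatesToSpn to be True and Unconstrained to be False; if the audit in step 4 shows a connector delegating to SPNs beyond its own back-end application, the delegation list should be trimmed.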

Both of the following YouTube videos explain it clearly and are worth watching.

Reference

https://www.youtube.com/watch?v=PyeAC85Gm7w

https://www.youtube.com/watch?v=vt2R4P4xLQA

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-sso-using-kcd