Azure B2B Collaboration using a 3rd party SAML 2.0
Key pointers for setting up Azure B2B with a third-party SAML 2.0 identity provider
High Level Architecture:
The diagram below shows the use case discussed in this article.
Sample use case: A service provider has sensitive data that cannot leave its environment. Customers are interested in accessing this data. A business partner builds a platform that brings customers onto it; from there, these customers access the protected data through secured and anonymous connectivity into the service provider's environment.
Service Provider: Azure acts as the Service Provider (Relying Party), providing access to protected applications and data that are available within Azure.
Customers: Customers are interested in consuming the Azure services.
Partner: The business partner sets up SSO using a third-party SAML 2.0 solution and acts as the business platform that connects customers with the service provider securely. The partner onboards customers onto its platform and relies on each customer, acting as the identity provider (IdP), to verify its employees' identities.
The partner also provides customers with a new identity that is mapped to a guest account in Azure AD. Customers access the protected apps/data using this guest account.
The section below lists key implementation pointers that apply to the partner, who is responsible for providing this configuration.
Implementation Details:
Following are some of the key configuration points of the solution that can be used to implement this use case. There may be better solutions or other use cases, but the intent here is to provide ready guidance for anyone trying a similar approach.
Key points of this configuration:
1. SAML SSO with Customers' IdP: This design expects that the partner has already set up SAML SSO with individual customers. The partner maintains a third-party SAML solution on its platform for this integration. SAML single sign-on (SSO) lets users authenticate through their company's identity provider when they log in to partner apps.
2. Third-Party SAML: Set up a third-party SAML 2.0 provider as the IdP by following this article: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation#to-configure-federation-in-the-azure-portal.
Important: The domain used by the SAML provider must NOT be added to or present in Azure AD as a verified domain. You can check this under custom domains in the Azure AD blade. If this domain is present in Azure AD, your SAML configuration will not complete and will fail with errors such as "Invalid domain".
3. Guest User Account: Create a guest user account in Azure AD. A typical guest user account in Azure AD looks like this example: john.wick_federation.com#EXT#@myorg.onmicrosoft.com
Important: Why use a guest account? In this use case the actual identities are managed by the partner and authenticated by the customers. Guest accounts are local to Azure AD and can therefore be used to grant access to protected data within the Azure subscription.
For example, in this case the partner holds an account, john.wick@federation.com, which is mapped (through the SAML integration) to the actual identity of John Wick in his employer's directory, which is responsible for the authentication:
john.wick@federation.com -> john.wick@continental.com
4. Guest User Invite Redemption: If you don't wish to send guest user invitations to a user mailbox (or there is no mailbox, i.e. the partner doesn't need to maintain one), you can use the direct redemption link present in the guest user account (go to the guest user account in Azure AD and click Resend Invitation) and let your end customers use this link to accept the invitation and gain access to the Azure apps.
Guest account provisioning can be automated through Azure Functions within the Azure environment. This way you don't need to share sensitive AD credentials outside the Azure subscription.
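The following is an added example (not code from the article) of what such an automated provisioning step can look like in Python, covering both the "Invalid domain" pre-flight check from step 2 and the direct redemption link from step 4. It assumes Microsoft Graph's `GET /v1.0/domains` and `POST /v1.0/invitations` endpoints; the HTTP transport is injected so the logic runs offline against constructed responses, and token acquisition (for instance a managed identity inside the Azure Function) is assumed rather than shown. The guest UPN helper, the constructed tenant data and the fake transport are illustrative.

```python
"""Guest-account provisioning helpers for Azure B2B with a third-party SAML IdP.

Added example, not the article's code. Uses Microsoft Graph's
GET /v1.0/domains and POST /v1.0/invitations. The transport is injected so
the logic can be exercised offline; real deployments pass a function that
sends the request with a bearer token and returns the parsed JSON body.
"""
from typing import Any, Callable, Dict, Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# Transport signature: (method, url, json_body_or_None) -> parsed JSON response.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def guest_upn(email: str, tenant_domain: str) -> str:
    """Derive the UPN Azure AD assigns to a guest, e.g.
    john.wick@federation.com -> john.wick_federation.com#EXT#@myorg.onmicrosoft.com
    """
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return f"{local}_{domain}#EXT#@{tenant_domain}"


def federation_domain_conflicts(transport: Transport, federation_domain: str) -> bool:
    """Pre-flight for the 'Invalid domain' failure: the SAML IdP's domain must not
    already exist in the tenant's domain list (verified or pending)."""
    resp = transport("GET", f"{GRAPH}/domains", None)
    tenant_domains = {d["id"].lower() for d in resp.get("value", [])}
    return federation_domain.lower() in tenant_domains


def build_invitation(email: str, redirect_url: str,
                     display_name: Optional[str] = None) -> Dict[str, Any]:
    """Request body for POST /invitations. sendInvitationMessage=False because the
    partner has no mailbox to deliver to and hands out the link itself."""
    body: Dict[str, Any] = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": False,
    }
    if display_name:
        body["invitedUserDisplayName"] = display_name
    return body


def invite_guest(transport: Transport, email: str, redirect_url: str,
                 federation_domain: str) -> Dict[str, str]:
    """Create the guest and return the direct redemption link (inviteRedeemUrl),
    the guest object id and the invitation status."""
    if federation_domain_conflicts(transport, federation_domain):
        raise RuntimeError(
            f"{federation_domain} is registered in the tenant; remove it before federating")
    resp = transport("POST", f"{GRAPH}/invitations", build_invitation(email, redirect_url))
    return {
        "redeem_url": resp["inviteRedeemUrl"],
        "guest_id": resp["invitedUser"]["id"],
        "status": resp["status"],
    }


# Constructed responses standing in for Graph. Shapes follow the documented
# domain and invitation objects; the ids and URLs are made up.
FAKE_TENANT = {
    "domains": {"value": [{"id": "myorg.onmicrosoft.com", "isVerified": True}]},
    "invitation": {
        "inviteRedeemUrl": "https://login.microsoftonline.com/redeem?ctx=CONSTRUCTED",
        "status": "PendingAcceptance",
        "invitedUser": {"id": "00000000-0000-0000-0000-000000000001"},
    },
}


def fake_transport(method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Offline stand-in for the HTTP layer (constructed)."""
    if method == "GET" and url.endswith("/domains"):
        return FAKE_TENANT["domains"]
    if method == "POST" and url.endswith("/invitations"):
        return FAKE_TENANT["invitation"]
    raise AssertionError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    print(guest_upn("john.wick@federation.com", "myorg.onmicrosoft.com"))
    print(invite_guest(fake_transport, "john.wick@federation.com",
                       "https://myapps.microsoft.com", "federation.com"))
```

Running this inside the subscription keeps the Graph credentials (and the `Invitation.ReadWrite.All` / `Domain.Read.All` permissions they carry) out of the partner platform; the partner only ever receives the `redeem_url` for each guest.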
5. SAML Provider Configuration: Correctly configuring your third-party SAML provider is essential for the login workflow to work. After you have configured the third-party SAML provider correctly in your Azure subscription, download the Azure metadata from the following URL, https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml, and use the fields in this XML file to complete the partner-side SAML configuration.
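As an added example (not the article's code), the snippet below pulls the relying-party values a partner IdP needs out of SAML 2.0 metadata of the kind downloaded in step 5: the `entityID` (used as the audience), the `AssertionConsumerService` URL for the HTTP-POST binding, the accepted `NameIDFormat`s and the signing certificate. The XML embedded here is a constructed sample that only mirrors the element structure of the real metadata; its entity id, URLs and certificate are placeholders. Fetching the real file is left to the caller.

```python
"""Extract partner-side IdP settings from SAML 2.0 SP (relying-party) metadata.

Added example, not the article's code. SAMPLE_METADATA is constructed; run
parse_sp_metadata() on the text of the real federationmetadata.xml instead.
"""
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: same structure as a real SP EntityDescriptor,
# placeholder entity id, locations and certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:federation:example-relying-party">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                   WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/login.srf"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/login.srf"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> Dict[str, Any]:
    """Return the fields of an SP EntityDescriptor that an IdP admin has to copy."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        # An IDPSSODescriptor-only file is the partner's own metadata, not Azure's.
        raise ValueError("no SPSSODescriptor: this is not relying-party metadata")
    acs: List[Dict[str, Any]] = [
        {"binding": e.get("Binding"), "location": e.get("Location"),
         "index": int(e.get("index", "0"))}
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    certs = [
        c.text.strip()
        for c in sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text and c.text.strip()
    ]
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "name_id_formats": [n.text for n in sp.findall("md:NameIDFormat", NS)],
        "acs": sorted(acs, key=lambda a: a["index"]),
        "signing_certs": certs,
    }


def post_acs_url(meta: Dict[str, Any]) -> str:
    """The endpoint the IdP must POST the SAML response to."""
    for endpoint in meta["acs"]:
        if endpoint["binding"] == HTTP_POST:
            return endpoint["location"]
    raise ValueError("metadata advertises no HTTP-POST AssertionConsumerService")


def partner_idp_settings(meta: Dict[str, Any]) -> Dict[str, Any]:
    """The handful of values typically typed into a third-party IdP's SP/RP form."""
    return {
        "audience": meta["entity_id"],
        "acs_url": post_acs_url(meta),
        "sign_assertions": meta["wants_signed_assertions"],
        "name_id_format": meta["name_id_formats"][0] if meta["name_id_formats"] else None,
        "sp_signing_cert_count": len(meta["signing_certs"]),
    }


if __name__ == "__main__":
    for key, value in partner_idp_settings(parse_sp_metadata(SAMPLE_METADATA)).items():
        print(f"{key}: {value}")
```

A mismatch between the audience/ACS values on the IdP side and those in this file is the usual cause of the redirect failing after authentication, so comparing the parsed values against the partner's configuration is a useful first check before looking at the assertion itself.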
How to test the login workflow?
You can test the login workflow by clicking the invitation redemption link from step 4 above. Clicking the link should redirect you to the partner app. After you provide the id john.wick@federation.com, you will be prompted for authentication via a username/password challenge. Here you need to provide the credentials for the user john.wick@continental.com, and if authentication succeeds, it should redirect you to the Azure apps portal. This changes the invitation status from "pending acceptance" to "active".
Troubleshooting Resources:
Also, if you face any failures after the login workflow redirects to the Azure apps, check this article to ensure your settings are correct: https://blog.jmips.co.uk/2020/07/microsoft-azure-active-directory-saml.html