Starting off for the week with a bang, we've just turned on a new set of features in Azure AD that give companies a simple way to manage access to their social media accounts on services like Twitter and Facebook. We've done this using our password based single sign-on capabilities.
What is password based single sign-on?
Azure AD can support password-based single sign on for any app that has an HTML-based sign in page. By using a custom browser plugin or a custom browser app on iOS (and Android soon), we automate the user's sign in process via securely retrieving application credentials from the directory, and plugging them into the application's sign in page. These credentials can be provided by an administrator, or by the user upon first-time use. Credentials are only stored in an encrypted state in the directory, and are only passed over HTTPS to get users signed into applications.
Using this method, Azure AD offers a convenient identity access management solution for apps that are not capable of supporting federation protocols.
Introducing password based single sign-on for shared accounts
A very common request we get from customers is for support for scenarios where multiple people in their marketing and digital media teams login and manage a shared set of Twitter or Facebook accounts for the company. They need an easy way to let specific employees in these departments use a shared set of credentials. But they need to do it in a way that when an employee leaves the company, they can easily shutoff that specific employee's access to those shared accounts without forcing everyone else using them to learn a new password.
As of today, Azure AD now supports this exact scenario!
Here's how it works:
- Sign into the Azure management portal
- Under the Active Directory section, select your directory, then select the Applications tab.
- To add apps that support password SSO from the Azure AD app gallery, click the Add button and use the gallery option to select your app. Otherwise, select application you want to assign password SSO credentials for from your existing list of applications.
After your app has been added, you'll get the app Quick Start page. Click Configure Single Sign-On and select the Password Single Sign-On option.
Next, click Assign Users. Search for the name of a group that you want to assign shared app credentials to.
Note: You can add new groups using the Groups tab under the directory, or by syncing them from on-premises.
- Select your group (e.g. Marketing), and then click the Assign button at the bottom of the screen.
- To enter app credentials for this group, check I want to enter credentials to be shared among all my group members.
- Enter the credentials for your app in the provided fields. Example: The username and password for your company's Twitter page. Finish out by saving the dialog.
Now, any users who belong to this group will see this application on their app access panel at http://myapps.microsoft.com. When they click on the app, they are automatically signed into the application using the admin-provided credentials. Should the event arise that a user is assigned to two different groups that provide different credentials for the same app, the access panel will prompt the user to select which username to sign in with after selecting the app.
This enables you to easily manage your shared social media accounts (or other password based SAAS app accounts) in one place, instead of needing to communicate and manage a shared set of credentials across multiple people in your organization.
We hope you'll find this new capability useful! We're already in the process of rolling it out here at Microsoft!
And as always, we'd love to hear any feedback or suggestions you have.
Alex Simons (Twitter: @Alex_A_Simons)
Director of PM
Microsoft Identity and Security Services Division