Authenticating Azure AD tenants who don’t have their own Azure account
Create a PingFederate workflow to authenticate users from different Microsoft tenants.
If you use Microsoft Azure AD as an identity provider (IdP), a standard IdP connection won’t authenticate users from other Azure tenants or from other Microsoft account types, such as outlook.com, live.com, or hotmail.com.
If you have users from these other tenants, you can authenticate them through the Azure Application Registration Portal and V2 endpoints.
Creating an OIDC V2 app for AuthN
Register a new OpenID Connect (OIDC) application in the Azure App registration service.
Steps
- In the Azure portal, go to App registrations → New registration.
- Enter an application name and click Create.
  Give your application a name that identifies it and differentiates it from applications created through Azure AD, such as PingAuthentication-V2.
- Under Supported account types, click Accounts in any organizational directory and personal Microsoft accounts.
- Click Register.
  Result: The Overview tab provides the Application (client) ID. This is the Client ID for your PingFederate OIDC IdP connection.
- Click API permissions.
- Click Add a permission → Microsoft Graph → Delegated permissions → Directory and select the Directory.Read.All check box.
- Click Add permissions.
- Optional: Click the Branding tab to customize the following:
  - Brand logo
  - Home page URL
  - Terms of Service URL
  - Privacy Statement URL
- At the top of the page, click Save.
Viewing and updating the app in the AAD dashboard
Verify and update the permissions in your v2 Azure application.
Steps
- In the Azure portal, go to App registrations.
- Click the V2 application that you created to open the Overview tab.
- Click Authentication.
  Result: Under the Supported account types heading, you see Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
- At the top of the page, click Save.
Creating an OpenID Connect IdP connection in PingFederate
Steps
- In PingFederate, go to Authentication → Integration → IdP Connections and click Create Connection.
- On the Connection Type tab, select Browser SSO.
- In the Protocol list, select OpenID Connect.
- Click Next.
- On the Connection Options tab, click Next.
- On the General Info tab, enter the following values:
  - In the Issuer field, enter https://login.microsoftonline.com/common and click Load Metadata.
    Result: When you click Load Metadata, the Issuer field is updated with a metadata URL.
  - Replace the <tenant> placeholder at the end of the URL with your Microsoft Tenant ID and add /v2.0 to the end of the URL.
    You can find your Tenant ID at Azure Active Directory → Overview in your Microsoft Azure account.
  - Select the Enable Additional Issuers check box.
  - In the Connection Name field, enter a plain-language identifier for the connection, for example a company or department name.
    This name is displayed in the connection list in the administration console.
  - In the Client ID field, enter the Application (client) ID value found in the App registrations menu in Azure AD.
  - Click Next.
- On the Additional issuers tab, select the Accept All issuers (Not Recommended) check box and click Save.
- On the Browser SSO tab, click Configure Browser SSO.
- On the User-Session Creation tab, click Configure User-Session Creation.
- Choose one of the Identity Mapping tab options:
  - Click Account Mapping if you plan to pass end-user claims to the target application through a service provider (SP) adapter instance, or an authentication policy contract if your PingFederate server is a federation hub that bridges an OpenID provider to an SP.
  - Click Account Linking if your target application requires account linking.
  - Click No Mapping if you plan to pass end-user claims to the target application through an authentication policy contract in an SP authentication policy.
- Delete the attributes that are unnecessary to your application in the Attribute Contract menu generated by the issuer metadata in Step 5.
  Troubleshooting: You are likely to encounter attribute-related errors when testing your connection. If this occurs, review the server.log file to see which attributes or claims are sent to Azure and delete the unnecessary attributes from your attribute contract.
- Optional: On the Target Session Mapping menu, click Map New Adapter Instance to map end-user claims to the target application through an SP adapter instance or an authentication policy contract.
  For more information, see Managing target session mappings.
- On the Summary tab, review the User Session Creation settings and click Save.
- On the Protocol Settings tab, click Configure Protocol Settings.
- On the OpenID Provider Info tab, enter the following values:
  - Authorization Endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
  - Token Endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/token
  - User Info Endpoint: https://graph.microsoft.com/oidc/userinfo
  - JWKS URL: https://login.microsoftonline.com/common/discovery/v2.0/keys
- When you have finished configuring the identity provider (IdP) connection, copy the Redirect URI from the Activation & Summary tab and add it to your V2 application:
  - In your Azure account, go to App registrations.
  - Click the application you want to connect.
  - Click Authentication → Add a platform → Web.
  - Paste the redirect URI into the Enter the redirect URI of the application field.
  - Select both the Access Tokens and ID Tokens check boxes.
  - Click Configure.
Result: You can now authenticate users with non-Azure Microsoft accounts.
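The Accept All issuers (Not Recommended) setting above trusts any issuer string, because with a multitenant app the issuer is https://login.microsoftonline.com/<tenant>/v2.0 and varies per tenant. As an added example (not PingFederate or Microsoft code), this shows the narrower check a relying party can apply instead: the issuer must match the v2.0 template for the token's own tid claim, the audience must be this app's client ID, and the tenant may be restricted to an allow list. The client ID and work tenant ID are constructed placeholders; the consumer tenant ID is the well-known one personal Microsoft accounts issue from.

```python
"""Issuer/tenant checks for Microsoft identity platform v2.0 ID tokens.

Added example, not PingFederate or Microsoft code. A multitenant app sees a
different issuer per tenant (hence "Enable Additional Issuers"). Instead of
accepting every issuer, require iss to match the v2.0 template for the
token's own tid, require aud to be this client ID, and optionally restrict
tid to an allow list.
"""
import re
from typing import Iterable, Optional

# Per-tenant issuer of the v2.0 endpoint (the page's <tenant> + /v2.0 URL).
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"
# Tenant IDs are GUIDs; "common" is an endpoint alias, never a token issuer.
TENANT_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Well-known tenant that personal (consumer) Microsoft accounts issue from.
CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def expected_issuer(tid: str) -> str:
    """Issuer string a v2.0 token from tenant `tid` must carry."""
    return ISSUER_TEMPLATE.format(tid=tid.lower())


def validate_issuer(claims: dict, client_id: str,
                    allowed_tenants: Optional[Iterable[str]] = None) -> str:
    """Return the tenant ID if iss, tid and aud are consistent, else raise.
    Assumes the signature was already verified against the JWKS URL."""
    tid = claims.get("tid")
    if not isinstance(tid, str) or not TENANT_ID_RE.match(tid.lower()):
        raise ValueError("tid claim missing or not a tenant GUID")
    iss = claims.get("iss")
    if iss != expected_issuer(tid):
        # Rejects an issuer naming a different tenant than tid, and /common.
        raise ValueError(f"issuer {iss!r} does not match tenant {tid}")
    if claims.get("aud") != client_id:
        raise ValueError("aud is not this application's client ID")
    if allowed_tenants is not None:
        if tid.lower() not in {t.lower() for t in allowed_tenants}:
            raise ValueError(f"tenant {tid} is not on the allow list")
    return tid.lower()


# Constructed sample claims (not real tokens): one work tenant, one consumer.
APP_CLIENT_ID = "00000000-1111-2222-3333-444444444444"  # placeholder client ID
WORK_TID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
WORK_CLAIMS = {"iss": expected_issuer(WORK_TID), "tid": WORK_TID, "aud": APP_CLIENT_ID}
CONSUMER_CLAIMS = {"iss": expected_issuer(CONSUMER_TENANT_ID),
                   "tid": CONSUMER_TENANT_ID, "aud": APP_CLIENT_ID}
```

Passing an allow list containing only your own tenant IDs (plus CONSUMER_TENANT_ID if personal accounts are wanted) gives the effect of the Additional issuers tab without accepting every issuer.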