How to connect your SaaS application?
What if you want to use your company credentials to log in to this application? How do you connect a SaaS application to your infrastructure? If you have a hybrid infrastructure there are lots of possibilities.
If you are familiar with the Azure portal, you noticed there are two application blades: the application registration blade and the Enterprise application blade. So why create an application registration instead of an enterprise application?
Well, in a nutshell, when you register an application in Entra ID, two objects are created in your Entra ID tenant: an application object and a service principal object.
The application object gives you control over three aspects of the application in question: how the service can issue tokens to access the application, the resources that the application might need to access, and the actions that the application can take.
The Enterprise application blade is more like the management section for service principals. To access resources that are secured by an Entra ID tenant, the entity that requires access must be represented by a security principal. This is true for both users (user principal) and applications (service principal).
The service principal defines the access policy and permissions for the application in the Entra ID tenant. This enables core features such as authentication of the user or application during sign-in, and authorization during resource access.
When you create an application registration, Entra ID assigns a unique application (client) ID to it. Together with the directory (tenant) ID and a client secret, the application (client) ID gives the service provider (Tenant A in the picture below) an endpoint through which to publish their software to your Entra ID. Or, the other way around: you are allowed to access the service provider's application through the published application in your home tenant (Tenant B).
When you are the service provider developing applications and publishing them through Entra ID, you choose whether the application is single-tenant or multi-tenant during the app registration in the Azure portal.
When a user wants to sign in to an application in Entra ID, the application must be represented in the user's home tenant. This allows the user's organization to apply policies or specific access controls. For a single-tenant application, the registration is fairly simple; it’s the one that happens when you register the application in the Azure portal.
For a multi-tenant application, the initial registration takes place in the Entra ID tenant used by the service provider (Tenant A in the picture below). When a customer from a different tenant (Tenant B in this case) signs in to the application for the first time, Entra ID asks them to consent (Step 3). They need to consent to the permissions requested by the application. If they consent, a representation of the application, a service principal, is created in the user’s home tenant (Step 4). A delegation is also created in the user's home tenant that records the user’s consent to that particular application. You can find this in the Permissions section of the Enterprise application object.
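The consequence of the multi-tenant flow above is that, once any tenant has consented, Entra ID will issue tokens for your application from that tenant, so the application itself has to decide which tenants it serves. The following is an added example, not code from the article, showing the tenant-related checks an application would apply to the claims of an already signature-verified Entra ID v2.0 access token: the `aud` claim must equal the application (client) ID, the `iss` claim must be an Entra ID issuer for the tenant named in the `tid` claim, and for a multi-tenant registration the tenant must be one the provider has actually onboarded. The tenant IDs, client ID and claim sets are constructed sample values; the `AppConfig.allowed_tenants` list is a hypothetical application-side allow-list, not an Entra ID feature.

```python
"""Added example (not from the original article): tenant validation for
single-tenant and multi-tenant Entra ID application registrations.

Assumptions: the token's signature has already been verified against the
issuing tenant's signing keys (not shown here); the claim dictionaries and
tenant/client IDs below are constructed sample values."""
import re
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Entra ID v2.0 issuer format: https://login.microsoftonline.com/{tenant-id}/v2.0
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$")

# Constructed sample identifiers (not real tenants or applications).
TENANT_A = "11111111-1111-1111-1111-111111111111"   # service provider's tenant
TENANT_B = "22222222-2222-2222-2222-222222222222"   # onboarded customer tenant
TENANT_X = "33333333-3333-3333-3333-333333333333"   # consented but never onboarded
CLIENT_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # application (client) ID


@dataclass
class AppConfig:
    client_id: str                 # application (client) ID from the app registration
    multi_tenant: bool             # single-tenant or multi-tenant registration
    home_tenant_id: str            # directory (tenant) ID of the provider (Tenant A)
    # Hypothetical application-side allow-list of customer tenants (Tenant B, ...).
    allowed_tenants: Set[str] = field(default_factory=set)


def sample_claims(tenant_id: str, audience: str = CLIENT_ID) -> Dict[str, str]:
    """Build a constructed claim set as Entra ID would issue it for `tenant_id`."""
    return {
        "aud": audience,
        "iss": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "tid": tenant_id,
    }


def validate_claims(claims: Dict[str, str], cfg: AppConfig) -> Tuple[bool, str]:
    """Return (accepted, reason) for the tenant-related claims of a token."""
    if claims.get("aud") != cfg.client_id:
        return False, "audience does not match this application's client ID"

    match = ISSUER_RE.match(claims.get("iss", ""))
    if not match:
        return False, "issuer is not an Entra ID v2.0 issuer"
    issuer_tenant = match.group(1)

    tid = claims.get("tid")
    if tid != issuer_tenant:
        return False, "tid claim does not match the tenant in the issuer"

    if not cfg.multi_tenant:
        # Single-tenant: only the provider's own tenant may ever issue tokens.
        if tid != cfg.home_tenant_id:
            return False, "single-tenant app: token issued by a foreign tenant"
        return True, "ok (home tenant)"

    # Multi-tenant: any consenting tenant gets tokens, so enforce the onboarding list.
    if tid == cfg.home_tenant_id or tid in cfg.allowed_tenants:
        return True, f"ok (tenant {tid})"
    return False, f"multi-tenant app: tenant {tid} consented but is not onboarded"


if __name__ == "__main__":
    single = AppConfig(CLIENT_ID, multi_tenant=False, home_tenant_id=TENANT_A)
    multi = AppConfig(CLIENT_ID, multi_tenant=True, home_tenant_id=TENANT_A,
                      allowed_tenants={TENANT_B})
    for label, claims, cfg in [
        ("single / home tenant", sample_claims(TENANT_A), single),
        ("single / Tenant B", sample_claims(TENANT_B), single),
        ("multi / Tenant B", sample_claims(TENANT_B), multi),
        ("multi / Tenant X", sample_claims(TENANT_X), multi),
        ("multi / wrong audience", sample_claims(TENANT_B, "other-app"), multi),
    ]:
        print(f"{label:24} -> {validate_claims(claims, cfg)}")
```

The `tid`-versus-issuer check matters because a multi-tenant application receives tokens from many issuers; validating the issuer against a fixed string, as a single-tenant application can, no longer works, so the application must instead verify that the issuer and `tid` agree and then apply its own decision about which tenants are served.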
All this is possible when both the service provider and the identity provider use Entra ID. But if you don’t have Entra ID and want to connect to a service provider running a multi-tenant or single-tenant application in Entra ID, what then?