Please find below the instructions to enable Azure AD SSO for your organization.

Azure AD SSO Integration – Tenant onboarding guide
We use Azure Active Directory (Azure AD) Single Sign-On (SSO) to allow your organization to securely access our Django-based application using your existing Microsoft credentials. This integration is built using the django-auth-adfs library, which provides a robust foundation for Azure AD authentication. However, the default library assumes a single-tenant setup, whereas we have extended it to support multi-tenant login, enabling different organizations to authenticate using their own Azure AD accounts.
This document outlines why we require your Azure Tenant ID and how it’s used to enable SSO for your organization.

Why we need your Azure Tenant ID
Your Tenant ID is essential because our system uses the django-auth-adfs library to dynamically build the OpenID Connect well-known configuration endpoint specific to your Azure AD tenant. The library fetches the OAuth2 configuration data (including the authorization endpoint, the token endpoint, and the supported claims) from your tenant’s well-known configuration, and implements the authentication logic that receives authentication tokens and maintains user sessions in our system.
By default, django-auth-adfs is designed to authenticate users against a single Azure AD tenant. This works well for single-organization deployments but is not sufficient when serving multiple clients/organizations in the same application.
To support a multi-tenant setup, we’ve enhanced our authentication flow to dynamically resolve and validate users from different Azure tenants.

What your Tenant ID enables us to do
Your Tenant ID enables us to:
– Identify your organization uniquely within Azure AD
– Register and configure your tenant in our system so we can accept and validate authentication requests
– Route login requests to Azure using your tenant’s authority URL (e.g., https://login.microsoftonline.com/<tenant-id>)
– Isolate users per tenant to enforce data separation and security
– Dynamically discover your tenant’s OpenID Connect metadata endpoints

Without your Tenant ID, we cannot securely enable SSO for your users.

How to Find Your Azure Tenant ID
To retrieve your Azure Tenant ID:
1. Log in to the Azure Portal
2. Navigate to Azure Active Directory > Overview
3. Copy the value under Tenant ID (it will be a UUID)

Example:
-> d3e0a85b-91d6-4f78-914f-2eaec8b7fbc5

What We Do with Your Tenant ID
Once we receive your Tenant ID, we:
1. Configure your tenant in our backend to allow authentication against your Azure AD
2. Enable discovery and token validation using your tenant’s OpenID Connect metadata
3. Map your users securely into our system so they can log in using the SSO flow
4. Set up dynamic endpoint resolution for your tenant’s specific OAuth2 configuration
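To make the per-tenant steps above concrete, here is an added illustration in Python (not code from the django-auth-adfs library or from our backend) of what the Tenant ID drives: validating the ID as a UUID, deriving the tenant’s authority and well-known discovery URLs, and checking that a token’s issuer and tid claims match the tenant the login started from, so that users stay isolated per tenant. The REGISTERED_TENANTS registry, the second tenant ID and the SAMPLE_CLAIMS claim set are constructed for the example; the v2.0 issuer format is Azure AD’s documented one, and signature, audience and expiry checks are assumed to have been done by the library beforehand.

```python
"""Tenant-scoped OpenID Connect discovery and claim checks for a
multi-tenant Azure AD login (added illustration, not library code)."""
import uuid
from typing import Optional, Tuple

AUTHORITY_BASE = "https://login.microsoftonline.com"

# Assumption: the backend keeps a registry of onboarded tenants.  The first
# ID is the sample from this guide; the second is a constructed placeholder.
REGISTERED_TENANTS = {
    "d3e0a85b-91d6-4f78-914f-2eaec8b7fbc5": "Contoso (sample)",
    "0f8a7c1e-2b4d-4e6f-8a9b-1c2d3e4f5a6b": "Fabrikam (sample)",
}


def normalize_tenant_id(raw: str) -> Optional[str]:
    """Return the canonical lowercase UUID form of a tenant ID, or None.

    Only a real UUID is accepted: aliases such as "common" or "organizations"
    would turn discovery into a multi-tenant endpoint and defeat isolation,
    and anything else must never be interpolated into a URL path.
    """
    try:
        return str(uuid.UUID(raw.strip()))
    except (ValueError, AttributeError):
        return None


def authority_url(tenant_id: str) -> str:
    """Authority the login request is routed to for this tenant."""
    return f"{AUTHORITY_BASE}/{tenant_id}"


def well_known_url(tenant_id: str) -> str:
    """OpenID Connect discovery document for this tenant (v2.0 endpoint)."""
    return f"{authority_url(tenant_id)}/v2.0/.well-known/openid-configuration"


def check_tenant_claims(claims: dict, tenant_id: str) -> Tuple[bool, str]:
    """Confirm that an already signature-verified ID token belongs to the
    tenant the user started the login flow from.  Returns (ok, detail)."""
    tid = normalize_tenant_id(tenant_id)
    if tid is None or tid not in REGISTERED_TENANTS:
        return False, "tenant not onboarded"
    expected_iss = f"{AUTHORITY_BASE}/{tid}/v2.0"
    if claims.get("iss") != expected_iss:
        return False, f"issuer mismatch: {claims.get('iss')!r}"
    if claims.get("tid") != tid:
        return False, "token tid does not match the requesting tenant"
    return True, REGISTERED_TENANTS[tid]


def tenant_scoped_user_key(claims: dict) -> str:
    """Key users by (tenant, object id) so the same oid in two tenants can
    never collide on one account."""
    return f"{claims['tid']}:{claims['oid']}"


# Constructed claim set, as decoded from an already-verified ID token.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/d3e0a85b-91d6-4f78-914f-2eaec8b7fbc5/v2.0",
    "tid": "d3e0a85b-91d6-4f78-914f-2eaec8b7fbc5",
    "oid": "11111111-2222-3333-4444-555555555555",
    "preferred_username": "alice@contoso.example",
}

if __name__ == "__main__":
    tenant = "d3e0a85b-91d6-4f78-914f-2eaec8b7fbc5"
    print("discovery:", well_known_url(tenant))
    print("same tenant:", check_tenant_claims(SAMPLE_CLAIMS, tenant))
    print("other tenant:", check_tenant_claims(
        SAMPLE_CLAIMS, "0f8a7c1e-2b4d-4e6f-8a9b-1c2d3e4f5a6b"))
    print("alias rejected:", check_tenant_claims(SAMPLE_CLAIMS, "common"))
    print("user key:", tenant_scoped_user_key(SAMPLE_CLAIMS))
```

The point of the last two checks is that a token issued by one onboarded tenant is refused when presented in another tenant’s login flow, and that a discovery URL is only ever built from a tenant ID that has been validated and registered.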

What you need to provide
To enable SSO for your organization, please provide us with:
-> Your Azure AD Tenant ID
You can send these details securely via email or any preferred channel discussed with your onboarding contact.

Important protocol note
– SAML Support: Please note that SAML-based SSO is currently not integrated into our backend system. Our current implementation focuses exclusively on OpenID Connect/OAuth2 protocols through Azure AD. Adding SAML support would require considerable development time and significant backend modifications. If your organization requires SAML integration, please discuss this with your onboarding contact for potential future implementation.

– Auth0 and Generic OAuth2 Providers: We cannot use Auth0 or other generic OAuth2 authentication providers at this time. Our system is specifically designed and configured to support Azure AD SSO only, not generic OAuth2 authentication flows. The integration is tightly coupled with Azure AD’s specific endpoints, token formats, and user claim structures. Supporting other OAuth2 providers would require significant architectural changes to our authentication system.

Security Considerations
– We do not store or access any sensitive credentials from your Azure AD
– All authentication tokens are handled securely using industry-standard OpenID Connect flows
– Each tenant is isolated logically to ensure secure access control
– Dynamic endpoint discovery ensures we always use the most current configuration from your Azure AD tenant
