How to Build mobile apps with SSO using Microsoft Azure AD
What is Microsoft Azure Active Directory?
Microsoft Azure Active Directory is Microsoft’s flagship cloud identity service. Azure Active Directory (Azure AD) helps developers manage user identities and create intelligence-driven access policies to secure the resources mobile apps need to function.
This Knowledge Base article provides step by step instructions for using Appdome to add Azure AD SSO to any Android and iOS mobile app.
Adding Microsoft Azure Active Directory (Azure AD) to Mobile Apps Without Coding
Appdome is a no-code mobile app security platform designed to add security features and 3rd party services like Microsoft Azure AD to Android and iOS apps without coding. This KB shows mobile developers, DevSec and security professionals how to use Appdome’s simple ‘click to build’ user interface to quickly and easily make mobile apps work with modern Microsoft cloud authentication.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement. Likewise, there are no required infrastructure changes and no dependency on SAML, OAuth, OpenID Connect or any other authentication standard inside the app. Users merely upload mobile apps, select the Azure AD service and click “Build My App.” The Appdome technology adds Azure AD SSO and relevant standards, frameworks and more to the app automatically, with no manual development work at all.
Using Appdome, mobile apps use Microsoft Azure AD SSO to authenticate users as if Azure AD SSO had been coded natively into the app. Appdome for Azure AD SSO is compatible with mobile apps built in any development environment, including native Android and iOS apps, hybrid apps, and non-native apps built in Xamarin, Cordova, React Native, Ionic and more. This streamlines implementations, cuts development work, and ensures a guaranteed, consistent integration of Azure AD SSO into any mobile app.
The following diagram illustrates the Single-Sign-On flow within the app when integrating Azure as a cloud provider:
- The application sends an unauthorized request to reach a resource such as internal.mycomp.com, which is protected by a gateway, AD, or the app server itself.
- The server protecting the resource responds with a 401 or 30X response because the request is not authorized.
- Appdome identifies the response from the protected resource and opens an internal Webview within the Built App.
- The internal Webview is opened on the Azure Hub URL.
- The user can now authenticate using any authentication method the hub URL requires. During the authorization session, the cookies and authorization token are received.
- Because the authorization succeeded, the Azure server redirects to the Success URI (e.g. https://successful-authentication-internal-url/portal.html). Note that the Success URI configured for the app in Azure must match the Success URI configured during fusion.
- Appdome identifies the Success URI redirect and closes the internal Webview, returning the view to the original app.
- Now, when the app tries to reach the protected resource, the authorization header or cookies are attached to the outgoing request. The gateway trusts these credentials and the app reaches the protected resource successfully.
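The flow above, as an added simulation that is not Appdome's own code: a constructed state machine that decides when a 401/30X answer from an in-scope URL opens the Webview on the hub URL, accepts only a redirect that matches the configured Success URI (the mismatch caveat from the note above), and attaches the captured cookies or token to later in-scope requests. Class and method names, and the hub URL, are hypothetical; the resource and Success URI values are the ones quoted on this page.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class SsoFlow:
    """Hypothetical model of the Webview-based SSO flow described in the list above."""
    hub_url: str                     # Azure Hub URL opened in the internal Webview
    success_uri: str                 # Success URI configured during fusion
    protected_urls: list = field(default_factory=list)  # empty list means "all" URLs
    cookies: dict = field(default_factory=dict)
    auth_header: Optional[str] = None
    webview_open: bool = False

    def in_scope(self, url: str) -> bool:
        """Apply authentication to all URLs, or only to hosts in the configured list."""
        if not self.protected_urls:
            return True
        host = urlsplit(url).hostname
        return any(urlsplit(p).hostname == host for p in self.protected_urls)

    def on_response(self, url: str, status: int) -> Optional[str]:
        """Steps 2-4: a 401 or 30X answer from a protected resource opens the hub URL."""
        if self.in_scope(url) and (status == 401 or 300 <= status < 400):
            self.webview_open = True
            return self.hub_url
        return None

    def on_webview_redirect(self, url: str, cookies: dict, token: Optional[str]) -> bool:
        """Steps 5-6: only a redirect to the configured Success URI closes the Webview."""
        want, got = urlsplit(self.success_uri), urlsplit(url)
        if (want.scheme, want.netloc, want.path) != (got.scheme, got.netloc, got.path):
            return False  # mismatch: Webview stays open, nothing is captured
        self.cookies.update(cookies)
        if token:
            self.auth_header = "Bearer " + token
        self.webview_open = False
        return True

    def outgoing_headers(self, url: str) -> dict:
        """Step 7: attach captured credentials to in-scope requests only."""
        if not self.in_scope(url) or self.webview_open:
            return {}
        headers = {}
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        if self.auth_header:
            headers["Authorization"] = self.auth_header
        return headers
```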
Prerequisites for using Appdome for Azure AD SSO
To use Appdome's no-code implementation of Microsoft Azure AD SSO, you'll need:
- Appdome account IDEAL or higher
- Mobile App (.ipa for iOS, or .apk or .aab for Android)
- Azure Hub URL
- Authentication Successful URI for Native App
- Azure Triggering URI
- Azure Client ID (Application id)
- Signing Credentials (e.g. signing certificates and provisioning profile)
Log in to your Microsoft Azure portal and retrieve the Azure Client ID. If you have not registered an app in Azure AD yet, see How to Register Apps in Microsoft Azure Active Directory.
How to Add Microsoft Azure AD SSO to Android and iOS apps
Follow these step-by-step instructions to add Azure AD SSO to Any Mobile App:
Upload a Mobile App to Your Account
From the “Build” tab, Add Azure AD SSO
- Select the Build tab. Note: a blue underline will appear showing the step is active
- Select the Authentication category. Note: a blue highlight will appear showing the category is active.
- Enable Authentication Profiles
- Select Azure Identity Cloud from the drop-down menu.
- You can add specific URLs to apply the authentication to, or leave “all” to apply to all URLs accessed by the app.
- Enter the URL for your Authorization Endpoint
- Enter the URI for Redirect URI
- If your deployment uses OpenID, enable OpenID Authentication
- Enter the Client ID
- Enter the Token URL
- Enter the Client Secret (Optional)
- Add additional Scopes (Optional)
- Click Build My App
The technology behind Build My App has two major elements – (1) a microservice architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code sets needed to add Azure AD SSO to the mobile app in seconds. For example, it adds the OpenID Connect and Webview authentication logic that a developer would ordinarily need to write by hand.
Congratulations! You now have a mobile app fully integrated with Microsoft Azure Active Directory SSO.
No Coding Dependency
Building Custom Azure AD SSO Workflows Inside Android and iOS Apps
Building Single Sign-On inside Android and iOS apps involves several significant considerations. Perhaps the most significant consideration is “where” and “when” the Single Sign-On workflow will take place inside the app. Usually, an SSO workflow is initiated at the start of a login sequence. In this use case, the client and the server are built to handle the basic authentication sequence (User –> launches app –> enters credentials –> credentials verified by the server –> user issued a token or cookie allowing access to the app).
But, what if the app developer hasn’t or doesn’t want to build the app to support basic authentication? Or, what if the app developer wants more than the username and password provided in the basic authentication workflow (e.g., access to user details available in new authentication methods)? In these cases, Appdome-Threat Events provide a framework to pass user details contained in an OpenID and SAML authentication response to the app developer. This framework allows new flexibility to create custom SSO workflows inside an app using industry-standard methods to retrieve and pass user details between authentication services and mobile apps.
Azure AD authentication services usually connect on the backend to a store of user data and use SAML or OpenID to handle authentication requests. Using SAML and OpenID, applications have access to all the user and authentication details returned by the server backend (i.e. any data the backend implements).
Read this KB article to learn more.
How to Sign & Publish Secured Mobile Apps Built on Appdome
After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:
- Signing Secure iOS and Android apps
- Customizing, Configuring & Branding Secure Mobile Apps
- Deploying/Publishing Secure mobile apps to Public or Private app stores
Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.
How to Learn More
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.