Issues Concerning Connection of App to Azure Active Directory (AD)

Problem statement

A client application has been deployed within a tenant. A new requirement is that a ‘downstream’ customer wishes to use Single Sign On (SSO) to log in to the app using their own Azure AD. This has given rise to several questions:

  • The Auth0 documentation suggests that the app must be registered with Azure AD. Must the app be registered with the ‘downstream’ customer’s instance of Azure AD or should we deploy our own instance of Azure AD?
  • Is it possible to sync the Azure AD user profiles of the ‘downstream’ customer to the Auth0 user profile?
  • When registering the app with Azure it allows the creation of a client secret. However, the Azure documentation recommends the use of X.509 public key certificates instead. How can the Auth0 / Azure AD connection be configured to work with a certificate instead of a client secret?

Solution

Connect the App to Azure AD

For a ‘downstream’ customer to be able to log in using Azure AD SSO, the app must be registered with the Azure AD instance (tenant) that belongs to that particular customer, because only that tenant can authenticate that customer’s users. Deploying a separate Azure AD instance of your own would not help here: users who are registered with the customer’s Azure AD instance can then log in through that connection. For further information, refer to Register your app with Azure AD.

Sync User Profiles

Yes, it is possible to sync the user profiles of the ‘downstream’ customer to the Auth0 user profile.
To enable this feature, select the ‘Sync user profile attributes at each login’ option in the Azure AD connection settings.

Sync user profile attributes at each login
When enabled, Auth0 automatically syncs user profile data with each user login, thereby ensuring that changes made in the connection source are automatically updated in Auth0.

For further information, refer to Create an Enterprise Connection in Auth0.

Configure Connection to use Certificates

Microsoft does indeed recommend the use of public key certificates over client secrets to protect production applications from unauthorized access. The reason is that a client secret is a shared secret that is sent to the token endpoint on every request and can be copied wherever it is stored, whereas with a certificate credential the private key never leaves the client; it only signs a short-lived assertion that Azure AD verifies against the registered public key. For further information, refer to the Microsoft document Register an Application with the Microsoft Identity Platform.

However, the Auth0 Azure AD connection supports only client secrets at this point. A feature request has been recorded in the Product backlog, but at the time of writing (February 2024) there is no release date. Until certificates are supported, treat the secret as a production credential: set the shortest expiry Azure allows for it, rotate it before it expires, store it only in Auth0 and a secrets manager, and never commit it to source control.

It is recommended that customers who desire this feature should submit a feature request via the Customer Feedback form. This will enable the Product team to determine priorities for future feature releases.
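The following Python script is an added example, not Auth0’s own code, that ties together the two points above: it builds the Management API payload for an Azure AD (`waad`) enterprise connection with profile sync enabled, and it rotates the connection’s client secret, which is the mitigation available while certificates are unsupported. It assumes the Management API v2 endpoints `POST /api/v2/connections` and `PATCH /api/v2/connections/{id}`; that the `set_user_root_attributes` option (`on_each_login` / `on_first_login`) is what the dashboard toggle ‘Sync user profile attributes at each login’ maps to; and that a `PATCH` replaces the whole `options` object, so the complete options must be re-sent. The tenant domain, client ID and secret values are placeholders.

```python
"""
Create an Auth0 Azure AD ("waad") enterprise connection with profile sync
enabled, and rotate its client secret, via the Auth0 Management API.

Added example, not Auth0's own code. Assumptions: the endpoints
POST /api/v2/connections and PATCH /api/v2/connections/{id}; the option key
set_user_root_attributes ("on_each_login" / "on_first_login") is what the
dashboard toggle "Sync user profile attributes at each login" maps to; and a
PATCH replaces the whole options object, so the full options are re-sent.
"""
import json
import urllib.request

AUTH0_DOMAIN = "example.auth0.com"  # placeholder Auth0 tenant domain (assumption)


def build_waad_connection(name, customer_tenant_domain, client_id, client_secret,
                          sync_on_each_login=True):
    """Return the POST body for a new Azure AD connection.

    The app must be registered in the *customer's* Azure AD tenant, so the
    client_id / client_secret come from that tenant's app registration.
    """
    if not client_secret:
        raise ValueError("client_secret is required: the connection accepts only "
                         "secrets, not certificates")
    return {
        "name": name,
        "strategy": "waad",
        "options": {
            "client_id": client_id,
            "client_secret": client_secret,
            "tenant_domain": customer_tenant_domain,
            "domain": customer_tenant_domain,
            "identity_api": "microsoft-identity-platform-v2.0",
            "waad_protocol": "openid-connect",
            # "on_each_login" == dashboard toggle "Sync user profile attributes at each login"
            "set_user_root_attributes": "on_each_login" if sync_on_each_login
                                        else "on_first_login",
        },
    }


def rotate_client_secret(existing_options, new_secret):
    """Return a complete options object with only client_secret replaced.

    PATCH replaces the whole options object (assumption), so every other
    option is copied across; otherwise it would be dropped from the connection.
    """
    if not new_secret or new_secret == existing_options.get("client_secret"):
        raise ValueError("new secret must be non-empty and differ from the current one")
    updated = dict(existing_options)
    updated["client_secret"] = new_secret
    return updated


def _call(method, path, token, body=None):
    """Minimal Management API call; needs a token with the connections scopes."""
    req = urllib.request.Request(
        f"https://{AUTH0_DOMAIN}{path}",
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # network call, not exercised offline
        return json.load(resp)


def create_connection(token, payload):
    return _call("POST", "/api/v2/connections", token, payload)


def get_connection(token, connection_id):
    return _call("GET", f"/api/v2/connections/{connection_id}", token)


def update_connection_secret(token, connection_id, new_secret):
    """Fetch current options, swap the secret, and PATCH the full options back."""
    current = get_connection(token, connection_id)
    new_options = rotate_client_secret(current["options"], new_secret)
    return _call("PATCH", f"/api/v2/connections/{connection_id}", token,
                 {"options": new_options})


if __name__ == "__main__":
    # Constructed placeholder values; print the payload instead of sending it.
    payload = build_waad_connection("customer-azuread", "customer.onmicrosoft.com",
                                    "00000000-0000-0000-0000-000000000000",
                                    "<secret from the customer's Azure app registration>")
    print(json.dumps(payload, indent=2))
```

Run `update_connection_secret` from a scheduled job with the new secret generated in the customer’s Azure app registration first, so the old secret remains valid until Auth0 has been updated; generating a new secret in Azure does not invalidate the old one until it expires or is deleted.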

Related References