After migrating from on-premises to cloud hosting on Approach servers, one of our customers expressed the desire to integrate an SSO login in Atlas using Microsoft Azure AD in order to simplify the authentication process.
Why implement an SSO login with Microsoft Azure AD?
By switching to an SSO authentication, their users would be able to securely connect to the Atlas Web App through their company credentials in a fast and secure manner. The main benefit is that users would no longer need to have a separate set of login credentials in order to access the platform.
What are the benefits?
The SSO authentication provides organisations with an easy and fast access to Atlas without requiring the users to keep multiple login credentials.
Furthermore, data security is enhanced as a single point of authentication is used when sending the credentials directly to the IDP only which reduces the ability for these exchanges to be maliciously intercepted.
Using the Access Gateway provides customers with many advantages:
- A simple plug’n‘play solution
- Compatible with all applications
- Cloud compatibility
- Total protection against external access as MFA provides a token that is checked by the Access Gateway in order to access the web application
Use case: how was the change implemented within ATLAS?
ATLAS is a highly configurable .Net web application designed to provide expatriates, managers and administrators with access to a centralized data source based on different permission levels depending on the user’s assigned role.
Designed, owned and maintained by Approach’s Secure Development team, security remains a priority, especially due to the sensitive nature of the data stored in ATLAS.
To properly secure the database, authentication is necessary for all users trying to connect to the platform. But this requires yet another additional set of credentials.
In order to successfully enhance Atlas to support an SSO authentication flow using a SAML protocol on Microsoft Azure AD, two solutions were identified by our developers:
- New development efforts had to be made in Atlas as to include the additional configurations and application flow to support the SSO using SAML protocol
- As the customer was already using Approach’s WAF Application Intelligence to secure Atlas, an Access Gateway feature was available to support SSO using SAML protocol on Microsoft Azure AD
After careful consideration, our team opted for the second option.
Why use an Access Gateway to support SSO?
Although the first solution would imply that Atlas keeps full control on the configurations of the additional authentication flow. This proposal would entail additional development works in the application as well as additional configurations which would imply an increase in maintenance costs for the additional authentication flow to support SAML protocol.
As for this customer, Atlas is hosted behind a WAF and the associated Access Gateway, the second solution allows for less development work to be done as only a read of the additional request header value provided by the WAF is needed to identify the user.
This reduces the usage of a third-party package to handle the additional authentication protocol.
As all web requests coming to Atlas would have already been identified, only small configurations and no additional authentication flow within the Atlas application would be required. At the same time, using the OpenID Connect protocol would offload our existing SSO authentication.
Overall, Atlas would be simplified to deliver an SSO authentication in future organisations using an Access Gateway supported protocol. This would ease the management of access token cycles as it could, for instance, refresh an expired token automatically.
The access token could further be provided in the request header alongside the authenticated user email to be used in exchange for a SAML Assertion and obtain a different access token from Microsoft when calling a Graph API.
Conclusion
SSO authentication is an efficient solution that can easily be applied to most web applications thereby improving security while reducing complexity.
By using Approach’s Access Gateway, we are able to offload the SSO authentication to a more secure and robust solution which would otherwise be handled by the web application.
Furthermore, the Access Gateway will only redirect to the application when the request is made by an authenticated user which will dramatically reduce the amount of unnecessary traffic toward the application.