Hacker News new | ask | show | jobs
by hirsin 1774 days ago
This is inaccurate. Multi tenant apps can simply be signed into via OIDC and they're added to your tenant, if you allow it. All Microsoft apps use OIDC and are not allowed to use SAML, but SaaS app developers are not quite as far ahead.

But yes, we don't support dynamic registration of apps for eg OIDC/oauth
2 comments
tehbeard 1774 days ago
So no OIDC for "internal" apps?

I had thought I'd missed something when setting up some customers, and having to refactor to use SAML for SSO where we'd used OIDC for g-suite, but you're saying unless I throw it on the gallery (public app store?), It's only SAML?

link
merb 1774 days ago
no. you register and you can either use saml or openid connect. btw. when you register your app you select if it is only for your tenant or for multiple tenants (or for microsoft accounts). your app never gets in the "public app store" unless you manually submit to. btw. this information is all public on their great docs.
link
tehbeard 1773 days ago
> this information is all public on their great docs.

Public it may be, searchable it does not seem to be.

Every search seems to direct me towards [1] , Which is about gallery apps, and then directs me to a Table of contents entry that doesn't seem to exist (the closest I found was a tutorials page which is about connecting to a bunch of pre-existing SaaS apps, not for a "custom-developed app")

...maybe this is something where I have to burn half a week playing with Azure AD on a trial account to figure out..

[1] https://docs.microsoft.com/en-us/azure/active-directory/mana...

link
hirsin 1773 days ago
Steps 2 and 3 are unrelated to the gallery. The gallery entry is basically a registered url that takes you to the app, to trigger a login (2) which triggers provisioning (3) in your tenant. So you can visit any app and add it to your tenant by signing into the app. Lots of folks want a gallery entry though, so that's what the docs focus on
link
merb 1773 days ago
https://docs.microsoft.com/en-us/azure/active-directory/deve...

this is the correct link if you want to develop something with the identity platform, the other link is more or less admin documentation...

link
syshum 1774 days ago
>yes, we don't support dynamic registration of apps for eg OIDC/oauth

Which is what I am talking about and ALOT of SaaS vendors do.

They have you go to AzureAD Go to Enterprise Applications, click "New Application" and then choose Application not found in Gallery.

When you do that, i can see no way to use anything other than SAML .

nothing in the Microsoft Docs, nor anything I can see on any portal gives the ability to for an Enterprise to Add their own Customer Open ID Connect application, you have to go through the process to add an App to the Gallery.

link
hirsin 1774 days ago
Thanks for the feedback and experience! This is the difference between provisioning (adding an instance of an app to your tenant) and registration (Azure AD knowing your app exists). The pattern you're talking about is provisioning, and sadly yes, the manual route here is very focused on SAML. But anyone at all can register an app, and then anyone else can provision it into their tenant just by signing into it.

Will check out the docs and see what we can do, it's not good this was hard to learn.

link