We have our own web application which performs access control based on the username and associated roles defined locally and maintained in the local database.
I need to integrate our application with "Azure AD" to make use of single sign-on (SSO) so that, with the same user name, we can integrate with and access other SaaS applications as well. I think I can achieve this with the "Azure ADAL APIs" and "Graph APIs".
However, I would like to understand how to define custom user attributes and roles in "Azure AD" so that it shares the attributes and roles with our application upon authentication. This is required for our web application to provide access control (based on user ID and role) without defining roles locally. I am not sure how to achieve this.
Please let me know if it is feasible and what the best option is to achieve it.
I would like to understand how to define custom user attributes and roles for "Azure AD" to share the attributes and roles with our application upon authentication. This is required for our web application to provide Access Control (based on user id and role) without defining roles locally.
You need to look at the Application Roles related functionality with Azure AD to implement your custom RBAC. It should most probably provide you what you're looking for.
On a side note, I've seen cases where people chose to do some authorization logic based on which groups the users belonged to. This is just information and not something you need to do.
I'm sharing samples related to both, Roles and Groups in this answer, but definitely look at Application Roles first and once you understand them clearly, you can decide to use Application Roles, Groups or a combination of both Roles and Groups (very possible) for your Authorization strategy.
Application Roles
Microsoft Documentation - Application Roles
Purpose - These roles are defined in the Application Manifest for an application that your organization is developing and that is registered in your Azure Active Directory. These roles are very specific to your application and can be used in the application's code to implement authorization logic for the authenticated users.
Sample Application (that uses this concept and does what you're looking for) -
Authorization in a web app using Azure AD application roles & role claims
Quick Explanation
1) Once you register your application with Azure AD, you can define custom roles (specific to your application) by editing the application manifest (JSON) in Azure AD.
Here's a sample JSON of what application role definition would look like:
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Creators can create Surveys",
            "displayName": "SurveyCreator",
            "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
            "isEnabled": true,
            "value": "SurveyCreator"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Administrators can manage the Surveys in their tenant",
            "displayName": "SurveyAdmin",
            "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
            "isEnabled": true,
            "value": "SurveyAdmin"
        }
    ]
2) You will be able to assign these roles to Users/Groups/applications through Azure Portal or programmatically. (you could control the allowed member types for roles)
3) Now when the end users sign in to your application, the incoming Azure AD token will provide you with a collection of role claims (based on whatever roles are assigned to the user) and you can take authorization decisions in your application, for example against the SurveyAdmin role defined in the manifest above:

    if (context.User.HasClaim(ClaimTypes.Role, "SurveyAdmin")) { ... }
Groups
Groups can have multiple users or other groups as members. Again management of groups is possible through Azure Portal or programmatically.
NOTE: Groups are totally independent of your application, i.e. Azure AD groups can and do exist to serve a purpose of grouping members even without your application. Application Roles on the other hand are very specific to your application, they don't mean much to anyone except your application.
Sample app which makes decisions based on Groups
Authorization in a web app using Azure AD groups & group claims
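The authorization step from the answer above, as an added example that is not part of the original answer or of the linked Microsoft samples, written in Python instead of the sample's C#. It shows the two things the answer relies on: the app roles assigned to the user arrive in the token's "roles" claim as an array (and the claim is simply absent when the user holds no role), and group object IDs arrive in the "groups" claim, except on group overage, where Azure AD omits "groups" and instead sets "_claim_names"/"_claim_sources" so the application must fetch memberships from Graph rather than assume the user has none. The example signs a constructed test token with HMAC-SHA256 so it runs offline; that is an assumption standing in for Azure AD's RS256 signature, which in production you verify against the tenant's published keys (the jwks_uri from the OpenID Connect discovery document) with a JWT library. The audience, issuer and claim values below are constructed.

```python
"""Check Azure AD app-role and group claims after verifying the token (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set

# Assumption: a shared HMAC key stands in for Azure AD's RS256 signing key so the
# example runs offline. Real tokens must be verified against the tenant's JWKS.
SIGNING_KEY = b"example-key-not-a-real-azure-ad-key"
EXPECTED_AUDIENCE = "api://survey-app"  # assumed: your app's client ID or App ID URI
EXPECTED_ISSUER = "https://login.microsoftonline.com/contoso-tenant/v2.0"  # assumed


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_test_token(claims: dict) -> str:
    """Build a constructed HS256 token carrying the given claims (test fixture only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Verify signature, audience, issuer and expiry; return the claim set or raise ValueError.

    Role and group claims are only meaningful after this check: an unverified token
    could carry any "roles" array the caller chose to put in it.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept "none" or an unexpected algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token was issued for a different application")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def roles_of(claims: dict) -> Set[str]:
    """App roles assigned to the user, from the 'roles' array; empty if the claim is absent."""
    return set(claims.get("roles", []))


def has_role(claims: dict, role: str) -> bool:
    return role in roles_of(claims)


def groups_of(claims: dict) -> Optional[Set[str]]:
    """Group object IDs from the 'groups' claim.

    Returns None on group overage: Azure AD then omits 'groups' and points at Graph via
    _claim_names/_claim_sources, so the caller must query Graph (or deny) instead of
    treating the user as a member of no groups.
    """
    if "groups" in claims.get("_claim_names", {}):
        return None
    return set(claims.get("groups", []))


def authorize(token: str, required_role: str, now: Optional[float] = None) -> bool:
    """Full decision for one request: verified token AND the required app role present."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    return has_role(claims, required_role)


if __name__ == "__main__":
    # Constructed claim set: the user was assigned the SurveyCreator app role only.
    token = make_test_token({"aud": EXPECTED_AUDIENCE, "iss": EXPECTED_ISSUER,
                             "exp": 2_000_000_000, "oid": "11111111-2222-3333-4444-555555555555",
                             "roles": ["SurveyCreator"]})
    print("SurveyCreator allowed:", authorize(token, "SurveyCreator", now=1_900_000_000))
    print("SurveyAdmin allowed:", authorize(token, "SurveyAdmin", now=1_900_000_000))
```

In ASP.NET the same "roles" claim is what `HasClaim(ClaimTypes.Role, ...)` reads once the middleware has mapped it; the point of doing the verification first is that the role list is authoritative only because Azure AD signed it.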
You've marked this SAML so I assume you want to do this via a custom SAML application?
If so, you need to provision Azure AD via the Graph API from your custom repository.
If Azure AD does not have the attribute you need, create an extension attribute.
In the SAML connection, you can configure what attributes are passed (this includes roles).
Note: the ADAL libraries are for OpenID Connect, not for SAML.