Solutions for accessing webapp from inside and outside the corporate perimeter by same users?

Information Security Asked by Aleph on February 19, 2021

I’m looking for solutions that could best address the following requirements.

  • We plan to develop a webapp and deploy it in the cloud.
  • Corporate users must be able to access the webapp from the enterprise network, where they’re already connected to a corporate Active Directory, with an SSO mechanism (e.g. SAML, OAuth/OpenID Connect, WS-Fed, etc.). This is the “easy” part, as ADFS provides solutions for this.
  • Here is where it gets less obvious: The same users can be on the road, and still be able to connect to the same webapp.
  • When they’re on the road, though, SSO is not mandatory: they could connect with other login credentials (e.g. via the webapp’s own userid/password management system, or through a third-party identity provider). If there are solutions where they still could use their AD credentials from the outside of the company, this should be of course considered.
  • In any case, a user should get her/his same preferences, personal data, etc. in the webapp, independently of the way s/he logs in (i.e. from inside the company or when on the road)
  • If a user is de-provisioned from the AD, s/he must not be able to connect using the webapp’s own login system or third-party identity provider. Same thing if her/his group memberships change: it must be taken into account in the webapp, whatever the login option used.

I understand there are many possible solutions (VPN connection, using Azure AD, etc.), but what would be the one(s) with the best combination of impacts on the present infrastructure, cost, user-friendliness, security, and availability?


2 Answers

If your users are using company-supplied (domain-joined) laptops when they are on the road, one option to consider besides Azure AD is Direct Access. This solution will provide exactly the same user convenience as if they were inside your network while maintaining minimal impact on your architecture (you will not be publishing the app to the Internet directly). A thing to consider with this solution is that it would only work for domain-joined computers. Any other device, including phones and tablets, will not be able to access the application.

Answered by Marko Vodopija on February 19, 2021

Sounds like a job for Azure AD Connect; then your app can authenticate against Azure AD regardless of where the user is (internal/external to the company's LAN). As long as they can reach your app, they'd be able to log in with their credentials.

Answered by chubbsondubs on February 19, 2021
