Azure AD integration from ADAL to MSAL
  • 05 Nov 2022


ADAL to MSAL

The latest version of Serverless360 comes with changes in the implementation of Azure AD integration for authentication. Previously Serverless360 used the ADAL authentication library, which is planned to be deprecated, so we needed to migrate to the MSAL library. More information on the library migration is available at this link: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-migration

Azure AD integration in Serverless360

Serverless360 uses Azure AD as an authentication provider for 2 key reasons:

  • Authentication: The user is authenticated against Azure AD and is granted a token that can be used with Serverless360
  • Authorization: To pull a user or group from the Azure AD to be associated with a role in Serverless360

2 step migration

Serverless360 customers will either use the SaaS version of Serverless360 or self-host their instance of Serverless360 in their Azure subscription, which is referred to as private hosting or PH.
When a customer has upgraded their PH instance of Serverless360 to the latest version, the authentication library upgrade needs two additional one-off steps:

  • Kovai registers the customer’s PH URL on the Kovai App Registration
  • Customer provides an API consent for the Serverless360 App Registration on the Customer’s Azure AD tenant

This article aims to clarify the need for the above-mentioned 2 steps with technical information:

The Login flow

The flow for the login can be viewed as follows:

[Figure: login flow diagram]

The below diagram shows the component view of the authentication architecture.

[Figure: component view of the authentication architecture]

When your user logs into the Serverless360 Portal, the authentication will send you to the Kovai multi-tenant app registration, which verifies that the request comes from one of the whitelisted URLs. You will then be redirected to your own tenant to authenticate, and the token will be returned to the application.
In the application, your Serverless360 administrator user is validated using RBAC, and the administrator can then add other users and groups from your Azure AD tenant so that they can be given access to your PH instance of Serverless360.

Please Note:

The Kovai App registration requires the URL of the privately hosted Serverless360 instance to whitelist the deployments. The actual authentication and user or group retrieval on the Customer’s Azure AD is carried out by the Enterprise App registration in the Customer’s Azure AD only.

What has changed?

Previously, when the ADAL library was used, we could dynamically configure the library to authenticate directly against the customer’s Azure AD tenant without the hop via the Kovai Azure AD instance.
The MSAL library does not support this dynamic configuration of the tenant/client id out of the box, so we would need to produce an individual installation for each customer. The recommended approach is the one typically used for SaaS applications: the application developer has their own multi-tenant app registration, which then allows users to federate to their Azure AD for authentication using their organization account. This is the way the SaaS hosted version of Serverless360 has always worked, and the way most other single-page applications using Azure AD for authentication work when they are developed to support multi-tenant.
The main difference from a customer perspective, if you are upgrading from the previous version of Serverless360, is that we will need to register the URL of your PH installation as a redirect URL on the Kovai multi-tenant app registration. This is the list of apps that are allowed to use that app registration for authentication.
Having the application deployed with the authentication configuration pointing to the Kovai Azure AD app registration allows us to have a single deployment package that supports all PH customers. Once the app has been installed, the act of logging into the application will redirect the user to their home Azure AD tenant to log in.
There are 2 one-time setup steps that are done when the customer sets up Serverless360 for the first time or migrates to the new version from the version which used ADAL. These are:

  • Kovai will register the URL of the customer’s PH installation as a redirect URL on the Kovai multi-tenant App Registration
  • When the customer admin logs in for the first time, they will do a consent on their home Azure AD, which will allow the application to be able to configure users for the RBAC setup in the application. This is the same approach typically taken when setting up an application for Azure AD.
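The multi-tenant approach described above, as an added example that is not Serverless360 code: an MSAL-style configuration for a single build that serves every PH customer (authority "organizations" instead of a fixed tenant), the authorize request it produces, and the claim checks a PH backend should apply to the returned ID token so that only users from the customer's own tenant are admitted. The client id, tenant id, PH URL and token are constructed placeholders; signature verification is assumed to happen elsewhere.

```javascript
// Constructed placeholders, not real registration values.
const KOVAI_CLIENT_ID = '11111111-2222-3333-4444-555555555555';   // multi-tenant app registration
const CUSTOMER_TENANT_ID = '99999999-8888-7777-6666-555555555555'; // customer's home Azure AD

// One config for all PH deployments: the tenant is not baked in, the user's
// home tenant is chosen at sign-in via the "organizations" authority.
function buildMsalConfig(phUrl) {
  return {
    auth: {
      clientId: KOVAI_CLIENT_ID,
      authority: 'https://login.microsoftonline.com/organizations',
      redirectUri: phUrl, // must match a redirect URL registered on the Kovai app exactly
    },
  };
}

// The authorize request the SPA sends; Azure AD rejects it if redirect_uri is
// not on the app registration's list, which is why the PH URL must be registered.
function authorizeUrl(cfg, state) {
  const p = new URLSearchParams({
    client_id: cfg.auth.clientId,
    response_type: 'code',
    redirect_uri: cfg.auth.redirectUri,
    scope: 'openid profile',
    state,
  });
  return `${cfg.auth.authority}/oauth2/v2.0/authorize?${p}`;
}

// Helper to construct an unsigned sample ID token for offline demonstration (alg=none).
function makeUnsignedToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

function decodeJwtPayload(jwt) {
  return JSON.parse(Buffer.from(jwt.split('.')[1], 'base64url').toString('utf8'));
}

// With a multi-tenant registration any Azure AD tenant can mint a valid token
// for the app, so after signature verification the backend must still pin the
// audience, tenant (tid) and issuer to this customer's PH instance.
function validateIdTokenClaims(claims, expectedTenantId, clientId) {
  if (claims.aud !== clientId) return 'wrong audience';
  if (claims.tid !== expectedTenantId) return 'token from another tenant';
  if (claims.iss !== `https://login.microsoftonline.com/${expectedTenantId}/v2.0`) return 'unexpected issuer';
  if (typeof claims.exp !== 'number' || claims.exp * 1000 < Date.now()) return 'expired';
  return 'ok';
}
```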

Summary

Hopefully, this document provides some additional technical notes on the ADAL to MSAL migration, explains how the login process works, and covers the additional steps involved in the one-time setup.
We will be monitoring the future roadmap for MSAL, as other users have requested the feature to dynamically configure the client id at runtime. Some developers have implemented custom-coded workarounds, but we feel that at this time it is better to stick to the out-of-the-box supported approaches, with the multi-tenant application being the way most ISVs implement this pattern. When Microsoft supports dynamically setting the tenant, we would look to provide this as an additional option for Serverless360 customers.

Reference

If you want more information about this topic, there are some additional links below:
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1403
https://stackoverflow.com/questions/67772591/dynamic-configuration-of-msal-2-in-angular
https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-client-application-configuration
https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md
