We have a SaaS web application hosted with a non-Azure provider. Currently users access it via built-in individual user accounts, but we are implementing multi-tenant SSO via Azure AD (OpenID Connect). The aim here is for each organisation (using Azure AD) to subscribe to our web application to allow their users to sign in.
I'm now trying to understand how to filter and match users from organisations with a subscription.
From what I have read, the Tenant ID appears to be the key identifier for a given organisation, and validating the token issuer is the place to start to restrict non-subscribed organisations. It appears that I can get the Tenant ID from the claim (http://schemas.microsoft.com/identity/claims/tenantid), which means I can validate a tenant in the code. So my simplistic approach would be to store a list of subscribed Tenant IDs and match them during the sign-in process.
So here are my questions:
Thanks in advance.
There are plenty of questions on Stack Overflow that relate to multi-tenanting in Azure AD, but none that address the management of Tenant IDs. To me there is an obvious question such as "Great, we have over 1000 clients who use Azure AD and would like to use SSO with our application. I can take a good guess as to what their domains are, but the Tenant ID is the truly unique identifier that I need for properly managing access. So how do I practicably get that from over 1000 clients, and is this information sensitive?"
The Microsoft documentation always redacts illustrations of the Tenant ID, so you might think it is sensitive information, but I have discovered it's pretty easy to get publicly. All you do is copy the following URL into a browser and you will see the Tenant ID:
https://login.microsoftonline.com/[your-tenant's-domain]/.well-known/openid-configuration
So for anyone interested, here are the answers to my own questions:
Do I need each organisation to provide me with their Tenant ID so that I can keep a list to match against during the sign-in process? Yes, it's better because the Tenant ID is unique, but if you are confident that the tenant's public domain is the same domain they use in Azure AD, then you can get the Tenant ID using the method described above.
If so, is the Tenant ID in any way sensitive information? Given the easy way to find a Tenant ID as described above, hopefully not!
Is there a way to manage a list of subscribed organisations or Tenant IDs in the Azure AD portal itself so that I do not need to filter it in the code? Yes, there is. It's called Tenant restrictions and it's a perfect solution, but you can only use it if you have a Premium 1 licence in Azure AD, which equals $$$ (see https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions).
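The in-code approach the question and answer describe (keep a list of subscribed Tenant IDs, read the tenant from the token, compare during sign-in, and look up a tenant's ID from its openid-configuration document), written out as an added example. This is not code from the original post; it is an illustration in Python. It assumes the OpenID Connect library has already verified the ID token's signature, audience and expiry, so only the tenant decision is made here. The tenant GUIDs, the sample claims and the sample metadata document are constructed placeholders, and the `tid` short claim name is the raw JWT form of the long claim URI mentioned in the question.

```python
"""Tenant allow-list check for a multi-tenant Azure AD (OpenID Connect) sign-in.

Added example, not from the original post. Assumes the ID token's signature,
audience and expiry have ALREADY been verified by the OIDC library; this code
only decides whether the caller's home tenant is one of our subscribers.
All tenant GUIDs below are constructed placeholders, not real tenants.
"""
import json
import re
import uuid
from typing import Mapping, Optional

# Constructed sample allow-list: the "list of subscribed Tenant IDs" the post
# proposes. In a real deployment this comes from the subscription database.
SUBSCRIBED_TENANTS = frozenset({
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
})

# Claim names under which the tenant id appears: 'tid' in a raw JWT payload,
# and the long URI from the question, which is how .NET surfaces the same claim.
TENANT_CLAIM_NAMES = ("tid", "http://schemas.microsoft.com/identity/claims/tenantid")

# Issuer formats that embed the tenant GUID:
#   v2.0 tokens: https://login.microsoftonline.com/{tenantid}/v2.0
#   v1.0 tokens: https://sts.windows.net/{tenantid}/
# Anything else (e.g. the literal "common" or "{tenantid}" placeholder) is rejected.
_ISSUER_RE = re.compile(
    r"^https://(?:login\.microsoftonline\.com/(?P<v2>[0-9a-f-]{36})/v2\.0"
    r"|sts\.windows\.net/(?P<v1>[0-9a-f-]{36})/)$",
    re.IGNORECASE,
)


def _normalise_guid(value) -> Optional[str]:
    """Return the canonical lowercase GUID, or None if value is not a GUID."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        return None


def tenant_id_from_issuer(issuer: str) -> Optional[str]:
    """Extract the tenant GUID embedded in an Azure AD issuer URL, or None."""
    m = _ISSUER_RE.match(issuer or "")
    if not m:
        return None
    return _normalise_guid(m.group("v2") or m.group("v1"))


def tenant_id_from_openid_configuration(document: str) -> Optional[str]:
    """Pull the tenant id out of a fetched .well-known/openid-configuration body.

    The tenant GUID is carried in the 'issuer' field of that JSON document, which
    is what the answer's "copy the URL into a browser" trick relies on.
    """
    try:
        data = json.loads(document)
    except ValueError:
        return None
    return tenant_id_from_issuer(data.get("issuer", ""))


def resolve_tenant(claims: Mapping[str, str]) -> Optional[str]:
    """Return the tenant id asserted by a verified token, or None if inconsistent.

    Both the issuer and the tenant id claim name the tenant; requiring them to
    agree rejects a token where either is missing, malformed or contradictory.
    """
    iss_tenant = tenant_id_from_issuer(claims.get("iss", ""))
    claim_tenant = None
    for name in TENANT_CLAIM_NAMES:
        if name in claims:
            claim_tenant = _normalise_guid(claims[name])
            break
    if iss_tenant is None or claim_tenant is None or iss_tenant != claim_tenant:
        return None
    return iss_tenant


def is_subscribed(claims: Mapping[str, str],
                  subscribed: frozenset = SUBSCRIBED_TENANTS) -> bool:
    """Sign-in gate: allow only users whose home tenant has a subscription."""
    tenant = resolve_tenant(claims)
    return tenant is not None and tenant in subscribed


# Constructed sample metadata document, shaped like the real endpoint's response.
SAMPLE_OPENID_CONFIG = json.dumps({
    "issuer": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/.../oauth2/v2.0/authorize",
})

if __name__ == "__main__":
    sample_claims = {
        "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
        "tid": "11111111-1111-1111-1111-111111111111",
    }
    print(is_subscribed(sample_claims))
    print(tenant_id_from_openid_configuration(SAMPLE_OPENID_CONFIG))
```

The cross-check between the issuer and the tenant claim is deliberate: a multi-tenant registration accepts tokens from any tenant, so the application, not the identity provider, is the only place where "is this tenant a subscriber" gets enforced, and comparing one canonical GUID against the allow-list avoids the domain-name guessing the answer warns about.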