Question

I have the following services:

  • Service1.SomeDomain.com
  • Service2.SomeDomain.com
  • Service3.SomeDomain.com

I have a Web application that has a client-side script that will talk directly to each of the above services to retrieve information:

Web.SomeDomain.com

I also have native mobile client applications which will also talk directly to each of the above services:

  • Android
  • iOS
  • Windows/Windows Phone

Now this application will be a SaaS solution where customers can sign up online, create their own tenant, and then create user accounts for their employees, add the employees to groups and change the permissions of those groups.

Now I need a solution where a user can log on to a mobile application or the Web and be allowed to access the above-mentioned services depending on their groups' permissions, but I want strong separation of each tenant.

Solution

Looking at the tags it seems you are considering Azure AD. Good choice. Azure AD allows developers to secure their SAAS APIs and Web/Mobile Apps. Azure AD satisfies all the requirements that you've described - it even has client SDKs for the popular platforms. The following should see you through:

  1. Authentication scenarios supported by AAD (http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx): will answer questions like - how can my mobile app access my multi-tenant web api on behalf of the user, or how can my web app sign-in the user as well as receive a delegated token to access my web api
  2. AAD integrated multi-tenant SAAS application sample (https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet): covers special techniques for multi-tenant apps
  3. Authorization using group membership (https://azure.microsoft.com/en-us/documentation/articles/web-sites-authentication-authorization/): describes how you can perform authorization in your application per the group membership of users.

Enjoy. Hope this helps.
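
The tenant separation asked for in the question and the group-based authorization in item 3 both come down to checks each service runs on the token's claims. The sketch below is an added example, not code from the answer or from the linked Microsoft samples; it assumes a JWT library has already verified the token's signature, audience and expiry, and the tenant IDs, group IDs, permission names and the `authorize` helper are hypothetical.

```python
# Constructed sample data: each onboarded tenant maps its own group object IDs
# to permissions. All IDs and permission names here are hypothetical.
ONBOARDED_TENANTS = {
    "11111111-1111-1111-1111-111111111111": {
        "aaaaaaaa-0000-0000-0000-000000000001": {"service1.read", "service2.read"},
        "aaaaaaaa-0000-0000-0000-000000000002": {"service1.read", "service1.write"},
    },
    "22222222-2222-2222-2222-222222222222": {
        "bbbbbbbb-0000-0000-0000-000000000001": {"service3.read"},
    },
}
ISSUER_TEMPLATE = "https://sts.windows.net/{tid}/"  # Azure AD v1 issuer format


class AccessDenied(Exception):
    """Raised whenever a request must be rejected."""


def authorize(claims, required_permission, resource_tenant_id):
    """Return the caller's tenant ID if access is allowed, else raise.

    `claims` must come from a token whose signature, audience and expiry
    were ALREADY verified (assumed here, not performed).
    """
    tid = claims.get("tid")
    groups_by_tenant = ONBOARDED_TENANTS.get(tid)
    if groups_by_tenant is None:
        raise AccessDenied("tenant has not signed up")
    # A multi-tenant app accepts tokens from many issuers, so the issuer is
    # tied to the tid claim explicitly instead of compared to one fixed value.
    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        raise AccessDenied("issuer does not match tenant")
    # Tenant separation: a caller may only touch data owned by its own tenant.
    if resource_tenant_id != tid:
        raise AccessDenied("cross-tenant access")
    # Only this tenant's group-to-permission map is consulted, so a group ID
    # belonging to another tenant grants nothing.
    granted = set()
    for group_id in claims.get("groups") or []:
        granted |= groups_by_tenant.get(group_id, set())
    if required_permission not in granted:
        raise AccessDenied("missing permission " + required_permission)
    return tid
```

The function fails closed: a token with no `groups` claim, an unknown tenant, or a mismatched issuer is rejected rather than granted a default.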

Licensed under: CC-BY-SA with attribution