Microsoft Entra (SAMLSPBroker)
Last updated
In this scenario, a web resource, Fortified ID Portal, will be protected by an "external SAML IdP" for authentication.
The external SAML IdP is Microsoft Entra. The web resource Fortified ID Portal acts as a SAML SP. Fortified ID WEB acts as a SAML SP towards Microsoft Entra and as a SAML IdP for Fortified ID Portal.
The user is also authorized against an LDAP directory for additional attributes to be fetched. This step is optional.
There are some prerequisites for this use case. You will need the following environment:
This use case assumes that you have good knowledge of the product in question.
You need a Microsoft Entra tenant.
Fortified ID WEB installed and configured.
LDAP directory. The remotely authenticated users are validated against this directory and attributes are fetched from the LDAP object. The example configuration uses an Active Directory. We are using the mail attribute on the Active Directory user for authentication.
Fortified ID Portal installed and configured (you can of course use any SAML SP connected to the Fortified ID WEB SAML IdP).
Note. All configuration and testing is done on the scenario server.
Download and install Fortified ID Web and Fortified ID Portal
To install Integrity Web and Integrity Portal, see the documentation and installation instructions.
Add files and folders from ZIP-file to Fortified ID Web and Fortified ID Portal.
Download the microsoft_entra_use_case.zip.
Replace the customer folders of your installations with the ones from the zip file. Note. This use case was initially done on a Windows server; if you run Container/Docker or Linux you might have to change some things, e.g. file paths, to make it work in your environment.
Open the globals.json in both customer folders and update to match your environment.
Open a browser and browse to https://entra.microsoft.com
Login to access your Microsoft Entra tenant
Find Enterprise application admin view
Click in the search field
Type Enterprise applications
Click Enterprise applications in result
Create an application
Click New application
Click Create your own application
Type a name, e.g. Fortified ID Integrity WEB
Click Create
Configure your application
Under heading Getting Started
Under heading 1. Assign users and groups, click Assign users and groups
Click Add user/group
Select the users that should be able to login
Click Assign
Click Overview in settings for your applications
Under heading 2. Set up single sign on, click Get started
Click SAML if asked
Under Basic SAML Configuration click Edit
In Identifier (Entity ID) section
Click Add identifier. In our example it is https://fortifiedid.se/sp_entra. You will see where this value is created later when we look at the SAML SP metadata template file.
In Reply URL (Assertion Consumer Service URL) section
Click Add reply URL. In our example it is https://dev.fortifiedid.se/saml/authn/microsoft_entra. Change dev.fortifiedid.se in the URL to your address. You will see where this value is created later when we look at the SAML SP metadata template file.
Under Attributes & Claims click Edit (for this use case I have added two additional claims):
display_name_from_entra <-> user.displayname
username_from_entra <-> user.department. In department I added the user ID used in Active Directory for mapping identities. In this use case we use mail in Active Directory. For example, if I log in as userid_entra@fortifiedid.onmicrosoft.com I need to map it to an identity in Active Directory, for example userid_ad@fortifiedid.se. In this use case I added userid_ad@fortifiedid.se to department for the corresponding user userid_entra@fortifiedid.onmicrosoft.com in Entra.
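The mapping described above (the Entra department value carried in the username_from_entra claim is matched against the mail attribute of an Active Directory object, and the object's attributes are then fetched) can be illustrated with the following added example. It is not Fortified ID code: the AttributeStatement and the directory are constructed stand-ins for the Entra assertion and the LDAP lookup, and the function names are my own. It applies to attributes taken from an assertion whose signature the broker has already validated.

```python
"""Map the Entra 'username_from_entra' claim to a directory identity keyed on mail.

Added example, not Fortified ID code. The attribute statement and the directory
below are constructed stand-ins for the Entra assertion and the Active Directory
lookup; the broker validates the assertion signature before this step runs.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AttributeStatement carrying the two claims configured in Entra.
SAMPLE_ATTRIBUTE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="display_name_from_entra">
    <saml:AttributeValue>Entra Test User</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="username_from_entra">
    <saml:AttributeValue>userid_ad@fortifiedid.se</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed stand-in for the Active Directory, keyed on the mail attribute
# (lower-cased, since mail is compared case-insensitively in the directory).
SAMPLE_DIRECTORY = {
    "userid_ad@fortifiedid.se": {
        "sAMAccountName": "userid_ad",
        "displayName": "AD Test User",
        "memberOf": ["CN=Portal Users,OU=Groups,DC=fortifiedid,DC=se"],
    },
}


def extract_claims(attribute_statement_xml: str) -> dict[str, list[str]]:
    """Return {claim name: [values]} from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(attribute_statement_xml)
    claims: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        if not name:
            continue
        values = [
            (v.text or "").strip()
            for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")
        ]
        claims[name] = [v for v in values if v]
    return claims


def resolve_identity(claims, directory, claim_name="username_from_entra"):
    """Look up the directory object whose mail equals the mapping claim.

    Returns the directory entry, or None when the claim is absent, empty,
    carries more than one value (ambiguous) or matches no directory object.
    """
    values = claims.get(claim_name, [])
    if len(values) != 1:
        return None
    return directory.get(values[0].lower())


def fetch_directory_attributes(attribute_statement_xml, directory=SAMPLE_DIRECTORY):
    """Authorize the assertion's subject against the directory and return the
    additional attributes fetched from the LDAP object (None if not authorized)."""
    claims = extract_claims(attribute_statement_xml)
    return resolve_identity(claims, directory)


if __name__ == "__main__":
    print(fetch_directory_attributes(SAMPLE_ATTRIBUTE_STATEMENT))
```

A user whose department value is empty, holds several values, or does not match any mail in the directory resolves to None and is therefore not authorized, which is the behaviour you want from a mapping attribute that is maintained by hand.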
Save value for "App Federation Metadata Url"
Click Overview for your Enterprise applications
Under heading 2. Set up single sign on, click Get started
Under heading SAML Certificates (section 3)
Copy value of App Federation Metadata Url and save it for later
The value looks like https://login.microsoftonline.com/xxx/federationmetadata/2007-06/federationmetadata.xml?appid=yyy, where xxx and yyy are unique values for your Entra tenant.
Save value for "Microsoft Entra Identifier"
Click Overview for your Enterprise applications
Under heading 2. Set up single sign on, click Get started
Under heading Set up your app name (section 4)
Copy value of Microsoft Entra Identifier and save it for later
The value looks like https://sts.windows.net/zzz, where zzz is a unique value for your Entra tenant.
Note that the config.json file of Fortified ID WEB is already configured; you are just going to add your environment data, such as the Microsoft Entra values from the previous step.
Update config.json
Update SAML metadata template file
You can also have globals.json open as reference.
There are three (3) parts of config.json to configure:
Change metadata URL to your Microsoft Entra IdP metadata URL
Go to line 73
Change the URL below to your App Federation Metadata Url value (the value you copied in the previous step): https://login.microsoftonline.com/xxx/federationmetadata/2007-06/federationmetadata.xml?appid=yyy
Change value for target_idp_entity to your Microsoft Entra Identifier URL value
Go to line 150
Change the URL below to your Microsoft Entra Identifier value (the value you copied in the previous step): https://sts.windows.net/zzz
Verify configuration for SAML metadata for Fortified ID WEB acting as SAML SP.
Go to lines 53-64.
This is data you might want to change, or you can use the use case data for testing.
In file system, open folder drive:\FortifiedID\web\customer\config\resources_internal\saml\metadata_template
Open the file fortifiedid_samlspbroker_entra_template.xml
In entityID you will find the value we used in the previous step when configuring Entra to use this Fortified ID SAML SP. We use https://fortifiedid.se/sp_entra as entityID.
In Location you will find the value we used in the previous step when configuring Entra to use this Fortified ID SAML SP. Change the URL in Location from dev.fortifiedid.se to your address.
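The values entered in Entra (Identifier, Reply URL, Microsoft Entra Identifier), the entityID and Location in the SP metadata template, and target_idp_entity in config.json all have to agree, and a mismatch in any of them is the usual reason the redirect to Entra fails. The following added check (example code, not part of the Fortified ID product) parses the SP template and the Entra federation metadata and compares them with the configured values. The two metadata documents are constructed placeholders shaped after the use case; target_idp_entity is the key the use case mentions, the other key names are my own.

```python
"""Check that the SP metadata template, the Entra app registration and the
config.json values agree with each other.

Added example, not Fortified ID code. The metadata documents and the
Entra/config values below are constructed from the use case's placeholders;
target_idp_entity is the key the use case mentions, the other names are assumed.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ACS_TAG = f"{{{MD_NS}}}AssertionConsumerService"

# Constructed SP metadata in the shape of fortifiedid_samlspbroker_entra_template.xml.
SP_METADATA_TEMPLATE = f"""
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://fortifiedid.se/sp_entra">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev.fortifiedid.se/saml/authn/microsoft_entra" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for the Entra federation metadata document (xxx/zzz are
# the use case's placeholders for tenant-specific values).
IDP_FEDERATION_METADATA = f"""
<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.windows.net/zzz">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/xxx/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Values entered in the Entra portal (Basic SAML Configuration and section 4).
ENTRA_APP = {
    "identifier": "https://fortifiedid.se/sp_entra",
    "reply_url": "https://dev.fortifiedid.se/saml/authn/microsoft_entra",
    "microsoft_entra_identifier": "https://sts.windows.net/zzz",
}

# The config.json value changed on line 150 of the use case configuration.
TARGET_IDP_ENTITY = "https://sts.windows.net/zzz"


def sp_values(sp_xml):
    """Return (entityID, [AssertionConsumerService Location, ...]) from SP metadata."""
    root = ET.fromstring(sp_xml)
    return root.get("entityID"), [acs.get("Location") or "" for acs in root.iter(ACS_TAG)]


def idp_entity_id(idp_xml):
    """Return the entityID of an IdP metadata document."""
    return ET.fromstring(idp_xml).get("entityID")


def check_alignment(sp_xml, idp_xml, entra_app, target_idp_entity):
    """Return a list of mismatches; an empty list means everything lines up."""
    problems = []
    entity_id, locations = sp_values(sp_xml)
    if entity_id != entra_app["identifier"]:
        problems.append(f"Identifier (Entity ID) in Entra is {entra_app['identifier']!r} "
                        f"but the SP template entityID is {entity_id!r}")
    if entra_app["reply_url"] not in locations:
        problems.append(f"Reply URL {entra_app['reply_url']!r} is not an "
                        f"AssertionConsumerService Location in the SP template {locations}")
    for loc in locations:
        if not loc.startswith("https://"):
            problems.append(f"AssertionConsumerService Location {loc!r} is not HTTPS")
    idp_id = idp_entity_id(idp_xml)
    if idp_id != target_idp_entity:
        problems.append(f"target_idp_entity {target_idp_entity!r} does not match the "
                        f"entityID {idp_id!r} in the federation metadata")
    if entra_app["microsoft_entra_identifier"] != idp_id:
        problems.append(f"Microsoft Entra Identifier {entra_app['microsoft_entra_identifier']!r} "
                        f"does not match the federation metadata entityID {idp_id!r}")
    return problems


if __name__ == "__main__":
    for problem in check_alignment(SP_METADATA_TEMPLATE, IDP_FEDERATION_METADATA,
                                   ENTRA_APP, TARGET_IDP_ENTITY) or ["all values agree"]:
        print(problem)
```

To use it against a real installation, read the template file and the downloaded federation metadata into the two strings and fill ENTRA_APP from what you saved in the Entra portal; a non-empty result tells you exactly which of the three places to correct before starting the service.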
Start the service and verify the start by looking through the server.log file.
Open a browser
Browse to https://dev.fortifiedid.se/portal/. Change dev.fortifiedid.se to match your environment.
You should now be redirected to the Entra login page.
Login using your Microsoft Entra ID
You should now be logged in to Fortified ID Portal
Tip. Use a SAML tracer in your browser to view the data added.