Microsoft Entra ID (SAMLSPBroker)


Last updated 1 month ago

Scenario

In this scenario, we extend the default installation with Microsoft Entra ID authentication.

In this use case:

  • Fortified ID Access acts as the bridge/proxy between the application and Microsoft Entra ID

    • Towards Microsoft Entra ID, Fortified ID Access acts as a SAML SP

    • Towards the SAML SP application, Fortified ID Access acts as a SAML IdP

Prerequisites

  • This use case assumes that you have good knowledge of the product in question.

  • Fortified ID Access installed and configured with the default configuration

  • A Microsoft Entra ID tenant in which you have administrative rights

Install and prepare configuration

  1. Download the ZIP file for this use case

  2. Add the files and folders from the ZIP file to the config folder, e.g. C:\Program Files\FortifiedID\mgmt-center\data\customer\access

  3. Append your globals with the following parameters and adjust them to your needs. xxx, yyy and zzz are placeholders; the real values are taken from your Entra tenant in the section Extract config values for Global below.

{
  "samlspbroker_entraid_metadata_id": "fortifiedid_sp_entraid",
  "samlspbroker_entraid_template": "${system.customer_home}/resources/fortifiedid_samlspbroker_entra_template.xml",
  "samlspbroker_entraid_spentityid": "${globals.default_saml_entity_id}/entraidsp",
  "samlspbroker_entraid_target_idp": "https://sts.windows.net/zzz/",
  "samlspbroker_entraid_metadata_url": "https://login.microsoftonline.com/xxx/federationmetadata/2007-06/federationmetadata.xml?appid=yyy"
}

  4. Append the translations file with the following translation

{
  "samlspbroker_entraid_label": "Microsoft Entra ID"
}

  5. Append the selector with a reference to the new authenticator by adding this block to the default selector. The target value (entraid) is also the last path segment of the Reply URL you will register in Entra.

{
    "id": "10",
    "target": "entraid",
    "label": "samlspbroker_entraid_label",
    "logo": "assets/svg/microsoft.svg"
}

  6. Append the SAML module with the new SAML SP configuration. sign_ref points at the keystore holding the SP's signing key; keep the keystore password out of plain-text configuration (see Encrypt configuration secrets).

{
  "id": "${globals.samlspbroker_entraid_metadata_id}",
  "metadata_file_path": "${globals.samlspbroker_entraid_template}",
  "sign_ref": [
    {
      "keystore": {
        "key_password": "${globals.default_keystore_password}",
        "password": "${globals.default_keystore_password}",
        "path": "${globals.default_saml_keystore}"
      }
    }
  ]
}

  7. Restart the Access service
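To see what the ${globals.*} and ${system.*} references in the fragments above expand to, and which two values the Entra side must be given, here is an added Python example. It is not part of Fortified ID Access or of this guide. The values of default_saml_entity_id, default_login_location, default_login_suffix and system.customer_home are assumptions chosen to match the example URLs used later on this page, and the Reply URL join rule (default_login_location/default_login_suffix/entraid) is the one the page states.

```python
"""Resolve ${globals.*}/${system.*} references and derive the Entra-side values.

Added example; not part of Fortified ID Access. The default_* values and the
system.customer_home path are assumptions chosen to match the example URLs in
this guide, and the Reply URL join rule (default_login_location /
default_login_suffix / entraid) is the one the guide states.
"""
import re

REF = re.compile(r"\$\{(globals|system)\.([A-Za-z0-9_]+)\}")

SYSTEM = {  # assumed
    "customer_home": r"C:\Program Files\FortifiedID\mgmt-center\data\customer\access",
}

GLOBALS = {
    # Assumed defaults from the base installation (not listed in this guide).
    "default_saml_entity_id": "http://access.fortifiedid.se",
    "default_login_location": "https://localhost:8443",
    "default_login_suffix": "access/authn",
    # The parameters appended in step 3 above.
    "samlspbroker_entraid_metadata_id": "fortifiedid_sp_entraid",
    "samlspbroker_entraid_template":
        "${system.customer_home}/resources/fortifiedid_samlspbroker_entra_template.xml",
    "samlspbroker_entraid_spentityid": "${globals.default_saml_entity_id}/entraidsp",
    "samlspbroker_entraid_target_idp": "https://sts.windows.net/zzz/",
    "samlspbroker_entraid_metadata_url":
        "https://login.microsoftonline.com/xxx/federationmetadata/2007-06/"
        "federationmetadata.xml?appid=yyy",
}


def resolve(value, globals_=None, system=None, _seen=()):
    """Expand every ${scope.name} in value, recursively.

    Unknown names raise KeyError and self-referencing chains raise ValueError,
    so a typo in a global is caught here instead of surfacing as a broken
    entity ID at runtime.
    """
    globals_ = GLOBALS if globals_ is None else globals_
    system = SYSTEM if system is None else system

    def expand(match):
        scope, name = match.group(1), match.group(2)
        key = f"{scope}.{name}"
        if key in _seen:
            raise ValueError(f"cyclic reference through {key}")
        table = globals_ if scope == "globals" else system
        if name not in table:
            raise KeyError(f"unresolved reference {key}")
        return resolve(table[name], globals_, system, _seen + (key,))

    return REF.sub(expand, value)


def entra_values(globals_=None, selector_target="entraid"):
    """Return the Identifier (Entity ID) and Reply URL to enter in Entra, plus warnings."""
    globals_ = GLOBALS if globals_ is None else globals_
    entity_id = resolve(globals_["samlspbroker_entraid_spentityid"], globals_)
    location = resolve(globals_["default_login_location"], globals_).rstrip("/")
    suffix = resolve(globals_["default_login_suffix"], globals_).strip("/")
    # The last segment must equal the selector's "target" value.
    reply_url = f"{location}/{suffix}/{selector_target}"

    warnings = []
    if not reply_url.startswith("https://"):
        warnings.append("Reply URL is not https: the SAML response would travel in clear")
    if "localhost" in reply_url:
        warnings.append("Reply URL points at localhost; replace it with the address users reach")
    return {"entity_id": entity_id, "reply_url": reply_url, "warnings": warnings}


if __name__ == "__main__":
    for key in ("samlspbroker_entraid_template", "samlspbroker_entraid_spentityid"):
        print(f"{key} = {resolve(GLOBALS[key])}")
    print(entra_values())
```

Run it after editing the globals: the printed entity_id and reply_url are the strings to paste into Entra's Basic SAML Configuration, and the localhost warning is the reminder to replace the example address before exposing the service.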

Configure your Microsoft Entra tenant

Log in to the Entra admin portal

  1. Log in at https://entra.microsoft.com with an account that has administrative rights in your Microsoft Entra tenant

Create and configure an enterprise application

  1. Find the Enterprise applications admin view

    1. Click in the search field

    2. Type Enterprise applications

    3. Click Enterprise applications in the result list

  2. Create an application

    1. Click New application

    2. Click Create your own application

    3. Type a name, e.g. Fortified ID Integrity Access

    4. Click Create

  3. Configure your application

    1. Under the heading Getting Started, under 1. Assign users and groups, click Assign users and groups

      1. Click Add user/group

      2. Select the users (or groups) that should be able to log in. Only assigned users can sign in as long as the application's Assignment required? property is Yes; leave it at Yes so the broker does not become a sign-in path for every account in the tenant.

      3. Click Assign

    2. Click Overview in the application's menu

    3. Under the heading 2. Set up single sign on, click Get started

      1. Click SAML if asked

      2. Under Basic SAML Configuration, click Edit

        1. In the Identifier (Entity ID) section, click Add identifier. In our example it is http://access.fortifiedid.se/entraidsp. This is configurable in the global parameter samlspbroker_entraid_spentityid, and the two must match character for character.

        2. In the Reply URL (Assertion Consumer Service URL) section, click Add reply URL. In our example it is https://localhost:8443/access/authn/entraid; change localhost:8443 to the address your users reach. This value is concatenated from the global parameters default_login_location/default_login_suffix/entraid. Entra only posts the SAML response to a registered reply URL, so it must match exactly.

      3. Under Attributes & Claims, click Edit (for this use case additional claims were added; the one relevant to the default configuration is listed below)

        1. username <-> user.userPrincipalName. The default installation expects the attribute username to be set, so this might not be necessary in your configuration.

Extract config values for Global

Save the value of "App Federation Metadata Url"

  1. Click Overview for your enterprise application

  2. Under the heading 2. Set up single sign on, click Get started

  3. Under the heading SAML Certificates (section 3)

  4. Copy the value of App Federation Metadata Url and replace the value of samlspbroker_entraid_metadata_url in Globals

  5. The value looks like https://login.microsoftonline.com/xxx/federationmetadata/2007-06/federationmetadata.xml?appid=yyy, where xxx and yyy are unique to your tenant and application. The IdP signing certificate is learned from this document, so keep the https scheme as given.

Save the value of "Microsoft Entra Identifier"

  1. Click Overview for your enterprise application

  2. Under the heading 2. Set up single sign on, click Get started

  3. Under the heading Set up <your app name> (section 4)

  4. Copy the value of Microsoft Entra Identifier and replace the value of samlspbroker_entraid_target_idp in Globals

  5. The value looks like https://sts.windows.net/zzz/, where zzz is your tenant ID. Copy it exactly, including the trailing slash: it must equal the Issuer that Entra puts in its SAML responses, and a value that differs only by the slash is still a mismatch.
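The two values copied above can be cross-checked against the metadata document itself before the service is restarted. The following Python example is added here and is not part of Fortified ID Access or of this guide: it parses an Entra-style federation metadata document (a constructed sample is embedded; in practice you would fetch samlspbroker_entraid_metadata_url) and reports the mismatches that otherwise only show up as a failed login, above all an Issuer that differs from samlspbroker_entraid_target_idp by a trailing slash, a missing signing certificate, or a missing SSO endpoint.

```python
"""Verify the values copied from Entra against the metadata Entra publishes.

Added example; not part of Fortified ID Access or this guide. It parses an
Entra-style federation metadata document (a constructed sample is embedded
below; in practice you would GET samlspbroker_entraid_metadata_url) and checks
the points that make a SAMLSPBroker setup fail silently: the IdP entityID must
equal samlspbroker_entraid_target_idp exactly, a signing certificate must be
published, and an HTTP-Redirect/HTTP-POST SingleSignOnService must exist.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape Entra publishes. "zzz" stands in for the
# tenant id; the certificate is a syntactically valid but meaningless DER
# blob (SEQUENCE { INTEGER 1 }), not a real key. Real metadata also carries
# a ds:Signature and WS-Fed RoleDescriptors, which this check ignores.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/zzz/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/zzz/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/zzz/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return (entityID, [signing certs as DER bytes], {binding: location})."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor: " + root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()), validate=True)
            if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
                raise ValueError("X509Certificate content is not DER")
            certs.append(der)
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return root.get("entityID"), certs, sso


def check_metadata_url(url):
    """The metadata carries the IdP signing key, so it must arrive over https."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("metadata URL is not https; the signing certificate could be swapped in transit")
    if "appid" not in parse_qs(parts.query):
        problems.append("metadata URL lacks ?appid=; use the App Federation Metadata Url of this application")
    return problems


def check_against_globals(xml_text, target_idp):
    """Compare metadata with samlspbroker_entraid_target_idp; return a list of problems."""
    entity_id, certs, sso = parse_idp_metadata(xml_text)
    problems = []
    if entity_id != target_idp:
        msg = f"issuer mismatch: metadata says {entity_id!r}, globals say {target_idp!r}"
        if entity_id.rstrip("/") == target_idp.rstrip("/"):
            msg += " (only the trailing slash differs; copy the Entra value exactly)"
        problems.append(msg)
    if not certs:
        problems.append("no signing certificate in metadata; SAML responses cannot be verified")
    if REDIRECT not in sso and POST not in sso:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    problems += [f"SSO endpoint is not https: {loc}" for loc in sso.values()
                 if not loc.startswith("https://")]
    return problems


if __name__ == "__main__":
    for configured in ("https://sts.windows.net/zzz/", "https://sts.windows.net/zzz"):
        print(configured, "->", check_against_globals(SAMPLE_METADATA, configured) or "OK")
```

Against real metadata, replace SAMPLE_METADATA with the body fetched from samlspbroker_entraid_metadata_url; the check is deliberately read-only and does not validate the ds:Signature on the document, which is why the https requirement in check_metadata_url matters.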

Test the configuration

Open a browser and browse to https://localhost:8443/access/authn/samllogin (the default login URL), or browse to any site protected by the Access server.

  1. The selector should now be displayed, including the new option "Microsoft Entra ID".

  2. Select "Microsoft Entra ID"

  3. You are redirected to Microsoft Entra ID for authentication

  4. After a successful authentication you are redirected back to the Access server and finally to the selected application or the Fortified ID test application. If Entra instead shows an error about the reply URL or identifier, compare the values registered in the enterprise application with the ones your globals produce.