Microsoft Entra ID (SAMLSPBroker)

Scenario

In this scenario, we will extend the default installation with Microsoft Entra ID authentication.

In this use case:

  • Fortified ID Access will act as the bridge/proxy between the application and Microsoft Entra ID

    • Fortified ID Access will act as a SAML SP towards Microsoft Entra ID

    • Fortified ID Access will act as a SAML IdP towards the SAML SP application

Prerequisite

  • This use case assumes that you have good knowledge of the product in question.

  • Fortified ID Access installed and configured with the default configuration

  • You need a Microsoft Entra ID tenant with administrative rights

Install and prepare configuration

  1. Download this file

  2. Add the files and folders from the ZIP file to the config folder, e.g. C:\Program Files\FortifiedID\mgmt-center\data\customer\access

  3. Append your globals with the following parameters and adjust them to your needs

{
  "samlspbroker_entraid_metadata_id": "fortifiedid_sp_entraid",
  "samlspbroker_entraid_template": "${system.customer_home}/resources/fortifiedid_samlspbroker_entra_template.xml",
  "samlspbroker_entraid_spentityid": "${globals.default_saml_entity_id}/entraidsp",
  "samlspbroker_entraid_target_idp": "https://sts.windows.net/zzz/",
  "samlspbroker_entraid_metadata_url": "https://login.microsoftonline.com/xxx/federationmetadata/2007-06/federationmetadata.xml?appid=yyy"
}

  4. Append the translations file with the following translation

{
  "samlspbroker_entraid_label": "Microsoft Entra ID"
}

  5. Add a reference to the new authenticator by appending this block to the default selector

{
    "id": "10",
    "target": "entraid",
    "label": "samlspbroker_entraid_label",
    "logo": "assets/svg/microsoft.svg"
}

  6. Append the SAML module with the new SAML SP configuration

{
  "id": "${globals.samlspbroker_entraid_metadata_id}",
  "metadata_file_path": "${globals.samlspbroker_entraid_template}",
  "sign_ref": [
    {
      "keystore": {
        "key_password": "${globals.default_keystore_password}",
        "password": "${globals.default_keystore_password}",
        "path": "${globals.default_saml_keystore}"
      }
    }
  ]
}

  7. Restart the Access service

Configure your Microsoft Entra tenant

Log in to the Entra admin portal

  1. Open a browser and browse to https://entra.microsoft.com

  2. Log in to access your Microsoft Entra tenant

Create and configure an enterprise application

  1. Find Enterprise application admin view

    1. Click in the search field

    2. Type Enterprise applications

    3. Click Enterprise applications in result

  2. Create an application

    1. Click New application

    2. Click Create your own application

    3. Type a name, e.g. Fortified ID Integrity Access

    4. Click Create

  3. Configure your application

    1. Under heading Getting Started

    2. Under heading 1. Assign users and groups, click Assign users and groups

      1. Click Add user/group

      2. Select the users that should be able to log in

      3. Click Assign

    3. Click Overview in the settings for your application

    4. Under heading 2. Set up single sign on, click Get started

      1. Click SAML if asked

      2. Under Basic SAML Configuration click Edit

        1. In the Identifier (Entity ID) section

        2. Click Add identifier. In our example it is http://access.fortifiedid.se/entraidsp; the value is set by the global parameter samlspbroker_entraid_spentityid.

        3. In the Reply URL (Assertion Consumer Service URL) section

        4. Click Add reply URL. In our example it is https://localhost:8443/access/authn/entraid; replace localhost:8443 with your own address. This value is concatenated from the global parameters default_login_location/default_login_suffix/entraid.

      3. Under Attributes & Claims, click Edit (for this use case I have added two additional claims)

        1. username <-> user.userPrincipalName. The default installation expects the attribute username to be set, so this claim might not be necessary in your configuration.

Extract config values for Global

Save value for "App Federation Metadata Url"

  1. Click Overview for your enterprise application

  2. Under heading 2. Set up single sign on, click Get started

  3. Under heading SAML Certificates (section 3)

  4. Copy value of App Federation Metadata Url and replace the value in Globals samlspbroker_entraid_metadata_url

  5. The value looks like https://login.microsoftonline.com/xxx/federationmetadata/2007-06/federationmetadata.xml?appid=yyy, where xxx and yyy are values unique to your Entra tenant

Save value for "Microsoft Entra Identifier"

  1. Click Overview for your enterprise application

  2. Under heading 2. Set up single sign on, click Get started

  3. Under heading Set up your app name (section 4)

  4. Copy value of Microsoft Entra Identifier and replace the value in Globals samlspbroker_entraid_target_idp

  5. The value looks like https://sts.windows.net/zzz, where zzz is a value unique to your Entra tenant
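To confirm that the two values copied above agree with each other before restarting Access, here is an added Python check (not part of Fortified ID Access or this guide): it parses the federation metadata document served at samlspbroker_entraid_metadata_url and verifies that its entityID matches samlspbroker_entraid_target_idp, also pulling out the signing certificate and the HTTP-Redirect SSO endpoint. The metadata below is a constructed sample with a placeholder tenant id and certificate, standing in for the document you would download from the URL. SAML entity IDs compare as exact strings, so the check reports a trailing-slash difference (note that the globals example above uses https://sts.windows.net/zzz/ with a trailing slash) separately from a wrong tenant.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an Entra federation metadata document (structure only).
# The tenant id and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-PLACEHOLDER-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def parse_idp_metadata(xml_text):
    """Extract the values Access relies on: entityID (the Microsoft Entra
    Identifier), the signing certificate(s) and the HTTP-Redirect SSO URL."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata; assertions could not be verified")
    sso = idp.find("md:SingleSignOnService"
                   "[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']", NS)
    return {"entity_id": root.get("entityID"),
            "signing_certs": certs,
            "sso_redirect": sso.get("Location") if sso is not None else None}


def check_target_idp(metadata, configured_target_idp):
    """Compare the configured samlspbroker_entraid_target_idp with the metadata
    entityID. Entity IDs match as exact strings, so a missing or extra trailing
    slash is reported on its own rather than lumped in with a wrong tenant."""
    actual = metadata["entity_id"]
    if actual == configured_target_idp:
        return "ok"
    if actual.rstrip("/") == configured_target_idp.rstrip("/"):
        return "slash-mismatch"
    return "mismatch"
```

Replace SAMPLE_METADATA with the text fetched from your own samlspbroker_entraid_metadata_url and pass the value from your globals to check_target_idp; anything other than "ok" means the SAML SP will not accept the IdP's assertions.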

Test the configuration

  1. Browse to a site protected by the Access server. Optionally, the default login URL https://localhost:8443/access/authn/samllogin can be used.

  2. The selector should now be displayed, including the new option for "Microsoft Entra ID".

  3. Select "Microsoft Entra ID"

  4. You will be redirected to Microsoft Entra ID for authentication

  5. After a successful authentication you will be redirected back to the Access server and finally to the selected application or the Fortified ID test application.
