Microsoft Entra ID (SAMLSPBroker)
Last updated
In this scenario, we will extend the default installation with Microsoft Entra ID authentication.
In this use case:
Fortified ID Access will act as the bridge/proxy between the application and Microsoft Entra ID
Fortified ID Access will act as a SAML SP to Microsoft Entra ID
Fortified ID Access will act as a SAML IdP to SAML SP application
This use case assumes that you have good knowledge of the product in question.
Fortified ID Access installed and configured with the default configuration
You need a Microsoft Entra ID tenant with administrative rights
Download
Add the files and folders from the ZIP file to the config folder, e.g. C:\Program Files\FortifiedID\mgmt-center\data\customer\access
Append your globals with the following parameters and adjust them to your needs
Append the translations file with the following translation
Append the selector with a reference to the new authenticator by appending this block to the default selector
Append the SAML Module with the new SAML SP configuration
Restart the Access service
Log in to your Microsoft Entra tenant
Find Enterprise application admin view
Click in the search field
Type Enterprise applications
Click Enterprise applications in result
Create an application
Click New application
Click Create your own application
Type a name, e.g. Fortified ID Integrity Access
Click Create
Configure your application
Under heading Getting Started
Under heading 1. Assign users and groups, click Assign users and groups
Click Add user/group
Select the users that should be able to log in
Click Assign
Click Overview in settings for your applications
Under heading 2. Set up single sign on, click Get started
Click SAML if asked
Under Basic SAML Configuration click Edit
In Identifier (Entity ID) section
Click Add identifier. In our example it is http://access.fortifiedid.se/entraidsp. This is configurable in the global parameter samlspbroker_entraid_spentityid.
In Reply URL (Assertion Consumer Service URL) section
Click Add reply URL. In our example it is https://localhost:8443/access/authn/entraid. Change localhost:8443 to your address. This value is concatenated from the global parameters default_login_location/default_login_suffix/entraid.
Under Attributes & Claims, click Edit (for this use case I have added two additional claims)
username <-> user.userPrincipalName. The default installation expects the attribute username to be set, so this might not be necessary in your configuration.
Save value for "App Federation Metadata Url"
Click Overview for your Enterprise applications
Under heading 2. Set up single sign on, click Get started
Under heading SAML Certificates (section 3)
Copy the value of App Federation Metadata Url and replace the value of the global parameter samlspbroker_entraid_metadata_url
The value looks like https://login.microsoftonline.com/xxx/federationmetadata/2007-06/federationmetadata.xml?appid=yyy, where xxx and yyy are unique values for your Entra tenant
Save value for "Microsoft Entra Identifier"
Click Overview for your Enterprise applications
Under heading 2. Set up single sign on, click Get started
Under heading Set up your app name (section 4)
Copy the value of Microsoft Entra Identifier and replace the value of the global parameter samlspbroker_entraid_target_idp
The value looks like https://sts.windows.net/zzz, where zzz is a unique value for your Entra tenant
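Before restarting the service, it is worth confirming that the three values pasted into the globals belong together, since a broker that trusts the wrong tenant's metadata will accept assertions from that tenant. The following is an added example, not Fortified ID code: it parses a constructed stand-in for the Entra federation metadata document and checks that samlspbroker_entraid_target_idp matches its entityID, that the tenant GUID in samlspbroker_entraid_metadata_url is the same tenant, that a signing certificate is present, and that the reply URL is no longer the localhost placeholder (the reply_url key and the GUIDs are assumptions for the example).

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"

# Constructed stand-in for the document Entra serves at the App Federation
# Metadata Url; the tenant GUID and certificate are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>PLACEHOLDER-CERT</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def check_broker_globals(metadata_xml, g):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    root = ET.fromstring(metadata_xml)
    idp_entity = root.get("entityID", "").rstrip("/")
    target = g["samlspbroker_entraid_target_idp"].rstrip("/")
    # The Microsoft Entra Identifier must be the entityID of the metadata the
    # broker downloads, otherwise the issuer check and the key it trusts disagree.
    if idp_entity != target:
        findings.append(f"target_idp {target!r} != metadata entityID {idp_entity!r}")
    # The tenant GUID in the metadata URL must be the one in the Entra Identifier.
    url = g["samlspbroker_entraid_metadata_url"]
    m = re.fullmatch(rf"https://login\.microsoftonline\.com/({GUID})/federationmetadata"
                     rf"/2007-06/federationmetadata\.xml\?appid={GUID}", url)
    if not m:
        findings.append("metadata_url is not an https Entra federation metadata URL")
    elif m.group(1) not in target:
        findings.append("tenant in metadata_url differs from tenant in target_idp")
    # Assertions are verified with the IdP signing certificate from the metadata.
    certs = [k for k in root.iter(f"{MD}KeyDescriptor")
             if k.get("use", "signing") == "signing"
             and k.find(f".//{DS}X509Certificate") is not None]
    if not certs:
        findings.append("no IdP signing certificate in metadata")
    if not g["samlspbroker_entraid_spentityid"]:
        findings.append("samlspbroker_entraid_spentityid is empty")
    # The reply URL entered in Entra must point at the real Access host over TLS.
    reply = g["reply_url"]
    if not reply.startswith("https://") or "localhost" in reply:
        findings.append(f"reply URL {reply!r} must be https on the Access host, not localhost")
    return findings
```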
Open a browser and browse to a site protected by the Access server. Optionally the default login URL may be used.
The selector should now be displayed, including the new option for "Microsoft Entra ID".
Select "Microsoft Entra ID"
You will be redirected to Microsoft Entra ID for authentication
After a successful authentication you will be redirected back to the Access server and finally to the selected application or the Fortified ID test application.