Entra ID (Azure AD) with BankID as step-up-method

Scenario

In this scenario, the web resource DNP (Digitala Nationella Prov) will be protected by a SAML IdP (Integrity Web), using Skolfederationen as the integration layer.

Entra ID will be used for primary authentication. The integration between Integrity and Entra ID is federation-based (SAML2). Entra ID will pass user attributes necessary for DNP, and also an attribute (mfa_identifier) for the step-up verification to work.

Based on data passed in the initial SAML2 authnRequest from DNP to Integrity, a decision will be automatically made if the user should be prompted for step-up-authentication (BankID).

The identifier of the result of the BankID authentication will be compared to the mfa_identifier value, to verify that the step-up was performed by the correct person.

! This scenario could easily be copied and modified to fulfill other DNP login requirements:

• Other DIGG-certified LOA3 step-up methods, such as Freja, SITHS, EFOS, AB Svenska Pass

• Other primary authentication sources, such as Google, ADFS, AD, or a combination of many primary authentication sources.

Prerequisite

There are some prerequisite for this use case. You will need the following:

• BankID certificate. To be able to communicate with bankid backend.

• Entra ID (Azure AD) administration rights.

• Host (DNS) name of the Integrity service (external access)

• Access to Skolfederationen metadata administration. To be able to upload metadata

• eduPersonPrincipalName (eppn) stored on the Entra ID user object

• Social security number (personnummer) stored on the Entra ID user object (only for teachers (lärare/skolpersonal))

• Outgoing TCP/443 communication. To be able to communicate with BankID backend and metadata services.

Configuration

Follow these steps to setup the basic configuration. Once done, perform the steps below.

Update Entra to trust Integrity

Trust need to be established between the primary IdP (Entra) and the SP (Integrity Web).

Create Enterprise application and configure SSO

• Login to Entra ID as an administrator

• Select Enterprise applications

• Click New application

• Click Create your own application

• Enter a name of the app, Skolfederationen Integrity

• Select the option Integrate any other application you don't find in the gallery (Non-gallery)

• Create

• Click on the application in the list of applications

• In the Overview section, click 1.Assign users and groups

• Allow all users access to the application

• In the Overview section, click 2.Set up single sign on

• Select SAML as the single sign-on method

• Click Edit on the Basic SAML configuration

• On the Identifier part, click Add identifier

• Enter https://<your_integrity_dns_name>/saml/authn/integrity_skolfed_broker_sp

• On the Reply URL part, click Add reply URL

• Enter https://<your_integrity_dns_name>/saml/authn/integrity_skolfed_broker_sp

• Click Save.

• Example:

• Click Edit on the Attributes & claims

• Click Add new claim

• Enter a name, urn:oid:1.3.6.1.4.1.5923.1.1.1.6

• Select the source attribute, containing the eppn value on the user object in Entra.

• Example:

• Click Save

• Click Add new claim

• Enter a name, mfa_identifier

• Expand Claim conditions

• Select User type = Any, Scoped Groups = <select groups with teachers/skolpersonal>, Source = Attribute, Value = <select the source attribute containing "personnummer">

• Example:

• Click Save

Update Integrity to trust Entra

• In the Entra ID portal, select the application created in previous step

• Select 2. Setup Single sign-on

• In section 3. SAML Certificates, copy the App Federation Metadata URL value. This will be used in a later step.

• In section 4, copy the Microsoft Entra Identifier. This will be used in a later step.

• Open the file customer/config/globals.json

• Navigate to the saml part

• Set authenticating_idp_metadata to the App Federation Metadata URL value copied in previous step. Set authenticating_idp_entityid to the Microsoft Entra Identifier value copied in previous step.

  Copy

   "saml": { 
    "authenticating_idp_metadata": "https://login.microsoftonline.com/bf70b0ec-2b39-4a8e-a8e8-e3f55f4afbd4/federationmetadata/2007-06/federationmetadata.xml?appid=3fab144b-0db9-4236-979c-afb31b04e3f8",
    "authenticating_idp_entityid" : "https://sts.windows.net/bf70b0ec-2b39-4a8e-a8e8-e3f55f4afbd4/",
    "authenticating_idp_metadata_path": ""
   },

• Restart the Integrity service

Test the configuration

Login to DNP with step-up (lärare / skolpersonal)

1. Open a browser

2. Browse to https://fidustest.skolverket.se/DNP-staging/ (DNP test environment) or https://fidustest.skolverket.se/DNP/ (DNP production environment)

3. Select Inloggning med e-legitimation

4. Select your IdP

5. You should be redirected to Integrity and then to Entra

6. If already logged in to Entra, SSO should happen, otherwise enter your Entra credentials

7. You should be redirected back to Integrity and prompted with BankID authentication

8. Fulfill BankID authentication

9. You should now be redirected back to DNP. If successful, this should be presented.

Tip. Use a SAML tracer tool for your browser to view the data added.

Login to DNP without step-up (elev)

1. Open a browser

2. Browse to https://fidustest.skolverket.se/DNP-staging/ (DNP test environment) or https://fidustest.skolverket.se/DNP/ (DNP production environment)

3. Select Inloggning utan e-legitimation

4. Select your IdP

5. You should be redirected to Integrity and then to Entra

6. If already logged in to Entra, SSO should happen, otherwise enter your Entra credentials

7. You should be redirected back to Integrity and redirected back to DNP. If successful, this should be presented.