Generate eduPersonPrincipalName (eppn) and store in Entra ID
Scenario
To make authentication to DNP work, the IdP must send an eppn value to DNP. The eppn value must be unique for each individual over time.
In this scenario, Fortified ID will automate the generation of eppn for each individual and store the value on the user object in Entra ID.
We recommend using Forms for this configuration, although it may be added to Integrity/Access as well.
NB! This scenario could easily be copied and modified to fulfil other DNP eppn scenarios, for example to store the generated value in another user data source, such as Active Directory, Google, another LDAP directory or SQL.
Prerequisite
There are some prerequisites for this use case. You will need the following:
Entra ID administration rights, including Attribute Assignment Administrator and Attribute Definition Administrator
Outgoing TCP/443 communication, to be able to communicate with Entra ID (MS Graph API).
Forms installed.
Download and add configuration
Remember that this use case does not describe installation of the product. The product is expected to be installed in advance.
Download ZIP containing configuration for Forms
Click USE_CASE_LINK to download customer folder for Forms.
Add Forms configuration to your environment.
Rename the existing customer folder to customer_ORG. Add the customer folder to your \..\fortifiedid\forms\ folder.
Update the Entra ID configuration
Create App Registration
Login to Entra ID as an administrator
Select App Registrations
Click New Registration
Enter a name of the app registration, Fortified ID eppn generator
Select Accounts in this organizational directory only (<tenant_name> only - Single tenant)
Click Register
Click on the App Registration in the list
Select API permissions
Add permissions
Microsoft Graph->Application Permissions->User.ReadWrite.All
Microsoft Graph->Application Permissions->CustomSecAttributeAssignment.Read.All
Microsoft Graph->Application Permissions->CustomSecAttributeAssignment.ReadWrite.All
In the Overview section, copy these values (they will be used in later steps):
Application (client) ID
Directory (tenant) ID
Generate a keystore in p12 format.
Name the p12 file enterprise_app_keystore.p12
Extract the certificate chain from the keystore file, using this guide. This should result in a certificate file that will be used in next step.
Select Certificates & secrets
Select Certificates
Click Upload certificate
Select the certificate file
Click Save
Add a custom security attribute for eppn (this part is only accessible from entra.microsoft.com)
Select Custom attributes
Select Add attribute set
Name the set FortifiedID
Click Add
Click Add attribute
Set Attribute name = eppn and Data type = string
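The steps above leave Entra ID with a FortifiedID attribute set containing a string attribute named eppn. As an added illustration (not Fortified ID's own code; the page does not describe how Forms derives the value), the Python below shows one way to produce a stable, unique eppn per user, keep any value already stored so it never changes over time, refuse to continue on a collision, and build the MS Graph request body that writes the value into that custom security attribute. The scope example.org, the derivation from the user's object ID and the sample users are assumptions.

```python
import re
import uuid

# Attribute set and attribute created in the Entra ID steps above.
ATTRIBUTE_SET = "FortifiedID"
ATTRIBUTE_NAME = "eppn"

# eppn is "local-part@scope"; the scope is the IdP's domain (placeholder value).
EPPN_SCOPE = "example.org"
EPPN_PATTERN = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$")


def generate_eppn(object_id: str, scope: str = EPPN_SCOPE) -> str:
    """Derive the eppn from the user's immutable Entra object ID (assumed
    scheme): a name-based UUID gives the same value for the same user every
    time, and it does not change when the person's name or UPN changes."""
    stable = uuid.uuid5(uuid.NAMESPACE_URL, f"eppn:{object_id}")
    eppn = f"{stable.hex[:16]}@{scope}"
    if not EPPN_PATTERN.match(eppn):
        raise ValueError(f"generated value is not a valid eppn: {eppn}")
    return eppn


def graph_patch_body(eppn: str) -> dict:
    """Body for PATCH https://graph.microsoft.com/v1.0/users/{id} that stores
    the value in the FortifiedID/eppn custom security attribute."""
    return {
        "customSecurityAttributes": {
            ATTRIBUTE_SET: {
                "@odata.type": "#Microsoft.DirectoryServices.CustomSecurityAttributeValue",
                ATTRIBUTE_NAME: eppn,
            }
        }
    }


def assign_all(users: list) -> dict:
    """Return {object_id: eppn}. An existing attribute value is kept untouched;
    only users without one get a generated value. Abort on any duplicate."""
    assigned = {}
    for user in users:
        current = user.get("customSecurityAttributes", {}).get(ATTRIBUTE_SET, {})
        assigned[user["id"]] = current.get(ATTRIBUTE_NAME) or generate_eppn(user["id"])
    seen = {}
    for object_id, eppn in assigned.items():
        if eppn in seen:
            raise RuntimeError(f"eppn collision: {object_id} and {seen[eppn]} share {eppn}")
        seen[eppn] = object_id
    return assigned


# Constructed sample users, not data from a real tenant.
SAMPLE_USERS = [
    {"id": "11111111-2222-3333-4444-555555555555", "userPrincipalName": "anna@example.org"},
    {"id": "66666666-7777-8888-9999-000000000000", "userPrincipalName": "bo@example.org",
     "customSecurityAttributes": {"FortifiedID": {"eppn": "keepme@example.org"}}},
]
```

Running assign_all(SAMPLE_USERS) and sending graph_patch_body(eppn) for each user that had no value is the write step; the Graph request itself needs the app registration's token and is deliberately left out so the snippet runs offline.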
Update the configuration to map to your environment
Place the file enterprise_app_keystore.p12 in the folder customer/config/resources/certificates/entra/. (Replace if a file already exists)
Open the file customer/config/globals.json. Change according to the instructions below.
EntraID
Set client_id and tenant_id to the values fetched in the previous steps (Application (client) ID and Directory (tenant) ID).
Example:
keystore->MS_Entra_ID_tenant_1
Change the password (password) to the private key password of enterprise_app_keystore.p12.
Example:
Save the file.
Test
Start the service.
Verify startup by viewing the log files. Fix any errors accordingly.
Check that your Entra ID accounts were updated with the eppn value.
NB!
The eppn automation job will run on startup and then every 10 minutes.
You can modify the schedule interval in scheduler.json. Change the cron job syntax to suit your needs; for example, the following runs the job on startup and then every 15 minutes:
"run_on_start": true,
"schedule": "0 0/15 * * * ?",