Generate eduPersonPrincipalName (eppn) and store in Entra ID

Scenario

To make authentication to DNP work, the IdP must send a eppn value to DNP. The eppn value must be unique for each individial over time.

In this scenario, Fortified ID will automate the generation of eppn for each individual and store the value on the user object in Entra ID.

We recommend using Forms for this configuration, although it may be added to Integrity/Access as well.

! This scenario could easily be copied and modified to fulfill other DNP eppn scenarios.

• Store the generated value in another user data source, such as Active Directory, Google, other LDAP or SQL.

Prerequisite

There are some prerequisite for this use case. You will need the following:

• Entra ID administration rights, including Attribute Assignment Administrator and Attribute Definition Administrator

• Outgoing TCP/443 communication. To be able to communicate with Entra ID (MS Graph API).

• Forms installed.

Download and add configuration

Remember that this use case does not describe installation of the product. Product is expected to be installed in advance.

1. Download ZIP containing configuration for Forms

   1. Click to download customer folder for Forms.

2. Add Forms configuration to your environment.

   1. Rename the existing customer folder to customer_ORG. Add the customer folder to your \..\fortifiedid\forms\ folder.

Update the Entra ID configuration

Create App Registration

• Login to Entra ID as an administrator

• Select App Registrations

• Click New Registration

• Enter a name of the app registration, Fortified ID eppn generator

• Select Accounts in this organizational directory only (<tenant_name> only - Single tenant)

• Register

• Click on the App Registration in the list

• Select API permissions

• Add permissions

  • Microsoft Graph->Application Permissions->User.ReadWrite.All

  • Microsoft Graph->Application Permissions->CustomSecAttributeAssignment.Read.All

  • Microsoft Graph->Application Permissions->CustomSecAttributeAssignment.ReadWrite.All

• In the Overview section, copy these values (they will be used in later steps):

  • Application (client) ID

  • Directory (tenant) ID

• Generate a keystore in p12 format.

  • Name the p12 file enterprise_app_keystore.p12

• Select Certificates & secrets

• Select Certificates

• Click Upload certificate

• Select the certificate file

• Click Save

Add custom security attribute for eppn (this part is only accessible from entra.microsoft.com)

• Select Custom attributes

• Select Add attribute set

• Name the set FortifiedID

• Click Add

• Click Add attribute

• Set Attribute name = eppn and Data type = string

Update the configuration to map to your environment

Place the file enterprise_app_keystore.p12 in the folder customer/config/resources/certificates/entra/. (Replace if a file already exists)

Open the file customer/config/globals.json. Change according to the instructions below.

1. EntraID

Set client_id and tenant_id to the values fetched in previous steps (Application (client) ID and Directory (tenant) ID)

.

Example:

"EntraID": {
        "tenant1": {
            "namespace": "tenant1",
            "client_id": "123-123-123-123-123-123",
            "tenant_id": "456-456-456-456-456-456"
        }
    },

1. keystore->MS_Entra_ID_tenant_1

Change the password (password) to the private key password of enterprise_app_keystore.p12.

Example:

"MS_Entra_ID_tenant_1": {
            "path": "${globals.file_paths.base_dir}/config/resources/certificates/entra/enterprise_app_keystore.p12",
            "password": "Summer2024f234",
            "type": "PKCS12"
        }

Save the file.

Test

Start the service.

Verify startup by viewing the log files. Any error - fix accordingly.

Check that your Entra ID accounts were updated with the eppn value.

NB!

The eppn automation job will run on startup and then every 10 minutes.

You can modify the schema interval in scheduler.json. Change the cron job syntax to suite your needs. "run_on_start": true, "schedule": "0 0/15 * * * ?",