Protect Entra ID (Azure AD) with eID MFA

Scenario

In this scenario, Entra ID (formerly known as Azure Active Directory), use Integrity as an EAM (external authentication method). With this setup, it's possible to use eIDs such as BankID, SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi to perform MFA authentication to Entra.

With this setup, it is also possible to use eIDs to fulfill Entra Conditional Access policies.

In the use case described below, BankID is used as the eID method.

Integrity will perform a lookup against Entra to get the value of the mfa identifier (such as social security number).

The identifier of the result of the BankID authentication will be compared to the mfa identifier value, to verify that the step-up was performed by the correct person.

! This scenario could easily be copied and modified to fulfill:

• Using other eID methods for MFA, such as SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi

Prerequisite

There are some prerequisite for this use case. You will need the following:

• BankID certificate. To be able to communicate with bankid backend.

• Entra ID (Azure AD) administration rights. Azure P1 license, or higher.

• Host (DNS) name of the Integrity service (external access)

• Social security number (personnummer) stored on the Entra ID user object. The attribute name holding the value is also required.

• Outgoing TCP/443 communication. To be able to communicate with BankID backend and Entra ID services.

Configuration

Download and extract configuration files

1. Open the folder where you have installed Web

   1. Rename the customer folder to customer_OLD. Result should look like below: \..\FortifiedID\web\customer_OLD

2. Download the following ZIP-file, use_case_entra_mfa_bankid.zip.

   1. Unzip the file

   2. Copy the customer_WEB folder to \..\FortifiedID\web\

   3. Rename customer_WEB to customer, result should look like: \..\FortifiedID\web\customer

Update configuration to map your environment

Globals

In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.

First of all, open the file customer/config/globals.json. Change according to the instructions below.

1. base_dir

   1. base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.

      1. For Windows the value should be: "base_dir": "../customer"

      2. For Docker, the value should be: "base_dir": ".",

   Copy

   "base_dir": "../customer"

2. host Set the host value to your DNS name entry, including https://. Set the oidc_op_address to the same value

   Copy

   "host": "https://be4f-194-68-171-97.ngrok-free.app",
   .
   .
   .
   "oidc_op_address": "https://be4f-194-68-171-97.ngrok-free.app"

3. http

   Update the http information to map your environment. This is the port that Integrity Web will use to host the SAML IdP service. ! The recommendation is to always use SSL to encrypt the communication to Integrity Web.

   Copy

    "http": {
               "http_port": 443,
               "http_use_ssl": true
           }

4. keystore - https

   Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.

   1. Find in section: keystore

      Copy

      "https": {
                      "ref": {
                          "path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12",
                          "password": "password"
                      },
                      "http_key_alias": "1",
                      "http_key_password": "password"
                  },

5. keystore - bankid

   For connecting against BankID test environment, you don't need to do anything. For production connectivity, please use your BankID keystore and change the variables below to reflect that. Truststore changes will not be needed. Find in section: keystore

   Copy

              "bid": {
                   "ssl_keystore_path": "${globals.base_dir}/config/resources_internal/certificates/BankID/bankid_test_rp.p12",
                   "ssl_keystore_password": "qwerty123",
                   "ssl_key_alias": "1",
                   "ssl_key_password": "qwerty123",
                   "ssl_truststore_path": "${globals.base_dir}/config//resources_internal/certificates/trust_jks/bankidtrust.jks",
                   "ssl_truststore_password": "password"
               },

6. keystore - entra The keystore used for connecting to Entra ID, to perform a user lookup. For test environments, you may use the test certificate provided by us, if so you do not need to change anything. For production environments, you should use your own keystore and update the values below to point to that keystore.

   Copy

               "entra": {
                   "ssl_keystore_path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12",
                   "ssl_keystore_password": "password"
               },

7. keystore - oidc The keystore used to sign OpenID Connect tokens. For test environments, you may use the test certificate provided by us, if so you do not need to change anything. For production environments, you should use your own keystore and update the values below to point to that keystore.

   Copy

               "oidc": {
           	    "alias": "1",
            	    "key_password": "password",
            	    "password": "password",
          		    "path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12"
               }

8. entra The global settings for Entra will be added in a later step.

Save the globals.json file.

Start the Integrity WEB service

Start the service and verify the start by looking through the server.log file.

Add Integrity as an Entra external authentication method (EAM)

Create App Registration

• Login to Entra ID as an administrator

• Select App Registrations

• Click New Registration

• Enter a name of the app registration, BankID EAM

• Select Accounts in this organizational directory only (<tenant_name> only - Single tenant)

• Add a redirect uri

  • Platform = web

  • Value = https://HOST/eam/authn/oidc

    • Change HOST to your DNS host name entry for Integrity.

• Register

• Click on the App Registration in the list

• Select API permissions

• Add these permissions:

• In the Overview section, copy these values (they will be used in later steps):

  • Application (client) ID

  • Object ID

  • Directory (tenant) ID

• Extract the certificate chain from the keystore file referenced in the globals entra->ssl_keystore_path, using this guide. This should result in a certificate file that will be used in next step.

• Select Certificates & secrets

• Select Certificates

• Click Upload certificate

• Select the certificate file

• Click Save

Add external authentication method

• Select Authentication methods

• Click Add external method

• Enter:

  • Name = BankID

  • Client ID = entra_mfa_client

  • Discovery endpoint = https://HOST/oidc/tenant1/.well-known/openid-configuration

    • Change HOST to your DNS host name entry for Integrity.

  • App ID = <The Application (client) ID value copied in previous step above.>

• Save

• Grant admin consent

• Enable the external authentication method. For testing purposes, it is recommended to set the target only to specific test users.

Update Integrity with Entra ID values

• Open the file customer/config/globals.json. Change according to the instructions below.

  1. entra Set client_id = Application (client) ID copied in previous step Set tenant_id = Directory (tenant) ID copied in previous step Set mfa_identifier_attribute = The Entra user object attribute containing the social security number of the user. Example:

  Copy

    "entra": {
              "client_id": "3d970wwc4-cb9c-yyy-xxx-55f574a7ae41",
              "tenant_id": "bf70sas0ec-fsad-456g-345-dfgdfgd43",
              "mfa_identifier_attribute": "extensionAttribute13"
          },

• Save the file

• Restart the Integrity service

Test the configuration

Login to an Entra resource with BankID as the MFA method

• Open a browser

• Browse to a Azure resource which require MFA (such as portal.azure.com)

• Enter your Entra username and password

• You should now be prompted to fulfill MFA with an external method. Example:

• You should be redirected to Integrity and then to Entra

• Fulfill BankID authentication

• You should now be redirected back to Entra. If successful, you have successfully fulfilled the MFA requirement and the Azure resource is presented.