Entra External - Support for eID (SAML)

Scenario

In this scenario, Microsoft Entra External (formerly known as Azure B2C), uses Fortified ID Access (Integrity) as an external SAML IdP to support authentication using a European eID. With this setup, it's possible to use eIDs such as BankID, SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi to perform authentication (sign in) and/or sign up to Entra External. We also have a use case where Fortified ID Access acts as an OIDC OP instead.

In the use case Foreign eID is used as the eID method and the Swedish test node at Sweden Connect that host a number of test users.

Working with an External IdP there are often two things to solve:

• Sign in (authenticate to a published application)

• Sign up (create an external account in the Entra External tenant)

In this use case we will describe Sign in. When it comes to Sign up there can be several way two solve that, for example:

• The users are already created.

• Use the build in Entra Sign up.

• The added application will handle this

• Fortified ID Access handles the creation of the account.

Contact us for more information regarding Sign up.

Prerequisite

There are some prerequisite for this use case. You will need the following:

• Fortified ID Access setup with eID of your choice

  • This use case assumes that you have Fortified ID Access set up to support authentication of users with an eID.

  • You have configured Fortified ID Access as an SAML IdP

• Entra ID

  • Entra External tenant

  • Administration tenant rights, e.g. Global administrator role

• Host (DNS) name of the Fortified ID Access service (external access)

Configuration of Entra External tenant

Login to your tenant

1. Browse to https://entra.microsoft.com/

2. Login to your Entra External tenant

Add Fortified ID Access as an SAML Identity Provider (IdP)

Prerequisite

1. You need to have Fortified ID Access running with one or more eID authenticators such as BankID, Freja or Foreign ID.

2. You need the XML metadata of your Fortified ID Access IdP available.

3. You need to have your IdP available on Internet so Entra can communicate with it.

Configuration at your Entra External tenant

1. Click Identity -> External identities -> All identity providers

2. Click Custom

3. Click Add new

4. Select SAML/WS-Fed

   1. Add a display name, I will use Fortified ID Access SAML IdP

   2. Choose SAML as protocol

   3. Add the domain name of your IdP

   4. For populating metadata I selected Parse metadata file

      1. Upload your Metadatafile

      2. The three fields below should auto populate based on your metadata file.

      3. In Metadata URL add your IdP URL if available.

5. Click Save

Add a User Flow

1. Click Identity -> External identities -> User flows

2. Click New user flow

   1. Add a display name, e.g. User_flow_for_FortifiedID_eID

   2. Click checkbox for your Identity provider, in this use case dev.fortifiedid.se

   3. Add the User attributes you like to use

3. Click Create

Register your app

Note. You can skip this step if you already have added your application.

For test we will use one of the example apps that is available in Entra which will run locally on your machine.

1. Click Identity -> External identities -> Applications

2. Click App registrations

   1. Add a Name, e.g. Test FortifiedID eID app (SPA/react)

   2. Leave Supported account types default

   3. Redirect

      1. Choose Single page-application (SPA)

      2. Add value http://localhost:3000/redirect

   4. Click Register

3. On the Test FortifiedID eID app (SPA/react) settings page

   1. Click Quickstart

   2. On the Customize your sign-in experience page, leave as default. At bottom click Continue

   3. On Add your sign-in to a sample app, click Single page application (SPA).

   4. Then click React

      1. Download sample app and unzip

      2. Install Node.js

      3. Run in cmd/terminal

      Copy

      cd SPA && npm install && npm start

      1. A browser should open and a page as below should present itself. This is a really basic app with focus onlhy on sign up and sign in.

      3. Close browser and shutdown app

Add app to your User flow

1. Click Identity -> External identities -> User flows

2. Click the user flow you created earlier, User_flow_for_FortifiedID_eID

   1. Click Applications

   2. Click + Add application

   3. Select and add your application Test FortifiedID eID app (SPA/react)

   4. If you like you can run Run user flow to verify your user flow

Configuration of Fortified ID Access SAML IdP

Overview

In summary, below will explain the authentication flow when doing sign in from Entra External. (as always, there are different ways of doing this depending of conditions.)

1. Fortified ID Access SAML IdP receives the authentication request from Entra External

   1. User is authenticated using for example BankID, Freja, Foreign ID. In example below I use Foreign ID.

   2. We extract data from authentication, for example personal identification number (personnummer)

   3. We make a query to Entra using the personal identification number

      1. Do the user exits? (if not we can create the user, not explained in this use case)

      2. We assume in this use case there is a user with this personal identification number already existing.

      3. We extract the Email address of the user

   4. We add the Email to the following two attributes

      1. mail (nameid in our SAML assertion)

      2. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

   5. We make an authentication response to Entra and the user is authenticated.

Prerequisite

1. You have Fortified ID Access installed and:

   1. Configured as an SAML IdP

   2. A selector with one or more eID methods installed

   3. SAML assertion pipe configured for Entra your External tenant

Add Entra ID module

Prerequisite

1. To be able to query Entra from an application you need to register your application in Entra. (this is similar to the application registration done above but in this case it is for Fortified ID Access. To login to Entra doing the query we will use a certificate generated in entra and for the application.

We need the Entra module to query Entra ID. Replace data below with your Entra tenant data.

1. Create a file called for example entra.json

2. Drop the file into folder: /../FortifiedID\mgmt-center\data\customer\access\config\modules

3. Add data below and save file

{
    "name": "EntraID",
    "config": {
        "namespace": "tenant1",
        "client_id": "your_client_id",
        "tenant_id": "your_tenant_id",
        "keystore": {
            "path": "${system.customer_home}/resources/your_certificate.p12",
            "password": "keystore_password",
            "type": "PKCS12"
        },
        "keystore_alias": "alias_name_of_your_choice",
        "keystore_password": "keystore_password"
    }
}

Assertion Pipe including valve to query Entra

You might already have an SAML Assertion pipe. Below is an example how it could look like. Add or use as an start to create your own. In example below, here are some notes

• We store personal identification number in Entra attribute faxNumber

• We collect some attribute data. The main interest is mail

• A couple of lines are disabled. You can use them to add a mail address of a user before start to query entra to verify it works. Change value to whatever the name is of your test user.

  • Copy

    "_value": "bernt.larsson@test.local",

{
    "id": "Retrieve_data_for_SAML_response_for_MS_Entra_FortifiedID_Tenant",
    "display_name": "SAML assertion for Microsoft Entra External tenant",
    "description": "SAML assertion for Microsoft Entra External tenant",
    "config": {
        "valves": [
            {
                "name": "DumpRequest",
                "config": {
                    "label": "*** DumpRequest****"
                }
            },
            {
                "name": "DumpExports",
                "config": {
                    "label": "*** DumpExports ****"
                }
            },
            {
                "name": "EntraIDListUsers",
		"enabled": true,
                "config": {
                    "namespace": "${globals.entraid_FortifiedIDExternalTest1_namespace}",
	            "filter": "startsWith(faxNumber,'{{{exports.prid}}}')",
                    "select": "otherMails,displayName,mail,id,userPrincipalName,faxNumber",
                    "id_property": "id",
                    "min": 1,
                    "max": 2
                }
            },
            {
                "name": "DumpState",
                "config": {
                    "label": "*** DumpState ***"
                }
            },
            {
                "name": "ExportsPut",
                "enabled": true,
                "config": {
                    "name": "mail",
                    "value": "{{{item.mail}}}",
                    "_value": "bernt.larsson@test.local",
                    "replace": true
                }
            },
            {
                "name": "ExportsPut",
                "enabled": true,
                "config": {
                    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                    "value": "{{{item.mail}}}",
		    "_value": "bernt.larsson@test.local",
                    "replace": true
                }
            },
            {
                "name": "DumpExports",
                "config": {
                    "label": "*** 3 - DumpExports från DumpData Portal****"
                }
            },
            {
                "name": "DumpState",
                "config": {
                    "label": "*** DumpState ***"
                }
            }
        ]
    }
}