External - Use an eID as primary login method

Scenario

Note. In this scenario a European eID will be the primary login method. No authentication is done using Entra credentials.

Microsoft Entra External can use Fortified ID Access as an external OpenID Connect Provider (OIDC OP) to enable authentication with European eIDs or any other authentication method supported by Fortified ID Access.

With this setup, users can authenticate (sign in) or register (sign up) to Entra External using eIDs such as BankID, SITHS, EFOS, Freja eID, Norwegian ID-porten, Foreign eID (eIDAS), or Suomi.fi.

In this scenario, Entra External acts as an OIDC Relying Party (RP) and Fortified ID Access acts as the OIDC Provider (OP).


Sign-In and Sign-Up Scenarios

When integrating Entra External with an external IdP, two things need to be addressed:

  1. Sign-in – authenticating an existing federated Entra user account.

  2. Sign-up – creating a new Entra account based on external authentication.

This use case focuses only on the sign-in scenario. Note. The account that is signed up/created in Entra needs to have an attribute containing data that can be mapped from the authentication. For example, if Swedish BankID is used, the date of birth/personnummer needs to be present on the Entra user object.


Federated Accounts in Entra External

Users signing in to Entra External must have an existing federated account in Entra. When using an external IdP for authentication, the Entra account must be of the federated type.

Accounts created through Entra’s Sign-up feature while using an external IdP are automatically configured as federated.

Federated user accounts can also be created programmatically using the Microsoft Graph API.

Note: It is not possible to create federated users directly from the Entra UI.

If you already have existing native Entra External users (non-federated), you can migrate them to federated using the Graph API.

This process can also be automated using Fortified ID Automate.

Prerequisite

There are some prerequisites for this use case. You will need the following:

  • Fortified ID Access - OIDC Provider object

    • This use case assumes that you have Fortified ID Access configured to support authentication of users with an eID.

    • You have configured Fortified ID Access as an OIDC OP; note the comments below:

      • Entra requires that Enable Refresh Token and Reuse Refresh Token are enabled.

      • The following three OIDC scopes are added: openid, profile and email.

  • Fortified ID Access - OIDC Relying Party object

    • Redirect URI for Entra External. This can be a bit tricky to figure out. The way you do it is to configure the Entra External part of this use case first and then the Fortified ID Access OIDC Provider object. Then login will work at Fortified ID Access and the log file will show you the Redirect URI. There is, to our knowledge, no way to get the Redirect URI from the Entra UI. You can always reconstruct it from your tenant name and tenant ID:

      https://<tenant>.ciamlogin.com/<tenant-ID>/federation/oauth2

      (Replace <tenant> and <tenant-ID> with your values from Tenant properties.)

    • The only claims type to configure is the ID Token claims (id_token_claims). There is no need for access_token_claim or userinfo_claims.

  • Entra ID

    • Entra External tenant

    • Tenant administration rights, e.g. the Global administrator role

    • All users who will log in with an external IdP as the first method need to have the account type federated. See earlier in this use case for how users can become federated.

  • Host (DNS) name of the Fortified ID Access OP service (external access)

Configure your Entra External tenant

In summary, you create a connection to the external IdP, you create a user flow, and you register your application. The user flow is what links your application with the external IdP.

1. Log in to your tenant

  1. Browse to https://entra.microsoft.com/

  2. Log in to your Entra External tenant

2. Add Fortified ID Access as an OIDC Provider (OP)

Configure Fortified ID Access as an OIDC External OP

  1. Click Identity -> External identities -> All identity providers

  2. Click Custom

  3. Click Add new

  4. Select OpenID Connect

  5. On the Basics tab (on this tab you add the data Entra needs to find your OIDC OP). Below are example values to guide your configuration. Make sure to replace these with the actual values from your setup. You will find the necessary configuration data in two OIDC objects in Management Center for Access:

      • OIDC Provider object used by Entra

      • OIDC Relying Party object created for Entra

    1. Display Name: e.g. Fortified ID Access OIDC OP (you can choose any appropriate name)

    2. Well-Known Endpoint: from your Provider object in Access -> General -> Discovery Endpoint. Example: https://dev.fortifiedid.se/oidc/tenant1/.well-known/openid-configuration

    3. Issuer URI: open the Well-Known Endpoint URL and use the value of the issuer field in the discovery metadata. Example: https://dev.fortifiedid.se/oidc/tenant1

    4. Client ID: from your Relying Party object -> General -> Client ID. Example: test_oidc_app

    5. Client Authentication Method: Select: client_secret

    6. Client Secret: from your Relying Party object -> General -> Client Secret. Enter your configured client secret.

    7. Scope: Use: openid

    8. Response Type: Select: code

  6. On the Claims mapping tab.

    1. Keep the default claims in Entra External admin

    2. Verify on your Relying Party object -> ID Token tab that the claims match what Entra expects.

  7. Click Review the configuration

  8. Click Create
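As an added example (not part of this use case or of the Fortified ID product), a small Python check that reconstructs the Entra redirect URI from the tenant name and tenant ID and compares an OP discovery document against the prerequisites above (issuer, the scopes openid/profile/email, response type code, the refresh_token grant, client_secret authentication). The discovery document is a constructed sample; only the host and tenant path follow the page, the other endpoints are assumptions.

```python
import json

# Constructed sample discovery document. The host and tenant path follow the example
# values on this page; the remaining fields are assumptions for illustration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dev.fortifiedid.se/oidc/tenant1",
    "authorization_endpoint": "https://dev.fortifiedid.se/oidc/tenant1/authorize",
    "token_endpoint": "https://dev.fortifiedid.se/oidc/tenant1/token",
    "jwks_uri": "https://dev.fortifiedid.se/oidc/tenant1/jwks",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
})

# Scopes this use case adds on the Fortified ID Access OIDC Provider object.
REQUIRED_SCOPES = {"openid", "profile", "email"}


def entra_redirect_uri(tenant: str, tenant_id: str) -> str:
    """Redirect URI to register on the Fortified ID Access Relying Party object."""
    return f"https://{tenant}.ciamlogin.com/{tenant_id}/federation/oauth2"


def check_discovery(doc_json: str, configured_issuer: str) -> list:
    """Compare OP discovery metadata with the values Entra needs; return a list of problems."""
    doc = json.loads(doc_json)
    problems = []
    issuer = doc.get("issuer", "")
    # Entra matches the issuer string exactly, so even a trailing slash is a mismatch.
    if issuer != configured_issuer:
        problems.append(f"issuer mismatch: discovery says {issuer!r}, Entra has {configured_issuer!r}")
    if "scopes_supported" in doc:  # optional in discovery; skip the check if not advertised
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append(f"scopes missing on the OP: {sorted(missing)}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not supported")
    if "refresh_token" not in doc.get("grant_types_supported", []):
        problems.append("refresh_token grant not advertised (check Enable Refresh Token)")
    auth_methods = set(doc.get("token_endpoint_auth_methods_supported", []))
    if not auth_methods & {"client_secret_post", "client_secret_basic"}:
        problems.append("no client_secret authentication method advertised")
    return problems


if __name__ == "__main__":
    print(entra_redirect_uri("<tenant>", "<tenant-ID>"))
    print(check_discovery(SAMPLE_DISCOVERY, "https://dev.fortifiedid.se/oidc/tenant1"))
```

To use it against a live OP, fetch the Well-Known Endpoint URL and pass the response body as the first argument; an empty list means the metadata matches what this use case configures in Entra.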

3. Register your app

Note. Before you continue, you need to register your application in Entra. At the end of this document we show how to register and use one of the example apps available in Entra. See the section "Extra. Register an Entra example application".

4. Add a User Flow

  1. Click Identity -> External identities -> User flows

  2. Click New user flow

    1. Add a display name, e.g. User_flow_for_FortifiedID_eID

    2. Click checkbox for your Identity provider, in this use case dev.fortifiedid.se

    3. Add the User attributes you want to use

  3. Click Create

5. Add your application to the user flow

  1. Click Identity -> External identities -> User flows

  2. Click the user flow you created earlier, User_flow_for_FortifiedID_eID

    1. Click Applications

    2. Click + Add application

    3. Select and add your application, e.g. Test FortifiedID eID app (SPA/react)

Extra. Register an Entra example application

Note. You can skip this step if you already have added your application.

For testing we will use one of the example apps available in Entra, which will run locally on your machine.

  1. In your Entra ID External tenant

  2. Click Entra ID -> App registrations

    1. Add a Name, e.g. Test FortifiedID eID app (SPA/react)

    2. Leave Supported account types default

    3. In Redirect URI (optional)

      1. Choose Single-page application (SPA)

      2. Add value http://localhost:3000/redirect

    4. Click Register

  3. On the Test FortifiedID eID app (SPA/react) settings page

    1. Click Quickstart

    2. On the Customize your sign-in experience page, leave as default. At bottom click Continue

    3. On the Try out your sign-up experience page, leave as default. At bottom click Continue

    4. On Add your sign-in to a sample app page, click Single page application (SPA).

    5. Then click React

      1. Download sample app and unzip

      2. Install Node.js

      3. Run in cmd/terminal

        1. A browser should open and present the sample app's page. This is a really basic app focused only on sign-up and sign-in.

        2. Close the browser and shut down the app
