Prereqs for eID and Entra integration

Overview

When integrating Entra (Workforce or External) with Fortified ID Access to enable authentication using BankID or Freja, some communication-related requirements must be addressed. This use case outlines the necessary steps. You need to:

  • Define a DNS name that Entra can use to locate Fortified ID Access, e.g. https://auth.companyname.se.

  • Configure your reverse proxy to expose the URIs provided by Access.

  • Adjust your firewall rules to ensure that Entra and Access can communicate with each other, and that Access can reach the required eID services.

  • Create a keystore that Access uses to run Entra Graph API commands against Entra.

Define a DNS name for Fortified ID Access

Define a DNS name that Entra can use to locate Fortified ID Access, e.g. https://auth.companyname.se.

Configure reverse proxy

A reverse proxy should be configured in front of the Fortified ID server. The reverse proxy should terminate the TLS traffic and forward requests according to the patterns below. The following patterns should be proxied:

  • /oidc → 8443:/oidc

  • /access → 8443:/access
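The following is an added example, not configuration shipped by Fortified ID: a shell function that renders an nginx server block terminating TLS for the Access DNS name and proxying only the two documented prefixes to port 8443. nginx as the proxy, the certificate paths, the loopback backend address, and `https://` as the backend scheme are all assumptions (the page gives only the port); the forwarded `Host` and `X-Forwarded-*` headers are common practice so that an OIDC provider behind a proxy sees the public host name rather than the internal one.

```shell
#!/bin/sh
# Added example (not part of the Fortified ID documentation).
# Assumptions: nginx is the reverse proxy, Access listens with TLS on the given port on
# the same host, and the certificate paths below are placeholders to replace.
set -eu

# Print an nginx server block for $1 (public DNS name) forwarding to $2 (Access port).
render_proxy_conf() {
  host="$1"; port="$2"
  cat <<EOF
server {
    listen 443 ssl;
    server_name $host;

    ssl_certificate     /etc/nginx/tls/$host.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/$host.key;   # placeholder path

    # Preserve the public host and scheme so the OIDC OP builds correct external URLs.
    proxy_set_header Host              \$host;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;

    # Only the two documented prefixes are exposed; the full URI is passed through unchanged.
    location /oidc   { proxy_pass https://127.0.0.1:$port; }
    location /access { proxy_pass https://127.0.0.1:$port; }

    # Anything else on this host is refused rather than forwarded to Access.
    location / { return 404; }
}
EOF
}

# Write the rendered block to $3 and, when nginx is installed, syntax-check it.
write_proxy_conf() {
  render_proxy_conf "$1" "$2" > "$3"
  if command -v nginx >/dev/null 2>&1; then
    nginx -t -c "$3" || return 1
  fi
  printf '%s\n' "$3"
}

# Example invocation (writes the block for the DNS name used in this guide):
# write_proxy_conf auth.companyname.se 8443 /tmp/access-proxy.conf
```

Drop the example into the `http` context of your nginx configuration (or adapt it for another proxy); the `location /` catch-all is what keeps unlisted Access paths off the internet.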

Configure firewall/communications

Incoming:

  • 443-TCP (https) for all clients (internet and internally)

  • See also “Reverse proxy rules”

Outgoing:

  • 443-TCP OIDC, BankID API, Fortified ID software distribution (internet)

Ports may differ in the target environment. If so, please adjust.

Keystores

OIDC OP:

  • No keystore needs to be created manually for OIDC. When you add an OIDC OP in the Management Center, a keystore is automatically generated for that OP. You can, of course, replace it with a keystore you have created yourself.

Entra Graph API:

Graph API is mainly used to check whether a user exists in Entra. If the user does not exist, the user can be sent to an account request page after logging in.

  • When Fortified ID Access executes Graph API commands, it connects to Entra using an application object defined in Entra. This application object requires a PFX/P12 keystore. Create a PFX/P12 keystore to be used for this purpose.

  • Extract the certificate chain from the keystore file, using this guide. This should result in a certificate file that will be used later.
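The following is an added example, not the guide the page links to or Fortified ID's own tooling: an OpenSSL-based shell script that creates a PFX/P12 keystore for the Entra application credential and then extracts the certificate chain from it as a PEM file. The subject name, file names and password are constructed placeholders, and a self-signed certificate is assumed (replace it with one from your CA if your policy requires).

```shell
#!/bin/sh
# Added example (not part of the Fortified ID documentation).
# Assumptions: openssl is installed; key size, validity, subject and password are placeholders.
set -eu

# Create an RSA key and certificate, then bundle them into a PKCS#12 (PFX/P12) keystore.
# $1 = output directory, $2 = keystore password. Prints the keystore path.
make_entra_keystore() {
  dir="$1"; pass="$2"
  mkdir -p "$dir"
  # 2048-bit RSA key and a self-signed certificate (placeholder subject, two-year validity).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -subj "/CN=access-entra-graph.example.invalid" \
    -keyout "$dir/entra-graph.key" -out "$dir/entra-graph.crt" >/dev/null 2>&1
  # Bundle private key and certificate into the keystore that Access will use.
  openssl pkcs12 -export -inkey "$dir/entra-graph.key" -in "$dir/entra-graph.crt" \
    -name "entra-graph" -out "$dir/entra-graph.p12" -passout "pass:$pass"
  # The unbundled key is no longer needed alongside the keystore.
  rm -f "$dir/entra-graph.key"
  printf '%s\n' "$dir/entra-graph.p12"
}

# Extract every certificate (no private key) from the keystore into PEM file $3.
extract_chain() {
  store="$1"; pass="$2"; out="$3"
  openssl pkcs12 -in "$store" -nokeys -passin "pass:$pass" -out "$out" 2>/dev/null
  printf '%s\n' "$out"
}

# Print the SHA-1 fingerprint of the first certificate in a PEM file, for comparison.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Example invocation (temporary directory, placeholder password):
# d=$(mktemp -d); store=$(make_entra_keystore "$d" 'changeit')
# extract_chain "$store" 'changeit' "$d/entra-graph-chain.pem"
```

The extracted PEM file contains only certificates; compare its fingerprint with the one you upload to the Entra application object to confirm the keystore and the registered credential match.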
