Protect Entra ID (Azure AD) with eID MFA
Last updated
Last updated
In this scenario, Entra ID (formerly known as Azure Active Directory), use Integrity as an EAM (external authentication method). With this setup, it's possible to use eIDs such as BankID, SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi to perform MFA authentication to Entra.
With this setup, it is also possible to use eIDs to fulfill Entra Conditional Access policies.
In the use case described below, BankID is used as the eID method.
Integrity will perform a lookup against Entra to get the value of the mfa identifier (such as social security number).
The identifier of the result of the BankID authentication will be compared to the mfa identifier value, to verify that the step-up was performed by the correct person.
! This scenario could easily be copied and modified to fulfill:
Using other eID methods for MFA, such as SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi
There are some prerequisite for this use case. You will need the following:
BankID certificate. To be able to communicate with bankid backend.
Entra ID (Azure AD) administration rights. Azure P1 license, or higher.
Host (DNS) name of the Integrity service (external access)
Social security number (personnummer) stored on the Entra ID user object. The attribute name holding the value is also required.
Outgoing TCP/443 communication. To be able to communicate with BankID backend and Entra ID services.
Open the folder where you have installed Web
Rename the customer folder to customer_OLD. Result should look like below: \..\FortifiedID\web\customer_OLD
Unzip the file
Copy the customer_WEB folder to \..\FortifiedID\web\
Rename customer_WEB to customer, result should look like: \..\FortifiedID\web\customer
In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.
First of all, open the file customer/config/globals.json. Change according to the instructions below.
base_dir
base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.
For Windows the value should be: "base_dir": "../customer"
For Docker, the value should be: "base_dir": ".",
host Set the host value to your DNS name entry, including https://. Set the oidc_op_address to the same value
http
Update the http information to map your environment. This is the port that Integrity Web will use to host the SAML IdP service. ! The recommendation is to always use SSL to encrypt the communication to Integrity Web.
keystore - https
Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.
Find in section: keystore
keystore - bankid
For connecting against BankID test environment, you don't need to do anything. For production connectivity, please use your BankID keystore and change the variables below to reflect that. Truststore changes will not be needed. Find in section: keystore
keystore - entra The keystore used for connecting to Entra ID, to perform a user lookup. For test environments, you may use the test certificate provided by us, if so you do not need to change anything. For production environments, you should use your own keystore and update the values below to point to that keystore.
keystore - oidc The keystore used to sign OpenID Connect tokens. For test environments, you may use the test certificate provided by us, if so you do not need to change anything. For production environments, you should use your own keystore and update the values below to point to that keystore.
entra The global settings for Entra will be added in a later step.
Save the globals.json file.
Start the service and verify the start by looking through the server.log file.
Login to Entra ID as an administrator
Select App Registrations
Click New Registration
Enter a name of the app registration, BankID EAM
Select Accounts in this organizational directory only (<tenant_name> only - Single tenant)
Add a redirect uri
Platform = web
Value = https://HOST/eam/authn/oidc
Change HOST to your DNS host name entry for Integrity.
Register
Click on the App Registration in the list
Select API permissions
Add these permissions:
In the Overview section, copy these values (they will be used in later steps):
Application (client) ID
Object ID
Directory (tenant) ID
Select Certificates & secrets
Select Certificates
Click Upload certificate
Select the certificate file
Click Save
Select Authentication methods
Click Add external method
Enter:
Name = BankID
Client ID = entra_mfa_client
Discovery endpoint = https://HOST/oidc/tenant1/.well-known/openid-configuration
Change HOST to your DNS host name entry for Integrity.
App ID = <The Application (client) ID value copied in previous step above.>
Save
Grant admin consent
Enable the external authentication method. For testing purposes, it is recommended to set the target only to specific test users.
Open the file customer/config/globals.json. Change according to the instructions below.
entra Set client_id = Application (client) ID copied in previous step Set tenant_id = Directory (tenant) ID copied in previous step Set mfa_identifier_attribute = The Entra user object attribute containing the social security number of the user. Example:
Save the file
Restart the Integrity service
Open a browser
Browse to a Azure resource which require MFA (such as portal.azure.com)
Enter your Entra username and password
You should now be prompted to fulfill MFA with an external method. Example:
You should be redirected to Integrity and then to Entra
Fulfill BankID authentication
You should now be redirected back to Entra. If successful, you have successfully fulfilled the MFA requirement and the Azure resource is presented.
Download the following ZIP-file, .
Extract the certificate chain from the keystore file referenced in the globals entra->ssl_keystore_path, . This should result in a certificate file that will be used in next step.
