...

Recently, Microsoft added a function to Conditional Access called custom controls. Custom controls allow third-party integration into Conditional Access. The third party registers an application that Microsoft allows globally, and then provides OpenID Connect (OIDC) endpoints that the Azure customer's tenant calls out to for the third party's authentication process.

...


...

SecureAuth IdP configuration steps

Create a SecureAuth IdP realm and configure it for use with Microsoft Conditional Access.

Configure Internet Information Services (IIS) for Windows Server

1. Log into your SecureAuth IdP Admin console.

...

A custom pre-authentication page is used to retrieve the user ID from Microsoft for this request. Microsoft sends an HTTP POST with the OIDC parameters and an additional parameter called id_token_hint. This parameter contains a JSON Web Token (JWT) carrying a number of claims, including the unique ID for the user and their user principal name (UPN). SecureAuth IdP must validate the JWT (signature, issuer, audience and expiry) before trusting the user identity it carries.

3. Using the IIS Manager, create an inbound rule for Conditional Access in this new realm by completing the following steps:

...


For more information about the URL rewrite rule, see the Creating Rewrite Rules for the URL Rewrite Module article, on the Microsoft website.

4. Using the IIS Manager, increase the request filtering limits for the SecureAuth realm (for example, SecureAuth3).

    1. In the IIS Manager, focus on the appropriate realm.
    2. Right-click Request Filtering and select Open Feature.
    3. Select the Query Strings tab.
    4. On the right side of the page, click Edit Feature Settings.
    5. Set Maximum URL length (Bytes) to 6144.
    6. Set Maximum query string (Bytes) to 4096.
    7. Click OK to save the changes.

Data tab settings

1. Select the Data tab.

2. Create a connection based on the data store type, such as Active Directory or SQL Server.

...

b. In the Global Aux Fields section, designate Global Aux ID 1 as Validated.

Workflow tab settings

6. Select the Workflow tab.

1. In the Login Screen Options section, set the following values:

      • Set Default Workflow to Username | Second Factor.
      • Set Public/Private Mode to Public Mode Only.

2. In the Customer Identity Consumer section, set the following values:

      • Set Receive Token to Token.
      • Leave other fields set to the default.

Multi-Factor Methods tab settings

7. Select the Multi-Factor Methods tab.

1. In the Phone Settings section, configure the Multi-Factor Authentication methods that you want enabled. The following example shows how to set the email and text (SMS) methods.

      • Set Phone Field 1 to One-Time Passcode via Phone Call and SMS.
      • Set Phone Field 2 to One-Time Passcode via Phone Call and SMS.

2. In the Email Settings section, set Email Field 1 to One-Time Passcode via HTML Email.

Post Authentication tab settings

8. Select the Post Authentication tab.

1. In the Post Authentication section, set the Authenticated User Redirect dropdown to OpenID Connect/OAuth2.

2. In the User ID Mapping section, set the following values:

      • Set User ID Mapping to Authenticated User ID. Map other parameters, if needed.
      • Set Name ID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

      • Set Encode to Base64 to False.

3. In the OpenID Connect/OAuth 2.0 – Settings section, set the following values:

      • Set Enabled to True.
      • Set Issuer to the fully qualified domain name (FQDN)/hostname of the IdP appliance, for example, idp.company.com. This host must be publicly reachable and present a valid TLS (SSL) certificate, because Microsoft fetches the realm's OIDC discovery document and keys from it.
      • Set Signing Algorithm to either RSA SHA256 (RS256) or HMAC SHA256 (HS256).
        • RSA SHA256 (RS256) is an asymmetric algorithm, which means it uses a public/private key pair. SecureAuth IdP signs with the private key and publishes the public key, which the relying party uses to validate the signature. Because the validating side never holds the signing key, RS256 is the safer choice when both are available.
        • HMAC SHA256 (HS256) is a symmetric algorithm, which means one secret key is shared between SecureAuth IdP and the relying party that validates the token (here, Microsoft). The same key creates and validates the signature, so anyone holding it can mint valid tokens. This key must be kept secret at all times.
      • Set Signing Cert to a certificate whose private key is readable by SecureAuth IdP. Do not use a wildcard certificate.
      • Set Auto Accept User Consent to True to provide a clean user experience.
      • Set Enable User Consent Storage to True to provide a clean user experience and to enable check session endpoints.
      • Set Consent Storage Attribute to the Aux ID 2 value that was mapped to a string attribute on the Data tab (for example, otherLoginWorkstations).

Leave the following fields set to the default:

        • Authorization Code Lifetime
        • Access Token Lifetime
        • Refresh Token Lifetime

4. In the OpenID Connect/OAuth 2.0 – Scopes section, select the Discoverable check box for the openid scope.

5. In the OpenID Connect/OAuth 2.0 – Clients section, click the Add Client button and set the following values:

      • Set Name to ConditionalAccess or another appropriate name.
      • Set Client ID to the appropriate client ID for this client.
      • Select the Enabled/Disabled check box to enable the client.

6. In the OpenID Connect/OAuth 2.0 - Client Details section, set the following values:

      • Set Enabled to True.
      • Set Name to ConditionalAccess or another appropriate name.
      • Set JSON Web Encryption to Disabled.
      • Leave JSON Web Key URI blank.

7. In the Allowed Flows section, set the following values:

      • Set Authorization Code to True.
      • Set Implicit to True.
      • Set Hybrid to False.
      • Set Client Credentials to False.
      • Set Resource Owner to False.
      • Set Refresh Token to True.
      • Set Introspection to True.
      • Set Revocation to True.

8. In the OpenID Connect/OAuth 2.0 - Client Redirect URIs section, click the Add Redirect URI button and set the Client Redirect URI to
https://login.microsoftonline.com/common/federation/OAuth2ClaimsProvider

9. In the OpenID Connect/OAuth 2.0 – Claims section, set the following values:

      • Set Sub to the Aux ID field that holds the userPrincipalName value, as mapped on the Data tab (in this example, Aux ID 5, where AuxID5 is mapped to otherIpPhone).
      • Select the Discoverable check box.

10. In the OpenID Connect/OAuth 2.0 – Custom Claims section, click the Add Custom Claim button and set the following values:

      • Set Claim to SecureAuthMFA.
      • Set Profile Property to Global Aux ID 1.
      • Set the Discoverable check box.

System Info tab settings

9. Select the System Info tab.

1. In the Links section at the bottom of the screen, click Click to edit Web Config file to edit the web.config file.

2. Add the following key under the <appSettings> section:

<add key="MSConditionalAccess-ProfileField" value="AuxID5" />

For information about editing the web.config file, see the System Info Tab Configuration document.
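The procedure makes two edits to the realm's web.config: the request filtering limits in step 4 (which IIS stores under system.webServer/security/requestFiltering/requestLimits) and the MSConditionalAccess-ProfileField key under appSettings in step 2 above. The following is an added example, not SecureAuth's own code, that applies both edits with the Python standard library and reads them back so the result can be checked, for example when the same change has to be made on several realms or appliances. The realm path and the sample web.config are constructed assumptions; a real realm file contains far more than this.

```python
"""Added example (not SecureAuth code): apply the two web.config changes from
this procedure to a realm's web.config and read them back to confirm."""
import pathlib
import xml.etree.ElementTree as ET

# Assumed realm path; adjust to the realm number you configured (SecureAuth3 here)
REALM_WEB_CONFIG = r"C:\inetpub\wwwroot\SecureAuth3\web.config"
PROFILE_KEY = "MSConditionalAccess-ProfileField"

# Constructed stand-in for a realm web.config; a real one has many more settings
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="ExistingSetting" value="keep-me" />
  </appSettings>
  <system.webServer>
    <security>
      <requestFiltering />
    </security>
  </system.webServer>
</configuration>
"""


def _child(parent: ET.Element, tag: str):
    """Direct child with this tag, or None (avoids ElementPath for dotted tags)."""
    return next((c for c in parent if c.tag == tag), None)


def _ensure(parent: ET.Element, tag: str) -> ET.Element:
    child = _child(parent, tag)
    return child if child is not None else ET.SubElement(parent, tag)


def configure_realm(xml_text: str, profile_field: str = "AuxID5",
                    max_url: int = 6144, max_query_string: int = 4096) -> str:
    """Idempotent: running it again on the result changes nothing."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    # System Info step 2: the appSettings key naming the Aux ID field that
    # receives the user ID taken from Microsoft's id_token_hint.
    app_settings = _ensure(root, "appSettings")
    entry = next((a for a in app_settings if a.tag == "add" and a.get("key") == PROFILE_KEY), None)
    if entry is None:
        entry = ET.SubElement(app_settings, "add", key=PROFILE_KEY)
    entry.set("value", profile_field)
    # IIS step 4: Request Filtering > Edit Feature Settings writes these two
    # attributes on requestLimits.
    limits = _ensure(_ensure(_ensure(_ensure(root, "system.webServer"), "security"),
                             "requestFiltering"), "requestLimits")
    limits.set("maxUrl", str(max_url))
    limits.set("maxQueryString", str(max_query_string))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def read_realm(xml_text: str) -> dict:
    """Read the three values back; run this after saving to verify the change."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    app_settings = _child(root, "appSettings")
    entry = None
    if app_settings is not None:
        entry = next((a for a in app_settings if a.tag == "add" and a.get("key") == PROFILE_KEY), None)
    limits = None
    node = root
    for tag in ("system.webServer", "security", "requestFiltering", "requestLimits"):
        node = _child(node, tag) if node is not None else None
    limits = node
    def _int_attr(name):
        return int(limits.get(name)) if limits is not None and limits.get(name) else None
    return {
        "profile_field": entry.get("value") if entry is not None else None,
        "maxUrl": _int_attr("maxUrl"),
        "maxQueryString": _int_attr("maxQueryString"),
    }


def apply_to_file(path: str = REALM_WEB_CONFIG) -> dict:
    """Rewrite the realm's web.config in place (keep a backup first) and return what it now holds."""
    p = pathlib.Path(path)
    p.write_text(configure_realm(p.read_text(encoding="utf-8")), encoding="utf-8")
    return read_realm(p.read_text(encoding="utf-8"))


if __name__ == "__main__":
    print(read_realm(configure_realm(SAMPLE_WEB_CONFIG)))
```

ElementTree drops XML comments and reflows whitespace, so diff the rewritten file against the backup before replacing the realm's web.config; the settings themselves are the same ones the IIS Manager and System Info tab write.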

...


Save all changes made to this configuration and exit.


...

Configure Microsoft Custom Control

Create and configure a new custom control for Microsoft Conditional Access.

...

7. Enter the JSON provided by SecureAuth Support, then click Save. (Contact SecureAuth Support per the Prerequisites steps, if you did not already request this information.)

Configure the JSON as follows:

    1. Set AppId to the ID of the SecureAuth application registered with Microsoft (the value supplied in the JSON from SecureAuth Support).
    2. Set ClientId to the Client ID of the client you created for the designated realm under the Post Authentication tab, in the OpenID Connect/OAuth 2.0 - Clients section.
    3. Set DiscoveryUrl to the OpenID Connect discovery URL (.well-known/openid-configuration) of the designated realm.

For your convenience, copy the following code snippet into the JSON file and change values appropriately:

{
   "Name": "Name for SecureAuth MFA",
   "AppId": "Microsoft data App ID",
   "ClientId": "SecureAuth ClientID",
   "DiscoveryUrl": "https://SecureAuthURL/secureauthXX/.well-known/openid-configuration",
   "Controls":
    [
       {
           "Id": "SecureAuthIdP",
           "Name": "SecureAuthIdP",
           "ClaimsRequested":
           [           
              {
                "Type": "SecureAuthMFA",
                "Value": "Validated",
                "Values": null
              }
           ]
       }
   ]
}
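The ClaimsRequested entry above is the other half of the custom claim configured in the Post Authentication tab: SecureAuth IdP returns an ID token whose sub is the UPN and whose SecureAuthMFA claim is Validated, and Microsoft accepts the control only if that claim is present with that value. The following is an added example, not SecureAuth or Microsoft code, that walks both token checks in this integration: validating the id_token_hint that Microsoft POSTs to the pre-authentication page (signature, pinned alg, issuer, audience, expiry) and extracting the UPN and object ID from it, then minting the ID token SecureAuth returns and checking it against the control's ClaimsRequested list. The issuer, client ID and keys are placeholder assumptions, and the inbound POST is constructed. Tokens here use HS256 via hmac so the example runs offline with the standard library; Microsoft's real id_token_hint is RS256 and must be verified against the keys published at the issuer's jwks_uri, which is also why the RS256 option in the realm settings keeps the signing key on the IdP only.

```python
"""Added example (not SecureAuth or Microsoft code): the id_token_hint check on
the pre-auth page and the SecureAuthMFA claim check against ClaimsRequested."""
import base64
import hashlib
import hmac
import json

# Placeholders for this example only
MS_ISSUER = "https://login.microsoftonline.com/{tenant}/v2.0"
SECUREAUTH_ISSUER = "https://idp.company.com"
CLIENT_ID = "ConditionalAccess-client-id"
MS_KEY = b"microsoft-side-secret"    # stands in for Microsoft's RS256 key
SA_KEY = b"secureauth-side-secret"   # the HS256 key configured on the realm


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign_hs256(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_verify_hs256(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Signature first, then iss/aud/exp/nbf. The alg is pinned: a token that
    announces alg=none or another algorithm is rejected, not trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    if claims.get("aud") != audience:
        raise ValueError("bad audience")
    if now >= claims.get("exp", 0):        # missing exp is treated as expired
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def user_from_id_token_hint(form: dict, now: float) -> dict:
    """What the pre-authentication page does with Microsoft's POST body."""
    claims = jwt_verify_hs256(form["id_token_hint"], MS_KEY, MS_ISSUER, CLIENT_ID, now)
    return {"upn": claims["upn"], "oid": claims["oid"], "nonce": form.get("nonce")}


def mint_secureauth_id_token(upn: str, nonce: str, now: float) -> str:
    """sub comes from the Aux ID holding the UPN; SecureAuthMFA from Global Aux ID 1."""
    claims = {"iss": SECUREAUTH_ISSUER, "aud": CLIENT_ID, "sub": upn, "nonce": nonce,
              "iat": int(now), "exp": int(now) + 300, "SecureAuthMFA": "Validated"}
    return jwt_sign_hs256(claims, SA_KEY)


def satisfies_claims_requested(claims: dict, claims_requested: list) -> bool:
    """Microsoft's check of the returned token against the control's ClaimsRequested."""
    for wanted in claims_requested:
        value = claims.get(wanted["Type"])
        ok = value in wanted["Values"] if wanted.get("Values") else value == wanted["Value"]
        if not ok:
            return False
    return True


def demo(now: float = 1_700_000_000.0) -> dict:
    # Constructed inbound POST from Microsoft to the pre-authentication page
    form = {"response_type": "id_token", "client_id": CLIENT_ID, "nonce": "n-123",
            "id_token_hint": jwt_sign_hs256({"iss": MS_ISSUER, "aud": CLIENT_ID,
                "upn": "alice@contoso.example", "oid": "0000-oid", "exp": int(now) + 600}, MS_KEY)}
    user = user_from_id_token_hint(form, now)
    id_token = mint_secureauth_id_token(user["upn"], user["nonce"], now)
    sa_claims = jwt_verify_hs256(id_token, SA_KEY, SECUREAUTH_ISSUER, CLIENT_ID, now)
    control = [{"Type": "SecureAuthMFA", "Value": "Validated", "Values": None}]
    # A hint whose payload was swapped (different UPN) must fail the signature check
    h, _, s = form["id_token_hint"].split(".")
    tampered = h + "." + _b64url(json.dumps({"upn": "admin@contoso.example"}).encode()) + "." + s
    try:
        jwt_verify_hs256(tampered, MS_KEY, MS_ISSUER, CLIENT_ID, now)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"upn": user["upn"], "sub": sa_claims["sub"],
            "satisfied": satisfies_claims_requested(sa_claims, control),
            "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(demo())
```

The ordering in jwt_verify_hs256 matters: the signature is checked before any claim is read, and the algorithm is taken from local configuration rather than from the token header, so a hint with the payload altered, or a token relabelled with a different alg, fails before its UPN is ever used to look up a user in the data store.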


...

Create a Policy

Create a Microsoft Conditional Access policy.

...