
Overview

Microsoft has a feature in its Azure stack called Conditional Access. This feature lets Azure customers apply policies either to the login process for Office 365 or to specific apps and tiles within Office 365/Azure. Using this feature, Azure customers can restrict access to applications such as Outlook and SharePoint based on several different factors.

Recently, Microsoft added a function to Conditional Access called a custom control. Custom controls allow third-party integration into Conditional Access. The process involves having an application registered by the third party allowed globally by Microsoft, and then providing OpenID Connect (OIDC) endpoints that the Azure customer uses to call out to the third party's authorization process.



Audience

This guide is intended for administrators who need to install and configure Microsoft Conditional Access for use with SecureAuth IdP.


Prerequisites

Before configuring this integration, ensure that you have the following:

  • Administrative access to Microsoft Azure
  • A SecureAuth IdP appliance, version 9.1 or 9.2, with one or more realms configured
  • Internet Information Services (IIS) for Windows Server installed and configured on that appliance
  • The custom ASPX and code-behind pages and the custom control JSON from SecureAuth Support: contact support@secureauth.com, open a support ticket, and mention "Tailoring - Conditional Access"

 

Configuring SecureAuth IdP

To configure SecureAuth IdP for use with Microsoft Conditional Access, perform the following procedure:

  1. Log in to your SecureAuth IdP Web Admin Console.
  2. Configure the following tabs in the SecureAuth IdP Web Admin Console before configuring any other tabs:
    • Overview: Define the description of the realm and the SMTP connections.
    • Data: Integrate an enterprise directory with SecureAuth IdP.
    • Workflow: Define how users access the target.
    • Multi-Factor Methods: Define the Multi-Factor Authentication methods, if any, that are used to access the target.

The new realm is significantly customized starting with the IIS configuration steps that follow.


SecureAuth IdP configuration steps

Create a SecureAuth IdP realm and configure it for use with Microsoft Conditional Access.

Configure Internet Information Services (IIS) for Windows Server

1. Log in to your SecureAuth IdP Admin console.

2. Copy the ASPX and code-behind pages under the root of the newly defined realm, which is located in D:\SecureAuth\SecureAuthRealm_number, for example, D:\SecureAuth\SecureAuth5.

(Contact SecureAuth Support per the Prerequisites, if you have not already requested the ASPX and code-behind pages.)

A custom pre-authentication page retrieves the user ID from Microsoft for this request. Microsoft sends an HTTP POST with the OIDC parameters and an additional parameter called id_token_hint. This parameter is a JSON Web Token (JWT) carrying a number of claims, including the unique ID for the user and their user principal name (UPN). SecureAuth IdP must obtain that information and validate the JWT (signature, issuer, audience and validity window) before trusting the identifiers it carries; otherwise the realm would be acting on a user identifier supplied by whoever posted the request.
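The validation the custom page has to perform, as an added example that is not SecureAuth's MSConditionalAccess.aspx.vb. To run offline it mints the token itself with an HS256 key constructed here; a real id_token_hint is RS256-signed and its public key is resolved by kid from Microsoft's JWKS, but the order of checks and the claim checks are the same in both cases. The issuer, audience, key and claim names (upn, oid) are assumptions.

```python
"""Validate the id_token_hint that Microsoft POSTs to the custom
pre-authentication page and extract the user identifiers from it.

Added example, not SecureAuth or Microsoft code. HS256 with a constructed
key stands in for Microsoft's RS256 signature so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values (assumptions, not taken from the page).
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
EXPECTED_AUDIENCE = "<AppId from the custom control JSON>"
PINNED_ALG = "HS256"   # would be "RS256" for the real Microsoft token


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS. Demo only: stands in for Microsoft's signer."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token_hint(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Return {'upn': ..., 'oid': ...} or raise ValueError.

    Order matters: the algorithm is pinned before the signature is checked
    (so 'alg': 'none' or a swapped algorithm is rejected), the signature is
    verified before any claim is read, and only then are iss, aud and the
    validity window compared against what this realm expects.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        raise ValueError("malformed header")
    if header.get("alg") != PINNED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        raise ValueError("token not yet valid or expired")
    upn, oid = claims.get("upn"), claims.get("oid")
    if not upn or not oid:
        raise ValueError("missing upn/oid claim")
    return {"upn": upn, "oid": oid}


def outcome(token: str, key: bytes, now: int) -> str:
    """'ok' or the rejection reason, suitable for the realm's audit log."""
    try:
        validate_id_token_hint(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t = int(time.time())
    good = mint_hs256({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                       "nbf": t - 10, "exp": t + 300,
                       "upn": "jdoe@company.com", "oid": "user-object-id"}, SHARED_KEY)
    print(validate_id_token_hint(good, SHARED_KEY, t))
```

The identifiers returned by validate_id_token_hint are what the custom page writes into the writable profile field (Aux ID 5 in this configuration); nothing from the token should be written before the signature and audience checks pass.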

3. Using the IIS Manager, create an inbound rule for Conditional Access in this new realm by completing the following steps:

    1. Start the IIS Manager: open Run, type inetmgr, and press Enter.
    2. In IIS, select the Default Web Site.
    3. Under Features View, click URL Rewrite.
    4. In the Actions pane on the right, click Import Rules.
    5. Set an inbound rewrite rule under the realm folder (for example, SecureAuth3) as shown in Figure 1.

FIGURE 1. Edit Inbound Rule

The URL rewrite rule captures requests and places them on the custom page to decode the JWT that Microsoft sends over via POST. For more information about the URL rewrite rule, see the Creating Rewrite Rules for the URL Rewrite Module article on the Microsoft website.

4. Using the IIS Manager, change the query string settings for the SecureAuth realm (for example, SecureAuth3).

    1. In the IIS Manager, select the appropriate realm.
    2. Right-click Request Filtering and select Open Feature.
    3. Select the Query Strings tab.
    4. On the right side of the page, click Edit Feature Settings.
    5. Set Maximum URL length (Bytes) to 6144.
    6. Set Maximum query string (Bytes) to 4096.
    7. Click OK to save the changes.
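What steps 3 and 4 leave in the realm's web.config, as an added illustration rather than the rule shown in Figure 1. The request limits are the values this page specifies and the appSettings key is the one added under System Info tab settings; the rewrite rule's name, match pattern and condition (route POSTs to the realm root to the custom page) are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative realm web.config fragment; not SecureAuth's shipped file. -->
<configuration>
  <appSettings>
    <!-- Key from the System Info tab settings: the profile field the custom page writes -->
    <add key="MSConditionalAccess-ProfileField" value="AuxID5" />
  </appSettings>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Steps 4.5 and 4.6: room for the OIDC request and the id_token_hint -->
        <requestLimits maxUrl="6144" maxQueryString="4096" />
      </requestFiltering>
    </security>
    <rewrite>
      <rules>
        <!-- Assumed rule: a POST to the realm root is Microsoft's custom control
             callback, so hand it to the page that validates id_token_hint -->
        <rule name="ConditionalAccess" stopProcessing="true">
          <match url="^$" />
          <conditions>
            <add input="{REQUEST_METHOD}" pattern="^POST$" />
          </conditions>
          <action type="Rewrite" url="MSConditionalAccess.aspx" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The rule is scoped to the realm folder, so other realms on the appliance are untouched, and it rewrites rather than redirects, so the POST body carrying id_token_hint reaches the custom page intact.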

Data tab settings

1. Select the Data tab.

2. Create a connection based on the data store type, such as Active Directory or SQL Server.

3. In the Profile Fields section, set the following auxiliary values:

      • Aux ID 1 – userPrincipalName
      • Aux ID 2 – otherLoginWorkstations
      • Aux ID 5 – otherIpPhone, and make it writable. (This field is set by the custom pre-authentication page, MSConditionalAccess.aspx.vb.) The web.config key that points the custom page at this field is added later, under System Info tab settings.

4. In the Global Aux Fields section, set Global Aux ID 1 to Validated.

FIGURE 4. Global Aux Fields Section

Workflow tab settings

Select the Workflow tab.

1. In the Login Screen Options section, set the following values:

      • Set Default Workflow to Username | Second Factor.
      • Set Public/Private Mode to Public Mode Only.

FIGURE 5. Login Screen Options

2. In the Custom Identity Consumer section, set the following values:

      • Set Receive Token to Token.
      • Leave the other fields set to the default.

FIGURE 6. Custom Identity Consumer

Multi-Factor Methods tab settings

Select the Multi-Factor Methods tab.

1. In the Phone Settings section, configure the Multi-Factor Authentication methods that you want enabled. The following example enables the phone call, text (SMS) and email methods.

      • Set Phone Field 1 to One-Time Passcode via Phone Call and SMS.
      • Set Phone Field 2 to One-Time Passcode via Phone Call and SMS.

FIGURE 7. Phone Settings Section

2. In the Email Settings section, set Email Field 1 to One-Time Passcode via HTML Email.

FIGURE 8. Email Settings Section

Post Authentication tab settings

Select the Post Authentication tab.

1. In the Post Authentication section, set the Authenticated User Redirect dropdown to OpenID Connect/OAuth2.

2. In the User ID Mapping section, set the following values:

      • Set User ID Mapping to Authenticated User ID. Map other parameters, if needed.
      • Set Name ID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
      • Set Encode to Base64 to False.

FIGURE 9. User ID Mapping Section

3. In the OpenID Connect/OAuth 2.0 – Settings section, set the following values:

      • Set Enabled to True.
      • Set Issuer to the fully qualified domain name (FQDN)/hostname of the IdP appliance, for example, idp.company.com. This must be publicly reachable and have a valid TLS certificate, because Microsoft retrieves the discovery document from it.
      • Set Signing Algorithm to either RSA SHA256 (RS256) or HMAC SHA256 (HS256).
          • RSA SHA256 (RS256) is an asymmetric algorithm, which means it uses a public/private key pair. SecureAuth IdP signs with the private key and publishes the public key, which the relying party uses to validate the signature.
          • HMAC SHA256 (HS256) is a symmetric algorithm, which means one secret key is shared between SecureAuth IdP and the relying party. The same key creates the signature and validates it, so anyone holding the key can mint valid tokens; it must be kept secret at all times.
      • Set Signing Cert to any certificate whose private key is readable by SecureAuth IdP. Do not use a wildcard certificate.
      • Set Auto Accept User Consent to True to provide a clean user experience.
      • Set Enable User Consent Storage to True to provide a clean user experience and to enable the check session endpoints.
      • Set Consent Storage Attribute to the Aux ID 2 value that was mapped to a string attribute, for example, otherLoginWorkstations.

Leave the following fields set to the default:

      • Authorization Code Lifetime
      • Access Token Lifetime
      • Refresh Token Lifetime

4. In the OpenID Connect/OAuth 2.0 – Scopes section, select the Discoverable check box for the openid scope.

FIGURE 11. OIDC - Scopes Settings

5. In the OpenID Connect/OAuth 2.0 – Clients section, click the Add Client button and set the following values:

      • Set Name to ConditionalAccess or another appropriate name.
      • Set Client ID to the appropriate client ID for this client. This is the value that goes into the ClientId field of the custom control JSON.
      • Select the Enabled/Disabled check box.

FIGURE 12. OIDC - Clients Settings

6. In the OpenID Connect/OAuth 2.0 - Client Details section, set the following values:

      • Set Enabled to True.
      • Set Name to ConditionalAccess or another appropriate name.
      • Set JSON Web Encryption to Disabled.
      • Set JSON Web Key URI to Blank.

FIGURE: OIDC - Client Details

7. In the Allowed Flows section, set the following values:

      • Set Authorization Code to True.
      • Set Implicit to True.
      • Set Hybrid to False.
      • Set Client Credentials to False.
      • Set Resource Owner to False.
      • Set Refresh Token to True.
      • Set Introspection to True.
      • Set Revocation to True.

FIGURE 14. Allowed Flows Section

8. In the OpenID Connect/OAuth 2.0 - Client Redirect URIs section, click the Add Redirect URI button and set the Client Redirect URI to https://login.microsoftonline.com/common/federation/OAuth2ClaimsProvider. Register only this exact URI: with the authorization code and implicit flows enabled, tokens for this client are delivered to whichever redirect URI is registered here.

9. In the OpenID Connect/OAuth 2.0 – Claims section, set the following values:

      • Set Sub to the Aux ID field that holds the userPrincipalName value captured by the custom pre-authentication page: Aux ID 5, which the Data tab settings mapped to otherIpPhone.
      • Select the Discoverable check box.

FIGURE 16. OIDC - Claims Section

10. In the OpenID Connect/OAuth 2.0 – Custom Claims section, click the Add Custom Claim button and set the following values:

      • Set Claim to SecureAuthMFA.
      • Set Profile Property to Global Aux ID 1.
      • Select the Discoverable check box.

This is the claim that the custom control JSON asks Microsoft to require: the sign-in is accepted only if the id_token returned by SecureAuth IdP carries SecureAuthMFA with the value Validated that Global Aux ID 1 was set to on the Data tab. Because the realm issues the id_token only after its workflow, including the second factor, has completed, the claim is SecureAuth IdP's assertion that MFA succeeded.

FIGURE 17. OIDC - Custom Claims Section

System Info tab settings

Select the System Info tab.

1. In the Links section at the bottom of the screen, click Click to edit Web Config file to edit the web.config file.

2. Add the following key under the <appSettings> section:

<add key="MSConditionalAccess-ProfileField" value="AuxID5" />

This key points the custom pre-authentication page at the profile field it writes; keep it consistent with the writable Aux ID 5 field configured on the Data tab.

For information about editing the web.config file, see the System Info Tab Configuration document.

Save all changes made to this configuration and exit.

 


Configure Microsoft Custom Control

To create and configure a new custom control for Microsoft Conditional Access, perform the following steps.

  1. Log in to Microsoft Azure.
  2. Click Azure Active Directory in the left pane.
  3. In the Security section, click Conditional access.
  4. In the Manage section, click Custom controls.
  5. Click New custom control.
  6. In the fill-in field, enter the JSON provided by SecureAuth Support, then click Save. (Contact SecureAuth Support per the Prerequisites, if you have not already requested this information.)

FIGURE 18. Conditional Access - Custom Controls

Configure the JSON as follows:

 

    1. Set AppId to the application ID referenced by Microsoft.
    2. Set ClientId to the Client ID of the client created under the Post Authentication tab, in the OpenID Connect/OAuth 2.0 - Clients section.
    3. Set DiscoveryUrl to the OpenID configuration URL for the designated realm.

For your convenience, copy the following code snippet into the JSON file and change the values appropriately:

{
   "Name": "Name for SecureAuth MFA",
   "AppId": "Microsoft data App ID",
   "ClientId": "SecureAuth ClientID",
   "DiscoveryUrl": "https://SecureAuthURL/secureauthXX/.well-known/openid-configuration",
   "Controls":
    [
       {
           "Id": "SecureAuthIdP",
           "Name": "SecureAuthIdP",
           "ClaimsRequested":
           [           
              {
                "Type": "SecureAuthMFA",
                "Value": "Validated",
                "Values": null
              }
           ]
       }
   ]
}
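How the custom control definition and the SecureAuthMFA custom claim fit together, as an added example that is neither SecureAuth nor Microsoft code. It loads a definition in the shape shown above (with constructed placeholder values), checks the mistakes that are easy to make in it, and evaluates the ClaimsRequested against the claims of an id_token; the matching rules (Value must equal the claim exactly, Values lists acceptable alternatives) are assumptions about how Microsoft evaluates the control.

```python
"""Check a Conditional Access custom control definition and evaluate its
ClaimsRequested against the claims an id_token carries.

Added example with constructed values; the matching semantics are assumed.
"""
import json

# The page's snippet with constructed placeholder values (assumptions).
CUSTOM_CONTROL_JSON = """{
   "Name": "SecureAuth MFA",
   "AppId": "00000000-0000-0000-0000-000000000000",
   "ClientId": "secureauth-client-id",
   "DiscoveryUrl": "https://idp.company.com/secureauth5/.well-known/openid-configuration",
   "Controls": [{
       "Id": "SecureAuthIdP", "Name": "SecureAuthIdP",
       "ClaimsRequested": [{"Type": "SecureAuthMFA", "Value": "Validated", "Values": null}]
   }]
}"""


def load_control(text: str) -> dict:
    """Parse the definition and reject the mistakes that are easy to make."""
    control = json.loads(text)
    for field in ("Name", "AppId", "ClientId", "DiscoveryUrl", "Controls"):
        if not control.get(field):
            raise ValueError(f"missing {field}")
    url = control["DiscoveryUrl"]
    # Microsoft fetches this over TLS; it must be the realm's discovery document
    if not url.startswith("https://") or not url.endswith("/.well-known/openid-configuration"):
        raise ValueError("DiscoveryUrl must be the realm's HTTPS OIDC discovery document")
    for entry in control["Controls"]:
        if not entry.get("Id") or not entry.get("ClaimsRequested"):
            raise ValueError("each control needs an Id and at least one ClaimsRequested")
    return control


def definition_error(text: str) -> str:
    """'' if the definition loads, otherwise the reason."""
    try:
        load_control(text)
        return ""
    except ValueError as exc:
        return str(exc)


def unmet_claims(control: dict, token_claims: dict) -> list:
    """Claim types the id_token does not satisfy; empty means the control passes.

    Assumed semantics: 'Value' is an exact, case-sensitive match; when 'Values'
    is a list, any listed value satisfies the claim. A missing claim never does.
    """
    unmet = []
    for entry in control["Controls"]:
        for req in entry["ClaimsRequested"]:
            actual = token_claims.get(req["Type"])
            if req.get("Values") is not None:
                ok = actual in req["Values"]
            else:
                ok = actual is not None and actual == req.get("Value")
            if not ok:
                unmet.append(req["Type"])
    return unmet


if __name__ == "__main__":
    ctl = load_control(CUSTOM_CONTROL_JSON)
    # Constructed id_token claims as the realm would issue them after MFA
    print(unmet_claims(ctl, {"sub": "jdoe@company.com", "SecureAuthMFA": "Validated"}))
    print(unmet_claims(ctl, {"sub": "jdoe@company.com"}))
```

A realm whose Global Aux ID 1 is not exactly Validated, or whose SecureAuthMFA custom claim is not marked Discoverable, produces the second outcome: the control is never satisfied and every sign-in through the policy fails.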


Create a Policy

Create a Microsoft Conditional Access policy.

  1. Log in to Microsoft Azure.
  2. Click Azure Active Directory in the left pane.
  3. Click Security > Conditional Access > Policies > New Policy.

FIGURE 20. New Policy Button

  4. Specify the users, apps, and controls that you want to assign the policy to, selecting the custom control created above as the required control.

FIGURE 21. Policy Assignments

  5. When you have finished, click Save.


Test Microsoft Conditional Access with SecureAuth IdP

Test that Microsoft Conditional Access works with SecureAuth IdP. This scenario tests with Microsoft Teams, but you could also test with Outlook or Skype for Business.

  1. Log in to Microsoft Teams: https://teams.microsoft.com
  2. Enter your email address.
  3. Enter your password.
  4. Select the two-factor authentication method to use to log in to Microsoft Teams. The following example uses the text message (SMS) method.
  5. Enter the one-time passcode that was sent to you.
  6. Microsoft Teams opens if the configuration between Microsoft Conditional Access and SecureAuth IdP is successful.
    If Microsoft Teams does not open or if you receive an error message, contact SecureAuth Support.