...

a. Scroll down to the 'Set Profile Fields' section and make the following designations:

      • Aux ID 1 – userPrincipalName
      • Aux ID 2 – otherLoginWorkstations
      • Aux ID 5 – otherIpPhone, and make it writable. (This field is written by the custom pre-authentication page, MSConditionalAccess.aspx.vb.)
      • In the Web.Config file for this realm, add the following line so the pre-authentication page knows which Aux ID to write:

<add key="MSConditionalAccess-ProfileField" value="AuxID5" />
For more on editing the Web.Config file, refer to this link.
FIGURE 3. Set Profile Fields Section

b. Scroll down to the 'Global Aux Fields' section and designate Global Aux ID 1 as Validated.

FIGURE 4. Global Aux Fields Section

8. Click the Workflow tab and perform the following tasks:

a. In the 'Login Screen Options' section, assign the following values to the designated fields:

      • Default Workflow – Username | SecondFactor
      • Public/Private Mode – Public Mode Only

FIGURE 5. Login Screen Options

b. In the 'Custom Identity Consumer' section, perform the following tasks:

      • Receive Token – Token
      • Leave other fields as default

FIGURE 6. Custom Identity Consumer

9. Click the Multi-Factor Configuration tab to bring up the Multi-Factor Configuration page and supply the following values.

a. Scroll to the 'Phone Settings' section and supply the following values to the designated fields:

      • Phone Field 1 – select One-Time Passcode via Phone Call and SMS
      • Phone Field 2 – select One-Time Passcode via Phone Call and SMS

 

FIGURE 7. Phone Settings Section

b. Scroll down to the 'Email Settings' section and supply the following value to the designated field:

      • Email Field 1 – select One-Time Passcode via HTML Email

FIGURE 8. Email Settings Section

10. Click the Post Authentication tab then supply the following values to the designated fields:

...

b. In the 'User ID Mapping' section, supply the following values:

      • User ID Mapping – select Authenticated User ID. Other parameters can be mapped instead if needed.
      • Name ID Format – select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      • Encode to Base64 – select False

FIGURE 9. User ID Mapping Section

b. Scroll down to the 'OpenID Connect/OAuth 2.0 – Settings' section and provide the following values:

      • Enable - True
      • Issuer - The FQDN/hostname of the IdP appliance. It must be publicly reachable and present a valid TLS certificate, because the relying party compares this value against the iss claim of every token it receives.
      • Signing Algorithm - Either RSASHA256 (RS256) or HMACSHA256 (HS256). RS256 signs with the private key of the Signing Cert and is verified with the IdP's public key; HS256 signs with the shared client secret, so anyone holding that secret can also mint valid tokens.
      • Signing Cert - Any certificate whose private key is readable by SecureAuth IdP. Do not use a wildcard certificate.
      • Auto Accept User Consent - True. This skips the consent prompt and gives a cleaner user experience.
      • Enable User Consent Storage - True. This gives a cleaner user experience and enables the check session endpoints.
      • Consent Storage Attribute - The Aux ID 2 that was mapped to a string attribute (for example, otherLoginWorkstations)

Leave the following default: 'Authorization Code Lifetime', 'Access Token Lifetime', 'Refresh Token Lifetime'.
Refer to Figure 10 for an example.
FIGURE 10. OIDC Settings

c. Scroll down to the 'OpenID Connect/OAuth 2.0 – Scopes' section and provide the following value:

...

d. Scroll down to the 'OpenID Connect/OAuth 2.0 – Clients' section, click the Add Client button then supply the following values:

      • Name – enter ConditionalAccess or another appropriate name
      • Client ID – supply the appropriate client ID for this client
      • Enabled/Disabled – check this box

FIGURE 12. OIDC - Clients Settings

e. Scroll down to the 'OpenID Connect/OAuth 2.0 - Client Details' section and provide the following values in the designated fields:

      • Enabled – True
      • Name – Set to an appropriate name such as ConditionalAccess
      • JSON Web Encryption – Disabled
      • JSON Web Key URI – Blank

Refer to Figure 13 for an example.
FIGURE 13. OIDC - Client Details

f. Scroll down to the 'Allowed Flows' section and provide the following values in the designated fields:

      • Authorization Code – True
      • Implicit – True
      • Hybrid – False
      • Client Credentials – False
      • Resource Owner – False
      • Refresh Token – True
      • Introspection – True
      • Revocation – True

The Implicit flow returns the ID token in the redirect response itself rather than through the token endpoint, so keep the Client Redirect URIs for this client (Step g) exact; Client Credentials and Resource Owner stay disabled because this client never authenticates on its own behalf or with a user's password.

FIGURE 14. Allowed Flows Section

g. Scroll down to the 'OpenID Connect/OAuth 2.0 - Client Redirect URIs' section and enter the redirect URI shown in Figure 15. Tokens are only ever returned to URIs in this list, so enter the exact value and nothing broader.

FIGURE 15. OIDC - Client Redirect URIs Section

h. Scroll down to the 'OpenID Connect/OAuth 2.0 – Claims' section and supply this value:

      • sub – set to the Aux ID field that holds userPrincipalName (Aux ID 1, as designated in Step 7a) and mark it as discoverable.

FIGURE 16. OIDC - Claims Section

j. Scroll down to the 'OpenID Connect/OAuth 2.0 – Custom Claims' section and assign the following values:

      • Claim – SecureAuthMFA
      • Profile Property – Global Aux ID1
      • Discoverable – Checked

An example is shown in Figure 17.
FIGURE 17. OIDC - Custom Claims Section

11. Save all changes made to this configuration and exit.
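The configuration above produces an ID token whose iss is the Issuer, whose aud is the Client ID, whose sub is the userPrincipalName from Aux ID 1, and which carries the SecureAuthMFA custom claim from Global Aux ID 1. The script below, added here as an example and not code from SecureAuth or Microsoft, shows what a relying party has to check on such a token before trusting it. It uses the HMACSHA256 (HS256) signing option with only the Python standard library; the issuer https://idp.example.com, the client ID ConditionalAccess, the shared secret and the sample claims are all constructed for the demonstration.

```python
"""Verify an ID token shaped like the one this SecureAuth IdP realm issues.

Added example, not SecureAuth or Microsoft code. Issuer, client ID, secret
and claims are constructed. HS256 is used so the script runs without any
third-party library; with RS256 the signature check would use the IdP's
public key instead of a shared secret.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values standing in for the real deployment.
ISSUER = "https://idp.example.com"            # the Issuer setting (IdP FQDN)
CLIENT_ID = "ConditionalAccess"               # Client ID from the Clients section
CLIENT_SECRET = b"constructed-shared-secret"  # HS256 key; a real one is never reused here


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    now: Optional[float] = None) -> dict:
    """Verify signature and claims; raise ValueError on any failure.

    Returns the verified claims so the caller can read sub and SecureAuthMFA.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    h_b64, p_b64, s_b64 = parts

    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: a token claiming alg=none or RS256 must never be
    # accepted by a verifier that only holds an HMAC key.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(_b64url_decode(p_b64))
    # iss must be exactly the Issuer configured on the IdP appliance.
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    # aud may be a string or a list; the configured Client ID must be in it.
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    # sub is mapped to the Aux ID holding userPrincipalName (Steps 7a and 10h).
    if not claims.get("sub"):
        raise ValueError("sub claim missing")
    # The custom claim carries Global Aux ID 1, designated Validated in Step 7b.
    if "SecureAuthMFA" not in claims:
        raise ValueError("SecureAuthMFA claim missing")
    return claims


def build_sample_token(now: float, lifetime: int = 300, **overrides) -> str:
    """Constructed sample claims in the shape this configuration emits."""
    claims = {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "sub": "jdoe@example.com",     # userPrincipalName via Aux ID 1
        "iat": int(now),
        "exp": int(now) + lifetime,
        "SecureAuthMFA": "Validated",  # Global Aux ID 1 custom claim
    }
    claims.update(overrides)
    return sign_hs256(claims, CLIENT_SECRET)


if __name__ == "__main__":
    t0 = time.time()
    good = verify_id_token(build_sample_token(t0), CLIENT_SECRET, ISSUER, CLIENT_ID, now=t0)
    print("verified", good["sub"], good["SecureAuthMFA"])
    for bad in (build_sample_token(t0, iss="https://rogue.example.net"),
                build_sample_token(t0, lifetime=-1),
                build_sample_token(t0)[:-4] + "AAAA"):   # tampered signature
        try:
            verify_id_token(bad, CLIENT_SECRET, ISSUER, CLIENT_ID, now=t0)
        except ValueError as e:
            print("rejected:", e)
```

The algorithm pin is the check most often missing in hand-rolled verifiers: if the verifier accepts whatever alg the header names, a token with alg set to none, or an RS256 public key fed into an HMAC routine, can pass. The issuer comparison is exact, which is why the Issuer setting above has to match the FQDN the relying party is given.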

 

Configuring Microsoft Custom Control

...