Integrating EntraID with RapidIdentity for SSO
23 Jul 2024


EntraID WS-FED AND WS-TRUST CONFIGURATION


Note: this document is in Preview mode, and its content is subject to change.

This document describes the steps necessary to configure RapidIdentity as the Identity Provider (IdP) for EntraID (Azure Active Directory), and the steps necessary to configure EntraID (Azure Active Directory) as a service provider application (relying party) of the RapidIdentity IdP.
RAPIDIDENTITY

The RapidIdentity configuration is for the most part static. Below are the key items, along with a Federation Partner export that was used in a successful implementation of WS-Fed and WS-Trust.

  1. Name

    1. The name is required, but there are no hard requirements on what it needs to be.

  2. Realm ID

    1. The Realm ID needs to be urn:federation:MicrosoftOnline.

  3. Attributes

    1. immutableID and UPN are required, and their values must match what is present in Azure. For example, if my UPN is lskywalker@email.com and my immutableID is 1234 in Azure, I need to map those values to RapidIdentity attributes. In the export below, lskywalker@email.com resides in the mail attribute and 1234 resides in the idautoID attribute within RapidIdentity.

    2. Attribute namespaces are also required for successful configuration. Below are the two that will be needed:

      1. UPN - http://schemas.xmlsoap.org/claims

      2. immutableID - http://schemas.microsoft.com/LiveID/Federation/2008/05

  4. WS-Trust

    1. WS-Trust must be enabled if passwords are to be used when logging on to Windows devices. It allows users to authenticate to Windows devices using their RapidIdentity password.

    2. In WS-Trust, Microsoft sends a username token. RapidIdentity takes this token and looks the user up within RapidIdentity. If that lookup fails, the Windows device reports an incorrect username or password when the user tries to log on with their RapidIdentity password.

This WS-Federation RapidIdentity Federation Partner Configuration can be imported into RapidIdentity by going to Configuration -> Security -> Identity Providers -> Federation Partners and selecting the import button at the bottom of the page.
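The items above boil down to a few properties of the token the IdP issues: the audience must equal the Realm ID, and the UPN and immutableID claims must be present under their exact namespaces with values that match Azure. The following PowerShell function is an added example, not part of the RapidIdentity product or of this article's Federation Partner export: it inspects a SAML 1.1 assertion and reports whether those properties hold, plus whether the token's validity window covers the instant being checked. The assertion it runs against is a constructed sample that reuses the lskywalker@email.com / 1234 values from above; the function name and its output shape are this example's own. It checks claim content only and does not verify the XML signature.

```powershell
function Test-WsFedTokenClaims {
    param(
        [Parameter(Mandatory)][string]$AssertionXml,
        # Instant to evaluate the Conditions window at; defaults to the current UTC time
        [datetimeoffset]$Now = [datetimeoffset]::UtcNow
    )

    # Values required by items 2 and 3 of the RapidIdentity configuration above
    $expectedAudience = 'urn:federation:MicrosoftOnline'
    $upnNamespace     = 'http://schemas.xmlsoap.org/claims'
    $immutableIdNs    = 'http://schemas.microsoft.com/LiveID/Federation/2008/05'

    [xml]$doc = $AssertionXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')

    # Returns the value of the first attribute whose name (compared case-insensitively) and namespace match
    function Get-ClaimValue([string]$Name, [string]$Namespace) {
        foreach ($attr in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
            if ($attr.AttributeName -eq $Name -and $attr.AttributeNamespace -eq $Namespace) {
                $value = $attr.SelectSingleNode('saml:AttributeValue', $ns)
                if ($value) { return $value.InnerText }
            }
        }
        return $null
    }

    $problems = @()

    # The Audience must equal the Realm ID, or EntraID will not accept the token for the domain
    $audience = $doc.SelectSingleNode('//saml:Audience', $ns)
    $audienceText = if ($audience) { $audience.InnerText } else { '' }
    if ($audienceText -ne $expectedAudience) {
        $problems += "Audience is '$audienceText', expected '$expectedAudience'"
    }

    # Both claims must be present under their exact namespaces and must carry a value
    $upn = Get-ClaimValue -Name 'UPN' -Namespace $upnNamespace
    if ([string]::IsNullOrWhiteSpace($upn)) { $problems += "UPN claim missing or empty under $upnNamespace" }

    $immutableId = Get-ClaimValue -Name 'ImmutableID' -Namespace $immutableIdNs
    if ([string]::IsNullOrWhiteSpace($immutableId)) { $problems += "ImmutableID claim missing or empty under $immutableIdNs" }

    # Validity window: clock skew on the IdP yields tokens EntraID rejects even when the claims are right
    $conditions = $doc.SelectSingleNode('//saml:Conditions', $ns)
    if ($conditions) {
        $notBefore    = [datetimeoffset]::Parse($conditions.NotBefore, [cultureinfo]::InvariantCulture)
        $notOnOrAfter = [datetimeoffset]::Parse($conditions.NotOnOrAfter, [cultureinfo]::InvariantCulture)
        if ($Now -lt $notBefore -or $Now -ge $notOnOrAfter) {
            $problems += "Token is not valid at $($Now.ToString('u')); window is $notBefore to $notOnOrAfter"
        }
    } else {
        $problems += 'Conditions element is missing'
    }

    [pscustomobject]@{
        Upn         = $upn
        ImmutableId = $immutableId
        Valid       = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Constructed sample assertion for demonstration only; IDs, times and values are made up
$sampleAssertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-sample" Issuer="https://ricloud.dev-rapididentity.com/idp" IssueInstant="2024-07-23T12:00:00Z">
  <saml:Conditions NotBefore="2024-07-23T11:55:00Z" NotOnOrAfter="2024-07-23T13:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>1234</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>lskywalker@email.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
      <saml:AttributeValue>1234</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

# Evaluate at an instant inside the sample's window; omit -Now to check against the current time
Test-WsFedTokenClaims -AssertionXml $sampleAssertion -Now ([datetimeoffset]'2024-07-23T12:00:00Z')
```

To run this against a real token, capture the form post that the browser sends back to EntraID during a WS-Fed sign-in, HTML-decode the wresult field, and pass the saml:Assertion element it contains. A failing UPN or ImmutableID check here explains most "account does not exist" errors at the EntraID side, while a failing Audience check points at the Realm ID in the Federation Partner configuration.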

EntraID

The following will walk through the configuration of EntraID to successfully configure WS-Fed and WS-Trust with RapidIdentity as the IdP.

Considerations when Federating EntraID

One third-party Identity Provider per EntraID domain:

EntraID supports federation with a single provider at the domain level, so administrators can designate only one Identity Provider for all federated logins on a given domain. To preserve the existing EntraID workflows that users rely on while still providing education-friendly logon workflows, a primary-domain plus subdomain deployment in EntraID is recommended if Conditional Access or other EntraID authentication features are to be used. Best Practice: For a seamless end-user experience in environments with Azure MFA

Domain Federation to utilize RapidIdentity as the IdP

The following is a command to run in PowerShell to federate EntraID to RapidIdentity using WS-Fed:

# Sign in to EntraID with an administrator account (prompts for credentials)
Connect-MsolService

# Replace each <placeholder> with your values; every URI points at the RapidIdentity IdP,
# and the signing certificate is the base64 body of the IdP's PEM certificate without the BEGIN/END lines
Set-MsolDomainAuthentication `
-DomainName <Azure Domain to Federate> `
-Authentication Federated `
-ActiveLogOnUri https://<RapidIdentity Cloud URL>/idp/profile/wsfed `
-FederationBrandName RapidIdentity `
-IssuerUri https://<RapidIdentity Cloud URL>/idp `
-LogOffUri https://<RapidIdentity Cloud URL>/idp/logout `
-MetadataExchangeUri https://<RapidIdentity Cloud URL>/idp/profile/wstrust/mex `
-PassiveLogOnUri https://<RapidIdentity Cloud URL>/idp/profile/wsfed `
-PreferredAuthenticationProtocol WsFed `
-PromptLoginBehavior NativeSupport `
-SigningCertificate <RapidIdentity Cloud PEM Signing Certificate>

# Read the federation settings back to confirm they were applied
Get-MsolDomainFederationSettings -DomainName <Azure Domain> | Format-List *

An example of the above is:

Connect-MsolService

Set-MsolDomainAuthentication `
-DomainName "dev-rapididentity.com" `
-Authentication "Federated" `
-ActiveLogOnUri "https://ricloud.dev-rapididentity.com/idp/profile/wsfed" `
-FederationBrandName "RapidIdentity" `
-IssuerUri "https://ricloud.dev-rapididentity.com/idp" `
-LogOffUri "https://ricloud.dev-rapididentity.com/idp/logout" `
-MetadataExchangeUri "https://ricloud.dev-rapididentity.com/idp/profile/wstrust/mex" `
-PassiveLogOnUri "https://ricloud.dev-rapididentity.com/idp/profile/wsfed" `
-PreferredAuthenticationProtocol "WsFed" `
-PromptLoginBehavior "NativeSupport" `
-SigningCertificate "MIIDIDCCAgigAwIBAgIGAXpeb7vlMA0GCSqGSIb3DQEBCwUAMC8xLTArBgNVBAMM JFJhcGlkSWRlbnRpdHkgU0FNTCBJZGVudGl0eSBQcm92aWRlcjAeFw0yMTA2MzAx OTQwMThaFw00NjA2MzAxOTQwMThaMC8xLTArBgNVBAMMJFJhcGlkSWRlbnRpdHkg U0FNTCBJZGVudGl0eSBQcm92aWRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAJviobGZ16JsHBWSjkiLnfiJbjvRc7A+BbNHKQXSVDB90QGXoHgazm7k OVQaJTUOrcPJBAT1bwA8pPjSISmvzZtEEntQnaSt3Q7tR1oCmxWoa4eVncM3n5Vl Tw0fp4ScIX1URQqWlxDhL6hCtHbtkd/gPHCeS/kikIn/BBg7nHoljoet2VN3bC3h 0UmApHd8zAIaG9KeR5t5UWsR3coR5v797w5EN4P6xsZlxBW0OfGr5KjvyuYKgGSU CPFuT0sP+4tJX2hA7XNmayf8NM6jI8apkt45tQ+XtdUH9Fn/58n/NzsgL5Cs41jq xs6GdjiluU9GWdTetU39uXybeFS/uYMCAwEAAaNCMEAwHQYDVR0OBBYEFAEjBl5G R6yCHdQJwvxUZX1HsEQpMB8GA1UdIwQYMBaAFAEjBl5GR6yCHdQJwvxUZX1HsEQp MA0GCSqGSIb3DQEBCwUAA4IBAQBwgG6KKMQWCZVrOQoTWoGVcSRbz9piz/hwL1HC f/UOIZSb8UwXlLUWfOVbxPQE3Qf5meAtLq6BuQZlbmGxUJcveYdODaGUlKAjmDLi KLuIXgP5C6XZhWiTQRWL5DuodLUAXJC5tp2IobJjQ852JfYtWEYCXkjE2GLOkPSy vgxvJzkwgxrRlSO63fpwDcW3Hn+NM0dmuYJt0GU0DwRkLXd3z6ibJp70cuU6wXXJ GTtyczvIR5u+gfdgfdgfdgfdgfddgf JB4dhjfkdwlfkelc"

Get-MsolDomainFederationSettings -DomainName "dev-rapididentity.com" | Format-List *

To use these commands, install the MSOnline module in PowerShell with Install-Module MSOnline. Connect-MsolService opens a window in which you enter the administrator credentials for your EntraID domain. Open PowerShell as an administrator so that all commands run with administrator rights.

Note

If the domain already has a federation configuration, it must be removed first by converting the domain back to managed authentication with the following command:

Set-MsolDomainAuthentication -DomainName <YourO365Domain.com> -Authentication Managed
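After federating the domain, and again after any later change, it is worth comparing what EntraID reports against the values you intended, because these settings decide which IdP and which signing certificate EntraID trusts to issue tokens for the domain. The function below is an added example, not RapidIdentity's or Microsoft's code: it wraps the same Get-MsolDomainFederationSettings cmdlet used above, derives the expected URIs from the RapidIdentity Cloud host name, decodes the configured signing certificate to report its thumbprint and expiry, and optionally fetches the WS-Trust MEX endpoint. The function name, its parameters, and the assumption that the MEX endpoint answers with a WSDL document are this example's own. Microsoft has since marked the MSOnline module for retirement in favour of Microsoft Graph PowerShell, where Get-MgDomainFederationConfiguration reads the same settings, so the comparison can be re-pointed there when you migrate.

```powershell
function Test-RapidIdentityFederation {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # Host name of the RapidIdentity Cloud tenant, e.g. ricloud.dev-rapididentity.com
        [Parameter(Mandatory)][string]$RapidIdentityHost,
        # Optional SHA-1 thumbprint of the IdP signing certificate you expect to be configured
        [string]$ExpectedThumbprint,
        # Also fetch the MEX endpoint to confirm WS-Trust metadata is being served
        [switch]$CheckMex
    )

    # Expected values mirror the Set-MsolDomainAuthentication parameters used above
    $base = "https://$RapidIdentityHost/idp"
    $expected = [ordered]@{
        IssuerUri                       = $base
        ActiveLogOnUri                  = "$base/profile/wsfed"
        PassiveLogOnUri                 = "$base/profile/wsfed"
        LogOffUri                       = "$base/logout"
        MetadataExchangeUri             = "$base/profile/wstrust/mex"
        PreferredAuthenticationProtocol = 'WsFed'
        FederationBrandName             = 'RapidIdentity'
    }

    # Assumes Connect-MsolService has already been run in this session
    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName
    $problems = @()

    foreach ($name in $expected.Keys) {
        $actual = [string]($settings.$name)
        if ($actual -ne $expected[$name]) {
            $problems += "${name}: expected '$($expected[$name])', found '$actual'"
        }
    }

    # The signing certificate is the key EntraID trusts for this domain, so its identity and expiry
    # matter as much as the URIs. FromBase64String tolerates the whitespace a wrapped PEM body carries.
    $thumbprint = $null
    if ([string]::IsNullOrWhiteSpace($settings.SigningCertificate)) {
        $problems += 'SigningCertificate is empty'
    } else {
        try {
            $raw  = [Convert]::FromBase64String($settings.SigningCertificate)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
            $thumbprint = $cert.Thumbprint
            if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
                $problems += "SigningCertificate thumbprint $($cert.Thumbprint) does not match expected $ExpectedThumbprint"
            }
            if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
                $problems += "SigningCertificate expires on $($cert.NotAfter)"
            }
        } catch {
            $problems += "SigningCertificate is not a valid base64 X.509 certificate: $($_.Exception.Message)"
        }
    }
    # A second certificate is legitimate during a planned rollover; otherwise it deserves a look
    if (-not [string]::IsNullOrWhiteSpace($settings.NextSigningCertificate)) {
        $problems += 'NextSigningCertificate is set; confirm a certificate rollover is in progress'
    }

    # WS-Trust (Windows device logon) depends on EntraID being able to read the IdP's MEX document
    if ($CheckMex) {
        try {
            $resp = Invoke-WebRequest -Uri $settings.MetadataExchangeUri -UseBasicParsing
            [xml]$mex = $resp.Content
            if ($mex.DocumentElement.LocalName -ne 'definitions') {
                $problems += 'MEX endpoint responded, but not with a WSDL document'
            }
        } catch {
            $problems += "MEX endpoint $($settings.MetadataExchangeUri) unreachable: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Domain     = $DomainName
        Thumbprint = $thumbprint
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage, with the sample domain from the walkthrough above:
# Connect-MsolService
# Test-RapidIdentityFederation -DomainName 'dev-rapididentity.com' -RapidIdentityHost 'ricloud.dev-rapididentity.com' -CheckMex
```

Record the Thumbprint value from a known-good run and pass it as -ExpectedThumbprint on later runs; a changed thumbprint, an unexpected NextSigningCertificate, or a URI pointing anywhere other than your RapidIdentity host means the domain's federation trust has been altered and should be investigated before users are affected.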


EntraID Joined Devices

Devices can be joined to EntraID in two ways: through the Windows Out-Of-The-Box Experience (OOBE), or through Windows Settings > Accounts > Access work or school > Connect > Join this device to Azure Active Directory. The former is used for new devices and the latter for existing devices. For more information, see the article on joining your work device to your work or school network. If federation has been configured correctly, you will be presented with the RapidIdentity IdP page to authenticate and join the device.

Logging on with Web Sign-in

Intune-managed devices now support federated web sign-in, which allows the RapidIdentity IdP to be used for Windows logons on EntraID-joined devices. This enables a seamless login experience for users and also allows for passwordless workflows.

Device Requirements:

See the web sign-in documentation for device requirements and for federated authentication workflows in education with EntraID.







