PingOne Advanced Identity Cloud

Ping Identity as external authentication method for Microsoft Entra ID (Azure AD)

While this PingOne Advanced Identity Cloud use case was validated for accuracy, it can always be improved. To provide feedback, click thumb_up or thumb_down in the top right of this page (you must be logged into Backstage).

Description

Estimated time to complete: 30 minutes.

In this use case, you configure Advanced Identity Cloud as an external authentication method for Microsoft Entra ID (Azure AD).

Specifically, you configure Advanced Identity Cloud as the identity provider (IdP) for Microsoft Entra ID using OIDC. This allows a user from Microsoft Entra ID to use Advanced Identity Cloud as a second factor authentication solution.

Goals

After completing this use case, you will know how to do the following:

  • Configure a custom OIDC application for SSO.

  • Configure Microsoft Entra ID to use an external authentication method.

  • Configure a custom journey for MFA purposes.

Prerequisites

Before you start work on this use case, ensure you have these prerequisites:

  • A basic understanding of:

    • The Advanced Identity Cloud admin UI

    • SSO (Federation)

    • OIDC

    • The Advanced Identity Cloud end-user UI

    • Microsoft Entra ID

  • Access to your development environment as an administrator.

  • A test Microsoft Entra ID environment with at least a P1 license.

  • An admin with the Privileged Role Administrator or Global Administrator role in Microsoft Entra ID.

  • A test user in Advanced Identity Cloud to serve as the application owner for the custom OIDC (Microsoft Entra ID) application.

  • The use case matches a user from Microsoft Entra ID to a test user in Advanced Identity Cloud. Specifically, make sure the test user’s frIndexedString1 attribute in Advanced Identity Cloud matches the Object ID attribute for the user in Microsoft Entra ID.

Tasks

This use case requires the use of third-party services. Use your environment specific details where necessary.

Task 1: Create a new OIDC web app in Advanced Identity Cloud

  1. Create a new OIDC Web App (Applications > Custom Applications > OIDC - OpenId Connect > Web) with the following config:

    Field Value

    Sign-in URLs

    https://login.microsoftonline.com/common/federation/externalauthprovider

    Grant Type

    Implicit

    Scopes

    openid

    Response Types

    id_token

    Claims

    profile

    Advanced > Authentication > Token Endpoint Authentication Method

    none

Task 2: Set up Microsoft Entra ID as the service provider

The next task is to prepare Microsoft Entra ID to serve as a service provider (SP) and use Advanced Identity Cloud as an external authentication method.

Register a new app (required)

  1. Navigate to https://entra.microsoft.com/#home.

    Microsoft Entra ID admin center
  2. In the left panel, click Applications > App registrations.

  3. Click New registration.

    Start new registration for app
  4. Complete the following fields, and click Register:

    Field Value

    Name

    <AIC-EAM-DOC>

    Supported account types

    Accounts in this organizational directory only (... - Single tenant)

    Redirect URI

    <Your AIC authorization_endpoint> https:// <your instance>.forgeblocks.com/am/oauth2/alpha/authorize

    Select a platform

    Web

    App registration filled in
  5. In the new app’s Overview page, note the UUID under Application (client) ID. You will need it to create an external authentication method.

    Overview page for app
  6. On the left, under Manage, click API permissions.

    API permissions
  7. Click Add a permission.

  8. Click APIs my organization uses.

    Request API permissions list
  9. In the search box, search for Microsoft Graph.

    Request API permissions selection
  10. In the result list, select Microsoft Graph.

  11. Select Delegated permissions.

    Delegated Permissions
  12. Under the Openid permissions section, select the openid and profile checkboxes, and click Add permissions.

    Delegated Permissions
  13. Click Grant admin consent for <your company>.

    Delegated Permissions after grant
  14. Complete the necessary steps for this task, including granting admin consent, and refresh the screen to display the updated permission status. Learn more in Grant tenant-wide admin consent to an application in the Microsoft Entra ID documentation.

    Delegated Permissions after grant successful with checks

Create a new group (if needed)

We highly recommend that you initially don’t include all users in case you encounter issues. Instead, we recommend that you use a group.

  1. In the left panel, click Identity > Groups > All groups.

    All groups
  2. Click New group, and complete the following fields:

    New Group
    Field Value

    Group type

    Security

    Group Name

    Anything you want

    Membership type

    Assigned

  3. Add a few test users, as needed.

Add a new authentication method (required)

  1. Navigate to https://entra.microsoft.com/#home.

  2. In the left panel, click Protection > Authentication methods.

    New Authentication methods - Policies
  3. Click Add external method (Preview), complete the following fields, and click Save:

    Field Value

    Name

    <Anything you want>

    Client ID

    Use the generated Application (client) ID you recorded when setting up the application in Advanced Identity Cloud

    Discovery Endpoint

    .var##<tenant-env-fqdn>##.forgeblocks.com/am/oauth2/alpha/.well-known/openid-configuration

    App ID

    Use the generated Application (client) ID you recorded when setting up the application in Advanced Identity Cloud

    Add external method (Preview)
  4. Set Include or Exclude of users/groups, as needed.

  5. Ensure that you granted admin consent from Task 2 - Register a new app, step 20. You need the Privileged Role Administrator or Global Administrator role to grant admin consent for the provider’s application.

Create new conditional access (required)

  1. Navigate to https://entra.microsoft.com/#home.

  2. In the left-hand panel, click Protection > Conditional Access.

    Conditional Access Overview
  3. Click Create new policy, and complete the following fields:

    Field Value

    Name

    <anything you want>

    Users

    You can add anyone you want, but we highly recommend that you don’t include all users at first in case you encounter issues. Instead, we recommend that you use a group. For example, the optional one created above.

    Target resources

    Apps you want to protect (My Apps for testing purposes)

    Network

    Set as needed

    Condition

    Set as needed

    Grant

    Grant access selected: Check Require multifactor authentication

    Grant

    For multiple controls: Set according to your security model

Task 3: Complete set up of Microsoft Entra ID in Advanced Identity Cloud

  1. Make a copy of the Alpha OIDC Claims Script, and add the following lines in the getComputedClaims function, right before the return:

    //MS Entra EAM
    var recievedSub = session.getProperty("eamsub");
    computedClaims.put("sub", recievedSub);
    var amrMFAUsed = session.getProperty("eam-mfa-type");
    var amrClaim = [amrMFAUsed];
    computedClaims.put("amr", amrClaim);
  2. Update your OIDC Client. From the Platform UI, navigate to Native Consoles > Access Management > Applications > OAuth 2.0 - Clients > clients > <The Client you create in the AIC Initial Setup above>.

    1. On the Core tab, complete the following fields:

      Field Value

      Redirection URIs

      https:// login.microsoftonline.com/common/federation/externalauthprovider

      Default Scope(s)

      openid profile

    2. On the Advance tab, complete the following fields:

      Field Value

      JavaScript Origins

      https://login.microsoftonline.com
      https://login.microsoftonline.com:443

      Response Types

      id_token

      Grant Types

      Implicit

      Token Endpoint Authentication Method

      None

    3. On the OAuth2 Provider Overrides tab, complete the following fields:

      Field Value

      Enable OAuth2 Provider Overrides

      Enabled

      Access Token Modification Plugin Type

      Scripted

      Access Token Modification Script

      Alpha OAuth2 Access Token Modification Script

      OIDC Claims Plugin Type

      SCRIPTED

      OIDC Claims Script

      Name of the script you created in step 1

      OIDC Claims Plugin Implementation Class

      org.forgerock.openam.oauth2.OpenAMScopeValidator

      Use Client-Side Access & Refresh Tokens

      Enabled

      Allow Clients to Skip Consent

      Enabled

      Scope Evaluation Plugin Implementation Class

      org.forgerock.openam.oauth2.OpenAMScopeValidator

      Scope Validation Plugin Type

      JAVA

      Scope Validation Plugin Implementation Class

      org.forgerock.openam.oauth2.OpenAMScopeValidator

      Authorize Endpoint Data Provider Plugin Type

      SCRIPTED

      Authorize Endpoint Data Provider Script

      OAuth2 Authorize Endpoint Data Provider Script

      Authorize Endpoint Data Provider Plugin Implementation Class

      org.forgerock.openam.oauth2.OpenAMScopeValidator

      Overrideable Id_Token Claims

      sub acr amr

  3. In the left panel, click Services.

  4. Click Add a Service.

  5. In the drop-down list, select Session Property Whitelist Service, and click Create.

  6. In the Allowlisted Session Property Names and Session Properties to return for session queries fields, enter eamsub and eam-mfa-type, and click Save Changes.

    Session Property Whitelist Service
  7. Import this journey, and update the config variable in the EAMGetLoginHint script with your EAM-specific data.

    The EAMGetLoginHint script takes the redirect from Entra with a signed JWT containing the username to auth-n in the journey.

    Learn more in Importing journeys.

This journey is only provided as an example. It isn’t configured to perform MFA.

Journey example
  1. Update the EAMGetLoginHint script within the journey with the following details:

    Field Value

    issuer

    The issuer URL in the format - https://login.microsoftonline.com/<tid>/v2.0

    For <tid>, on the left panel, navigate to Identity > Overview to find your tenant ID (TID).

    jwksJson

    The full JWKS that can be found at https://login.microsoftonline.com/<tid>/discovery/v2.0/keys

    audience

    The MS EAM App ID

    tid

    The MS EAM Tenant ID

    nodeName

    The name used for logging purposes

  2. Make sure your test user has the User principal name from MS set on the frIndexedString1 field for your test user in Advanced Identity Cloud.

  3. Navigate to the Access Management native console (Native Consoles > Access Management) and in the Advanced OpenID Connect tab, update your OAuth2 Provider by completing the following fields:

    Field Value

    Enable "claims_parameter_supported"

    True (on)

    OpenID Connect acr_values to Auth Chain Mapping

    possessionorinherence: EAM SAMPLE (my journey name)

Validation

Now that you have created and configured the EAM setup, validate the configurations:

Steps

  1. Navigate to https://myapps.microsoft.com.

  2. Enter the test user’s username and password.

  3. Select the external authentication method you set up.

  4. Select your MFA Choice (Assumption - Your Journey Administrator set up the MFA challenge).

At this point, the user should be logged into Entra.

Video of validation

The following video displays the expected flow from Microsoft Entra ID to Advanced Identity Cloud: