Azure AD is a Microsoft service that lets you generate attributes for a registered computer object in on-premises Active Directory. This task gives an overview of the PingFederate Azure AD registration process.
The automatic registration process with Azure AD is performed in two stages.
Stage 1: Device registration
- Using PingFederate and the Kerberos Token Processor, the device authenticates to the Azure Device Registration Service (DRS).
- PingFederate issues a token to Azure AD.
- Azure AD issues a final token for Azure DRS.
- A set of attributes is passed to Azure AD in the response token and written to the newly created Azure AD device object.
- The device generates a private/public key pair to use in a certificate signing request (CSR).
- Azure DRS obtains a certificate that authenticates the device to Azure AD.
- The device generates another private/public key pair.
- The newly created key pair binds the primary refresh token (PRT) to the physical device.
Stage 2: User registration
The main goal of this stage is to obtain a PRT, which is then used in the authentication workflows. Depending on the credentials in use, a special plug-in obtains the PRT through separate calls to Azure AD and PingFederate.
- The plug-in sends the credentials to the PingFederate Username Token Processor endpoint.
- The PingFederate server authenticates the user and sends back a WS-Trust assertion.
- Azure AD verifies the token.
- Azure AD builds a PRT with both user and device attributes.
- The PRT is returned to the Windows device.
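As a verification step added here (not part of the PingFederate documentation), the following PowerShell parses the output of Windows' dsregcmd /status on the registered device to confirm that both stages completed: a device object exists in Azure AD (stage 1) and a PRT was obtained (stage 2). The field names AzureAdJoined, DomainJoined, DeviceId and AzureAdPrt are assumed from dsregcmd's output, and the sample output is constructed.

```powershell
# Added check (not PingFederate's code): confirm stage 1 (device registration)
# and stage 2 (PRT obtained) from dsregcmd /status. Field names are assumed
# from dsregcmd's "Device State" and "SSO State" sections.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "Key : Value" lines; keep the first occurrence of each key.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $key = $Matches[1]
            if (-not $state.ContainsKey($key)) { $state[$key] = $Matches[2] }
        }
    }
    return $state
}

function Test-RegistrationStages {
    param([hashtable]$State)
    $stage1 = ($State['DomainJoined'] -eq 'YES') -and
              ($State['AzureAdJoined'] -eq 'YES') -and
              -not [string]::IsNullOrEmpty($State['DeviceId'])
    $stage2 = $State['AzureAdPrt'] -eq 'YES'
    [pscustomobject]@{
        DeviceRegistered = $stage1   # Stage 1: device object created in Azure AD
        PrtObtained      = $stage2   # Stage 2: PRT issued and bound to the device
        DeviceId         = $State['DeviceId']
    }
}

# Constructed sample standing in for dsregcmd output; on a real device use:
# $raw = dsregcmd /status
$raw = @'
| Device State |
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                  DeviceId : 00000000-0000-0000-0000-000000000000
| SSO State |
                AzureAdPrt : NO
'@ -split "`r?`n"

$result = Test-RegistrationStages -State (ConvertFrom-DsregStatus -Lines $raw)
$result | Format-List
if ($result.DeviceRegistered -and -not $result.PrtObtained) {
    Write-Warning 'Stage 1 done but no PRT: check user sign-in via the PingFederate Username Token Processor endpoint.'
}
```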