Use Cases

Registering Azure AD devices automatically through PingFederate for Windows 10 devices

Azure AD gives a registered device an identity and authenticates it when the user signs in. Once the device is authenticated, its attributes can be used to enforce conditional access policies for applications.

The PingFederate server authenticates the user and enrolls the device in Azure AD. Combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This allows you to create conditional access rules that require devices to meet your standards for security and compliance. This configuration also works for Windows Hello for Business.

If you have an on-premises Active Directory environment, you can register your domain-joined devices with Azure AD as hybrid Azure AD joined devices, and you can configure Windows devices to register with Azure AD automatically. Windows current devices use the active STS (WS-Trust) workflow for Azure AD device registration. The required configuration differs from Windows down-level devices, which use the passive (WS-Federation) workflow for this process.

Components

PingFederate 9.3

Windows current devices are:

  • Windows 10

  • Windows Server 2016

Azure AD registration process

Azure AD is Microsoft's cloud identity service. Hybrid Azure AD join creates a device object in Azure AD for a computer object in on-premises Active Directory and populates it with attributes from the registration. This task is an overview of the PingFederate Azure AD registration process.

The automatic registration process with Azure AD is performed in two stages.

Stage 1: Device registration

Processing Steps

  1. The device authenticates to PingFederate with its Kerberos ticket through the Kerberos Token Processor and requests a token for the Azure Device Registration Service (DRS).

  2. PingFederate issues a token, which the device presents to Azure AD.

  3. Azure AD validates the token and issues a final token for Azure DRS.

  4. A set of attributes passes to Azure AD in the response token and is written to the newly created Azure AD device object.

  5. Device generates a private/public key pair to use in a certificate signing request (CSR).

  6. Azure DRS signs the CSR and returns a certificate that authenticates the device to Azure AD.

  7. Device generates another private/public key pair.

  8. The newly created key pair is used to bind the PRT to the physical device.

Stage 2: User registration

The main goal of this stage is to obtain a PRT, which is then used in the authentication workflows. Depending on the credentials in use, a Windows authentication plug-in obtains the PRT through separate calls to PingFederate and Azure AD.

Processing Steps

  1. Plug-in sends credentials to the PingFederate Username Token Processor endpoint.

  2. The PingFederate server authenticates the user and sends back a WS-Trust response containing the assertion.

  3. Azure AD verifies the token.

  4. Azure AD builds a PRT with both user and device attributes.

  5. The PRT returns to the Windows device.

Preparing Azure AD for automatic device registration

Set up a connection to Azure AD, configure the registration CNAME, and enable Azure DRS for automatic device registration.

Before you begin

  • A PingFederate server running version 8.4 or later

  • An Office 365 federated domain with the appropriate subscriptions

  • A functional WS-Federation/WS-Trust connection to Office 365 configured on the PingFederate server

  • Username and Kerberos Token Processors that are functional and in use for authenticating Office 365 users

  • Azure AD Connect running for Active Directory synchronization with Azure AD

  • The latest version of Azure AD Connect. For more information, see Azure AD Connect.

Steps

  1. Set up a service connection point (SCP) in Active Directory using one of the following methods:

    Choose from:

  2. Configure the enterprise registration CNAME record on your DNS server. The record maps enterpriseregistration.<your verified domain> to enterpriseregistration.windows.net. For more information, see Create DNS records for Office 365 using Windows-based DNS in the Microsoft product documentation.

  3. Enable Azure Device Registration Service (DRS).

    1. Open the Microsoft Azure portal.

    2. Go to Azure Active Directory → Devices → Device settings.

    3. In the Users may join devices to Azure AD field, click All.

    4. In the Users may register their devices with Azure AD field, click All. Click Save.
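The following script is an added example and is not part of the original page; it checks the two on-premises prerequisites above from a domain-joined machine: that the SCP exists in the Configuration naming context with its tenant keywords, and that the enterprise registration CNAME resolves to enterpriseregistration.windows.net. It assumes the ActiveDirectory and DnsClient modules are available, and the domain name example.com is a placeholder.

```powershell
# Added example (not from the original page): verifies the service connection
# point (SCP) in Active Directory and the enterpriseregistration CNAME record.
# Assumptions: the script runs on a domain-joined machine with the
# ActiveDirectory and DnsClient modules installed; $Domain is a placeholder.
param(
    [string]$Domain = 'example.com'   # assumed federated domain, replace with yours
)

Import-Module ActiveDirectory

# The SCP lives under a fixed, well-known container in the forest's
# Configuration naming context.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDN = "CN=62a0ff2e-97b9-4ad1-a1b0-96a2b3fd6a5f,CN=Device Registration Configuration,CN=Services,$configNC"

try {
    $scp = Get-ADObject -Identity $scpDN -Properties keywords -ErrorAction Stop
} catch {
    Write-Warning "SCP not found at $scpDN. Configure it (for example with Azure AD Connect) before continuing."
    $scp = $null
}

if ($scp) {
    # keywords must carry both azureADName:<tenant> and azureADId:<tenant id>.
    $tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    $tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    if ($tenantName -and $tenantId) {
        Write-Host "SCP OK: tenant $tenantName ($tenantId)"
    } else {
        Write-Warning "SCP exists but keywords are incomplete: $($scp.keywords -join ', ')"
    }
}

# Windows locates the registration service through this CNAME, which must
# point at the fixed Azure DRS host name.
$cname = "enterpriseregistration.$Domain"
try {
    $record = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop |
              Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    if ($record.NameHost -eq 'enterpriseregistration.windows.net') {
        Write-Host "CNAME OK: $cname -> $($record.NameHost)"
    } else {
        Write-Warning "CNAME $cname points to '$($record.NameHost)', expected enterpriseregistration.windows.net"
    }
} catch {
    Write-Warning "CNAME $cname does not resolve: $($_.Exception.Message)"
}
```

Run it from a client in the domain that will register devices, because that is the resolver path Windows itself will use; a record that resolves only from the domain controllers is not enough.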

Configuring PingFederate server

Configure the PingFederate server to register Azure Active Directory (AD) Windows 10 devices.

About this task

In a PingFederate cluster, perform the following steps on the administrative node unless a step says otherwise:

Steps

  1. Add the required attribute namespaces:

    1. Stop the PingFederate server.

    2. Go to <pf-install>/pingfederate/server/default/data/config-store.

    3. In a text editor, open the custom-name-formats.xml file.

    4. If they are not already present, add the following lines to the sts-attribute-namespaces section:

      <con:item name="http://schemas.microsoft.com/identity/claims">http://schemas.microsoft.com/identity/claims</con:item>
      <con:item name="http://schemas.microsoft.com/ws/2012/01">http://schemas.microsoft.com/ws/2012/01</con:item>
      <con:item name="http://schemas.microsoft.com/claims">http://schemas.microsoft.com/claims</con:item>
    5. Save your changes and restart the PingFederate server.

  2. In the PingFederate cluster, open the administrative console and go to Cluster Management → Replicate Cluster Configuration.

  3. Click Replicate.

  4. Configure Omit line Breaks in Digital Signatures.

    For more information see Omit line breaks in digital signatures.

    1. In a text editor, open <pf_install>/pingfederate/bin/run.properties and add the following line to the file:

      org.apache.xml.security.ignoreLineBreaks=true
    2. Save your changes and restart the PingFederate server.

      If you are running a cluster, repeat step 4 on every node: run.properties is a local file and is not replicated by Replicate Cluster Configuration.

  5. Extend the list of the LDAP binary attributes:

    1. Open the PingFederate administrative console and go to Server Configuration → Data Stores.

    2. Click LDAP data store.

    3. On the LDAP Configuration page, click Advanced.

    4. In the Binary Attribute Name field, enter objectSid and click Add. Click Save.

  6. Confirm the default token type for the WS-Trust protocol:

    1. Open the existing Office 365 SP connection.

    2. Go to SP Connection → WS-Trust STS → Protocol Settings.

    3. In the Default Token Type list, select SAML 1.1 for Office 365. Click Save.

  7. Extend the WS-Trust attribute contract:

    1. Go to SP Connection → WS-Trust STS → Token Creation - Attribute Contract.

    2. Add the following attributes and their corresponding attribute namespaces. The namespaces for the Microsoft claims come from the list you added to custom-name-formats.xml in step 1.

      Attribute name      Attribute namespace

      accounttype

      onpremobjectguid

      primarysid

      SAML_NAME_FORMAT

    3. Click Next and then click the Kerberos Token Processor instance.

  8. Extend the LDAP search for the Kerberos Token Processor:

    1. On the Attribute Sources & User Lookup tab, click the LDAP data store instance.

    2. On the LDAP Directory Search tab, add the objectSid attribute to return from search. Click Next.

      Make sure that the Base DN and Search Scope settings cover both the container with the Office 365 users and the container holding the AD computer objects of the devices intended for Azure AD registration.

    3. On the LDAP Binary Attribute Encoding Types tab, set the Attribute Encoding Type to SID for the objectSid attribute, then click Next.

    4. Confirm that the LDAP Filter includes the following:

      (|(sAMAccountName=${username})(userPrincipalName=${username}))
  9. Map the attribute contract to the values of the Kerberos Token Processor instance:

    1. Click Done and Next until you reach the Attribute Contract Fulfillment section of the Kerberos Token Processor instance.

    2. Populate the missing fields as shown in the table, then click Done. The accounttype value DJ marks the subject as a domain-joined device.

      Attribute Contract   Source   Value
      Immutable ID         LDAP     objectGUID
      TOKEN_SUBJECT        LDAP     objectGUID
      UPN                  Token    principle
      accounttype          Text     DJ
      onpremobjectguid     LDAP     objectGUID
      primarysid           LDAP     objectSid
      SAML_NAME_FORMAT     Text     urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  10. Map the attribute contract to the values of the Username Token Processor instance:

    1. Click the Username Token Processor instance, then click the Attribute Contract Fulfillment tab.

    2. Populate the missing fields as shown in the table.

    3. Click Save.

      Attribute Contract   Source   Value
      Immutable ID         LDAP     objectGUID
      TOKEN_SUBJECT        LDAP     objectGUID
      UPN                  LDAP     userPrincipalName
      accounttype          Text     N/A
      onpremobjectguid     LDAP     objectGUID
      primarysid           Text     N/A
      SAML_NAME_FORMAT     Text     urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
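The script below is an added example and is not part of the original page. It runs the LDAP filter from step 8 against Active Directory and renders the two binary attributes the way the token processors must emit them: objectSid as a SID string (primarysid, encoding type SID) and objectGUID as Base64 (Immutable ID and onpremobjectguid). Running it for one user and one computer confirms that the Base DN and Search Scope reach both kinds of object before you test a registration. The search base and the two sample account names are placeholders; run it as an account that can read the directory.

```powershell
# Added example (not from the original page): exercises the step 8 LDAP filter
# and shows the SID / Base64 encodings the attribute contract relies on.
# Assumptions: $SearchBase and $Accounts are placeholders for your environment.
param(
    [string]$SearchBase = 'DC=example,DC=com',      # assumed; must cover users AND computers
    [string[]]$Accounts  = @('jdoe', 'WS-0001$')    # assumed sample user and computer sAMAccountName
)

Add-Type -AssemblyName System.DirectoryServices

function Find-RegistrationSubject {
    param([string]$Username)

    # The filter from step 8 with ${username} substituted. The OR operator must
    # wrap both terms: (|(a)(b)), not |((a) (b)).
    $filter = "(|(sAMAccountName=$Username)(userPrincipalName=$Username))"

    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.SearchScope = 'Subtree'   # One Level would miss nested user/computer OUs
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectGUID', 'objectSid', 'userPrincipalName', 'objectClass'))

    $result = $searcher.FindOne()
    if (-not $result) { return $null }

    $props     = $result.Properties
    $guidBytes = [byte[]]$props['objectguid'][0]
    $sidBytes  = [byte[]]$props['objectsid'][0]
    # Computer objects normally have no UPN, so guard the lookup.
    $upn = if ($props['userprincipalname'].Count -gt 0) { $props['userprincipalname'][0] } else { $null }

    [pscustomobject]@{
        Path        = $result.Path
        ObjectClass = ($props['objectclass'] | Select-Object -Last 1)      # most specific class: user or computer
        UPN         = $upn
        ImmutableId = [Convert]::ToBase64String($guidBytes)               # Base64 of the raw 16-byte GUID
        PrimarySid  = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value   # S-1-5-21-...
    }
}

foreach ($account in $Accounts) {
    $subject = Find-RegistrationSubject -Username $account
    if ($subject) {
        $subject | Format-List
    } else {
        Write-Warning "'$account' not found under $SearchBase; widen the Base DN or Search Scope"
    }
}
```

If the computer account is not found while the user is, the search base or scope is the problem, not the filter: hybrid join authenticates as the machine account, so the device's own AD object must be reachable from the Kerberos Token Processor's LDAP search.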

Controlling deployment and rollout

Configure and restart your Windows 10 device to register with Azure AD.

About this task

Automatic device registration rollout and deployment for Windows current devices is done through a Group Policy.

Steps

  1. Complete the configuration steps in the Microsoft article Controlled validation of hybrid Azure AD join.

  2. Restart the device.

    Once the Group Policy applies, all domain-joined devices running Windows 10 Anniversary Update (version 1607) or later and Windows Server 2016 or later automatically register with Azure AD at device restart or user sign-in.

Verifying device registration status

Apply the Group Policy and sign in to your Windows 10 device to automatically begin the device registration.

Steps

  1. Check the Windows device status using one of the following methods:

    Choose from:

    • From a Windows PowerShell prompt, run dsregcmd.exe /status and confirm that the following fields have the corresponding values:

    • AzureAdJoined: YES

    • DomainJoined: YES

    • WorkplaceJoined: NO

    • WamDefaultSet: YES

    • AzureAdPrt: YES

      If any value differs, the device registration process has not completed. AzureAdPrt stays NO until a user has signed in after the device was registered, because the PRT is obtained in the user registration stage. For more information, see Troubleshooting hybrid Azure AD joined devices in the Microsoft Azure product documentation.

    • In the Microsoft Azure portal, go to Azure Active Directory → Devices and verify the device registration status.
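The following script is an added example and is not part of the original page. It parses the output of dsregcmd.exe /status and checks the five fields listed above, so the result can be collected from many devices (for example over PowerShell remoting) instead of being read by eye. Its only assumption is that the expected values are the ones the page gives for a hybrid Azure AD joined device.

```powershell
# Added example (not from the original page): machine-checkable version of the
# dsregcmd /status verification above.

function Get-DsregStatus {
    # dsregcmd prints "   Name : Value" lines under boxed section headers;
    # collect every such pair into a (case-insensitive) hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-HybridJoinStatus {
    param([hashtable]$Status = (Get-DsregStatus))

    # Expected state for a hybrid Azure AD joined device that holds a PRT.
    $expected = [ordered]@{
        AzureAdJoined   = 'YES'
        DomainJoined    = 'YES'
        WorkplaceJoined = 'NO'
        WamDefaultSet   = 'YES'
        AzureAdPrt      = 'YES'
    }

    $failures = foreach ($key in $expected.Keys) {
        $actual = $Status[$key]
        if ($actual -ne $expected[$key]) {
            $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
            '{0}: expected {1}, got {2}' -f $key, $expected[$key], $shown
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        DeviceId     = $Status['DeviceId']      # populated once stage 1 (device registration) succeeded
        TenantName   = $Status['TenantName']
        Registered   = (-not $failures)
        Failures     = @($failures)
    }
}

Test-HybridJoinStatus | Format-List
```

A device with DeviceId set but AzureAdPrt equal to NO has completed device registration and is failing user registration; start troubleshooting at the Username Token Processor side rather than at the SCP or CNAME.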