How to configure Microsoft Azure AD (Entra ID) as an MFA External Provider
1) Lon into Azure Portal portal.azure.com;
2) Open Microsoft Entra ID;
3) On the left panel navigate to Enterprise Registrations | New Application;
4) In the Browser Microsoft Entra Gallery portal, click + Create your own application button;
5) In the Create your own application window, give it any name desired and make sure the option Integrate any other application you don't find in the gallery (Non-gallery) is selected;
Note: Microsoft may find an application with the name type, don't select any application and just click Create button.
6) After the application has been successfully created, on the left side panel click Single sing-on menu and select SAML;
7) From step 1 Basic SAML Configuration click the Edit button;
8) Under the Identifier (Entity ID), it should have the entity from the Password Manager, this information can be confirmed by either checking the Server settings from Password Manager General Settings | Secure Token Server (STS) | Server Settings | Issuer name (bottom) or downloading the RSTS SAML2 Federation Metadata https://<server>/RSTS/Saml2FedMetadata. If no configuration was changed it should show the following details urn:RSTS/identity;
9) Under the Reply URL (Assertion Consumer Service URL, it should be the Password Manager rSTS master server, such as https://servername.oneidentity.com:20000/RSTS/Login and click Save;
Here is an example of how it should be configured.
10) The Attribute & Claim does not need to be changed unless if you want to enforce a specific attribute for the authentication. Usually, UPN or mail is required;
11) From the step 3 SAML Certificate copy the App Federation Metadata Url, it will be used later in step 5 from the Password Manager side;
12) On the left panel side, click on Users and Groups and Add the users/groups that will allow them to authenticate on Password Manager using Azure;
1) Log into the Password Manager Admin portal;
2) Navigate to General Settings | Secure Token Server (STS) and click Add;
3) Under the Select Authentication provider type drop-down menu select External Federation;
4) Under the Connection Information | Realms here should be the tenant name;
Note: it is possible to have multiple tenants added, it just needs to be separated by space, sample: "tenant1.onmicrosoft.com tenant2.onmicrosoft.com tenant3.onmicrosoft.com"
5) Under the Get federation metadata from URL | Federation metadata URL paste the App Federation Metadata Url collected from step 11 part 1;
6) Make sure Always require authentication is checked and the External Federation provider is associated with the correct Active Directory at the bottom;
Here is an example of how it should be configured
7) Update the Workflow activity and select the option to use Authentication with external provider with the provider created and Choose the behavior of the authentication as Popup;
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center