PhenixID

Step by Step – Microsoft Azure B2B – Direct Federation – MFA and SSO with PhenixID Authentication Services

Summary

This document guides you through the steps to enable multi-factor authentication (MFA) and single sign-on (SSO) for Microsoft Azure B2B direct federation (https://docs.microsoft.com/en-us/azure/active-directory/b2b/direct-federation), with PhenixID Authentication Services acting as the SAML identity provider.

System Requirements

  • Azure AD account with administrative rights.
  • PhenixID Authentication Services 2.7 or higher installed.

Instruction

Overview

The configuration has three parts: set up PhenixID Authentication Services as a SAML identity provider, register it in Azure AD as a direct federation identity provider, and add the Azure service-provider trust on the PhenixID side. A test procedure follows.

PhenixID Server acting as SAML IdP

  1. Login to Configuration Manager
  2. Go to Scenarios->Federation.
  3. Set up PhenixID Authentication Services as a SAML IdP using one of the scenarios.
    (If no scenario provides the desired authentication method, configure it following the documentation for the SAML authenticator.)
  4. Fetch the user's email address in the Execution Flow.
  5. Use mail as the Name ID attribute.
  6. Go to Scenarios->Federation-> <newly_added_scenario> -> Identity Provider. Deselect "Require signed requests" and save. (The Azure service-provider metadata added later in this guide carries no signing certificate, so a requirement for signed authentication requests cannot be satisfied and would fail the federation.)
  7. Click “View SAML Metadata”.
  8. Download the metadata to a xml file.
  9. Open the XML metadata file in a text editor
  10. Remove the opening <md:EntitiesDescriptor …> tag from the file.
  11. Remove the closing </md:EntitiesDescriptor> tag from the file, so that the single <md:EntityDescriptor> element becomes the document root.
  12. Save the XML file.
  13. Configuration Manager -> Scenarios -> Federation -> <Your IDP>
  14. Click Execution flow
  15. Add a PropertyAddValve to the last execution flow with these properties:
    Name = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Value = {{item.mail}}

    NB! If the mail address is collected from another attribute, replace "mail" in the value above with the name of that attribute.

  16. Move the valve to be executed before the AssertionProvider valve.
  17. Collapse the AssertionProvider valve
  18. Set these values:
    Additional attributes = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    Miscellaneous:
    "excludeSubjectNotBefore": "true",
    "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "signMessage": "false",
    "signAssertion": "true",
    "audienceRestriction": "urn:federation:MicrosoftOnline"
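Steps 7 to 12 (download the IdP metadata and strip the EntitiesDescriptor wrapper) can be done with a script, and the script can also confirm that the file carries what Azure reads from it before you upload it. The following is an added example, not PhenixID's own code: it unwraps the metadata with the standard library and extracts the entity ID, SAML endpoint and signing certificate. SAMPLE_METADATA is a constructed stand-in for the downloaded file; its entity ID, endpoint URL and certificate text are placeholders, and the preference for the HTTP-Redirect binding over HTTP-POST is an assumption made for the example.

```python
"""Unwrap PhenixID IdP metadata for upload to Azure B2B direct federation.

Added example, not PhenixID code. PhenixID exports the IdP wrapped in
<md:EntitiesDescriptor>; the file given to Azure's "Parse metadata file"
option should contain the single <md:EntityDescriptor>. Before writing the
result, the script checks that the entity carries the values Azure fills in
from it: entityID (issuer), a SingleSignOnService endpoint and a signing
certificate. SAMPLE_METADATA is constructed; all its values are placeholders.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
# Assumed preference for this example: Redirect binding first, POST as fallback.
PREFERRED_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)

# Constructed stand-in for the file downloaded in step 8 (wrapper + one IdP entity).
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" Name="phenixid">
  <md:EntityDescriptor entityID="https://idp.example.com/saml">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIC...placeholder-certificate...</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.com/saml/authenticate/azure"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.com/saml/authenticate/azure"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def unwrap_entity(metadata_xml: str) -> ET.Element:
    """Return the one EntityDescriptor, removing an EntitiesDescriptor wrapper if present."""
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{MD}}}EntityDescriptor":
        return root  # already unwrapped; nothing to do
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    entities = root.findall("md:EntityDescriptor", NS)
    if len(entities) != 1:
        raise ValueError(f"expected one EntityDescriptor, found {len(entities)}")
    return entities[0]


def azure_idp_fields(entity: ET.Element) -> dict:
    """Extract issuer, passive endpoint and signing certificate; raise if any is missing."""
    issuer = entity.get("entityID")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if not issuer or idp is None:
        raise ValueError("not an IdP entity: entityID or IDPSSODescriptor missing")
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    endpoint = next((endpoints[b] for b in PREFERRED_BINDINGS if b in endpoints), None)
    if not endpoint:
        raise ValueError("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for signing as well.
        if kd.get("use", "signing") == "signing":
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
            if cert and cert.strip():
                break
    if not cert or not cert.strip():
        raise ValueError("no signing certificate; Azure cannot verify assertions without one")
    return {"issuer": issuer, "passive_endpoint": endpoint, "certificate": "".join(cert.split())}


def unwrap_to_xml(metadata_xml: str) -> str:
    """Serialise the unwrapped entity with an XML declaration, keeping the md:/ds: prefixes."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    entity = unwrap_entity(metadata_xml)
    azure_idp_fields(entity)  # fail before writing a file Azure could not use
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(entity, encoding="unicode")


if __name__ == "__main__":
    import sys
    # Usage: python unwrap_metadata.py downloaded.xml > idp_single.xml (file names are hypothetical)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print(unwrap_to_xml(src))
```

Compare the three printed values with what Configuration Manager shows for the IdP before uploading: the certificate in particular is what Azure will use to verify the signed assertions, so a wrong or expired one fails step 6 of the test.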


Configure Azure

  1. Login to the Azure portal as an Azure admin (for your domain)
  2. Add new Identity Provider
  3. Enter values for the Identity Provider:

    1. Select SAML.
    2. Enter the domain name of the federating IdP (the email domain of the guest users, see the Test section).
    3. Select "Parse metadata file".
    4. Select the XML metadata file from the previous step.
    5-7. The remaining fields (issuer URI, passive authentication endpoint and certificate) are populated automatically from the uploaded metadata; check that they match the PhenixID IdP's entity ID, SAML endpoint and signing certificate.

    Click Add.

Add trust to Azure on PhenixID Authentication Services

  1. Open a text editor
  2. Copy the following XML and paste it into the editor. This is the service-provider metadata for Azure B2B: the entity ID is the audience set in step 18 of the IdP section, and the assertion consumer service is the Azure login endpoint.

     <?xml version="1.0" encoding="UTF-8"?>
     <EntityDescriptor entityID="urn:federation:MicrosoftOnline" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
       <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
         <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
         <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/login.srf"></AssertionConsumerService>
       </SPSSODescriptor>
     </EntityDescriptor>
  3. Save the file as azure_sp.xml.
  4. Login to configuration manager
  5. Open Scenarios->Federation->SAML Metadata upload
  6. Click the plus sign
  7. Add Azure metadata by uploading azure_sp.xml.

Test

  1. Login to the Azure portal as an Azure admin (for your domain)
  2. Add a guest user which is part of the federating IdP.
    Note that Azure requires the guest user's email address domain to match the "Domain name of the federating IdP" entered earlier (subdomains of that domain, such as a separate mail subdomain, are also accepted).

  3. The guest user will receive an email with a link.
  4. The guest user opens the link and will be redirected to the PhenixID Identity provider.
  5. Authenticate as the guest user.
  6. If authentication succeeds, the browser is redirected to Azure B2B carrying the SAML assertion.
  7. A second redirect to the PhenixID Identity Provider occurs (first login only).
  8. Redirect back to Azure B2B.
  9. The guest user should now be logged in.
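If step 6 fails, the usual cause is an assertion that does not match the AssertionProvider settings from step 18 of the IdP section or the azure_sp.xml trust added above. The following is an added troubleshooting example, not PhenixID or Microsoft code: it reads the expected audience and recipient from the azure_sp.xml content, then reports every mismatch it finds in a SAML Response (the base64-decoded SAMLResponse field of the browser's POST to login.srf, captured with the browser's developer tools). It only tests that the Assertion carries a ds:Signature element; verifying the signature needs the IdP certificate and an XML-DSig library. SAMPLE_RESPONSE is constructed for the example; its issuer, user, timestamps and signature content are placeholders.

```python
"""Compare a SAML Response from the PhenixID IdP with what Azure B2B expects.

Added troubleshooting example, not PhenixID or Microsoft code. The checks
mirror this guide's settings: signed Assertion, persistent NameID holding the
mail address, emailaddress claim, Azure audience, no NotBefore on
SubjectConfirmationData, and a mail domain under the federating domain.
SAMPLE_RESPONSE is constructed; every value in it is a placeholder.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# azure_sp.xml from the "Add trust" section.
AZURE_SP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="urn:federation:MicrosoftOnline" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/login.srf"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed response shaped by the step 18 settings; the signature content is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://login.microsoftonline.com/login.srf">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@partner.example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="https://login.microsoftonline.com/login.srf"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@partner.example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def sp_expectations(sp_metadata_xml: str) -> dict:
    """Audience and Recipient the assertion must carry, read from the SP metadata."""
    root = ET.fromstring(sp_metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {"audience": root.get("entityID"), "recipient": acs.get("Location")}


def email_domain_matches(email: str, federating_domain: str) -> bool:
    """Azure rule from the Test section: same domain as the federating IdP, or a subdomain of it."""
    domain = email.rsplit("@", 1)[-1].lower()
    fd = federating_domain.lower()
    return domain == fd or domain.endswith("." + fd)


def check_response(response_xml: str, sp_metadata_xml: str, idp_issuer: str, federating_domain: str) -> list:
    """Return a list of mismatches; an empty list means the response matches this guide's settings."""
    exp, problems = sp_expectations(sp_metadata_xml), []
    resp = ET.fromstring(response_xml)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # an EncryptedAssertion would not be readable here
        return problems + [f"expected one plaintext Assertion, found {len(assertions)}"]
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:
        problems.append("Assertion has no Signature (signAssertion must be true)")
    if (a.findtext("saml:Issuer", namespaces=NS) or "").strip() != idp_issuer:
        problems.append("Assertion Issuer differs from the IdP entityID Azure was given")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    nameid_value = (nameid.text or "").strip() if nameid is not None else ""
    if not nameid_value:
        problems.append("NameID missing (step 5: use mail as Name ID)")
    elif nameid.get("Format") != PERSISTENT:
        problems.append(f"NameID Format is {nameid.get('Format')}, expected persistent")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != exp["recipient"]:
        problems.append(f"SubjectConfirmationData Recipient is not {exp['recipient']}")
    if scd is not None and scd.get("NotBefore") is not None:
        problems.append("SubjectConfirmationData has NotBefore (set excludeSubjectNotBefore)")
    audiences = [x.text.strip() for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if x.text]
    if exp["audience"] not in audiences:
        problems.append(f"Audience {audiences} does not contain {exp['audience']}")
    email = ""
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            email = (attr.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
    if not email:
        problems.append("emailaddress claim missing (check the PropertyAddValve)")
    elif not email_domain_matches(email, federating_domain):
        problems.append(f"{email} is not under the federating domain {federating_domain}")
    return problems
```

Run check_response with the IdP entity ID you entered in Azure and the domain name of the federating IdP; each reported line names the step of this guide to revisit. An empty list does not prove the signature is valid, only that the assertion's structure matches the configuration.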

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se