PingOne Advanced Identity Cloud

Ping Identity as external authentication method for Microsoft Entra ID (Azure AD)

Description

Estimated time to complete: 45 minutes.

In this use case, you configure Advanced Identity Cloud as an external authentication method for Microsoft Entra ID (formerly Azure AD) using OIDC. This lets a user from Microsoft Entra ID use Advanced Identity Cloud as a second-factor authentication solution.

Goals

After completing this use case, you’ll know how to do the following:

  • Configure a custom OIDC application for SSO

  • Configure Microsoft Entra ID to use an external authentication method (EAM)

  • Configure a custom journey for multi-factor authentication (MFA) purposes

Before you begin

Before you start work on this use case, ensure you have these prerequisites:

  • A basic understanding of:

    • SSO and federation

    • OIDC

    • Microsoft Entra ID

    • JavaScript

  • Access to your Advanced Identity Cloud development environment as a tenant administrator.

  • A test Microsoft Entra ID environment with at least a P1 license. Learn more in Microsoft Entra licensing options.

  • An administrator with the Privileged Role Administrator or Global Administrator role in Microsoft Entra ID.

  • A test user in Advanced Identity Cloud to serve as the application owner for the custom OIDC (Microsoft Entra ID) application.

  • A test end user. The use case matches a user from Microsoft Entra ID to a test user in Advanced Identity Cloud. Specifically, the user must have the same username and password in both systems.

Tasks

This use case requires the use of third-party services. Use your environment-specific details where necessary.

Task 1: Create a new OIDC web application in Advanced Identity Cloud

  1. In the Advanced Identity Cloud admin console, go to Applications > Custom Application > OIDC - OpenId Connect > Web.

  2. Create an application with the following configuration:

    Sign-in URLs: https://login.microsoftonline.com/common/federation/externalauthprovider
    Grant Types: Implicit
    Scopes: openid
    Access > Response Types: id_token
    Access > Claims: profile
    Authentication > Token Endpoint Authentication Method: None

Task 2: Set up Microsoft Entra ID as the service provider

In this task, you prepare Microsoft Entra ID to serve as a service provider (SP) and use Advanced Identity Cloud as an external authentication method.

Learn more about setting up Microsoft Entra ID to integrate with an external method in the Microsoft Entra product documentation.

Register a new app

  1. In a browser, navigate to the Microsoft Entra admin center.

  2. Click Applications and then click App registrations.

  3. In the top toolbar, click New registration.

  4. Complete the following fields:

    Name: The app name (for example, AIC-EAM-DOC)
    Supported account types: Select Accounts in this organizational directory only (... - Single tenant)
    Redirect URI: Your Advanced Identity Cloud authorization endpoint. For example, https://<tenant-env-fqdn>/am/oauth2/alpha/authorize.
    Select a platform: Web

  5. Click Register to create the application.

  6. Find the application ID:

    1. In the application menu, click Overview.

    2. Note the Application (client) ID of the application. For example, fa441b8a-9169-47e3-9b1f-270d2c61e33d. You’ll need this to create an external authentication method.

  7. Configure the application’s permissions to the API:

    1. Select API permissions and then click Add a permission.

    2. In the top toolbar, select APIs my organization uses.

    3. Search for and select Microsoft Graph.

    4. Select Delegated permissions.

    5. In the Openid permissions section, select the openid and profile checkboxes, and click Add permissions.

    6. Click Grant admin consent for <your company>.

    7. Complete the necessary steps for this task, including granting admin consent, and refresh the screen to display the updated permission status. Learn more in Grant tenant-wide admin consent to an application in the Microsoft Entra ID documentation.


Create a new group

Creating a group helps prevent all users from being locked out of the tenant when external authentication is enabled.

  1. In a browser, navigate to the Microsoft Entra admin center.

  2. In the left panel, click Identity and then click Groups > All groups.

  3. Click New group, and complete the following fields:

    Group type: Security
    Group Name: Anything you want
    Membership type: Assigned

  4. Add a few test users to the group, as needed.

  5. Click Create.

Add a new authentication method

  1. In a browser, navigate to the Microsoft Entra admin center.

  2. Click Protection and then click Authentication methods.

  3. In the top toolbar, click Add external method (Preview). Note that this option is available only with a Microsoft Entra P1 license or higher.

  4. Complete the following fields and click Save:

    Name: Anything you want
    Client ID: The name of the OIDC web application you created in Task 1 - Create a new OIDC web application in Advanced Identity Cloud
    Discovery Endpoint: https://<tenant-env-fqdn>/am/oauth2/alpha/.well-known/openid-configuration
    App ID: The generated Application (client) ID you recorded when setting up Microsoft Entra ID as the service provider

  5. Ensure that you granted admin consent when you registered the new app. You need the Privileged Role Administrator or Global Administrator role to grant admin consent for the provider’s application.

  6. Click the Enable toggle to enable external authentication methods.

  7. Set Include or Exclude users/groups, as needed.

  8. Click Save.

Create new conditional access

  1. In a browser, navigate to the Microsoft Entra admin center.

  2. Click Protection and then click Conditional Access.

  3. In the top toolbar, click Create new policy.

  4. Complete the following fields:

    Name: Anything you want
    Users: You can add anyone you want, but you shouldn’t include all users initially in case you encounter issues. Instead, use the group you created.
    Target resources: Apps you want to protect (My Apps for testing purposes)
    Network: Set as needed
    Condition: Set as needed
    Grant: With Grant access selected, select Require multifactor authentication
    Grant (for multiple controls): Set according to your security model

  5. Confirm your settings and set Enable policy to Report-only.

  6. Click Create.

At this point, you have:

  • Created an OIDC application in Advanced Identity Cloud

  • Registered an application in Microsoft Entra ID

  • Created a group in Microsoft Entra ID

  • Added Advanced Identity Cloud as an external authentication method in Microsoft Entra ID

  • Created a policy for conditional access in Microsoft Entra ID

Task 3: Complete setup of Microsoft Entra ID in Advanced Identity Cloud

  1. In the Advanced Identity Cloud admin console, go to Scripts > Auth Scripts.

  2. Make a copy of the Alpha OIDC Claims Script, and add the following lines in the getComputedClaims function, right before return computedClaims;:

     // (existing closing lines of the block that precedes the return)
     }
    });
    // MS Entra EAM: copy the session properties set by the journey into the ID token claims.
    // "eamsub" supplies the value of the sub claim; "eam-mfa-type" supplies the
    // authentication method reported in the amr claim, which is always an array.
    var receivedSub = session.getProperty("eamsub");
    computedClaims.put("sub", receivedSub);
    var amrMFAUsed = session.getProperty("eam-mfa-type");
    var amrClaim = [amrMFAUsed];
    computedClaims.put("amr", amrClaim);

    return computedClaims;
    }
  3. Update your OIDC client:

    1. Go to Native Consoles > Access Management > Applications > OAuth 2.0 > Clients and click the client you created in Task 1 - Create a new OIDC web application in Advanced Identity Cloud.

    2. On the Core tab, complete the following fields:

      Redirection URIs: https://login.microsoftonline.com/common/federation/externalauthprovider
      Default Scope(s): openid profile

    3. On the Advanced tab, complete the following fields:

      JavaScript Origins:
        https://login.microsoftonline.com
        https://login.microsoftonline.com:443
      Response Types: id_token
      Grant Types: Implicit
      Token Endpoint Authentication Method: None

    4. On the OAuth2 Provider Overrides tab, complete the following fields:

      Enable OAuth2 Provider Overrides: Enabled
      Access Token Modification Plugin Type: Scripted
      Access Token Modification Script: Alpha OAuth2 Access Token Modification Script
      OIDC Claims Plugin Type: SCRIPTED
      OIDC Claims Script: Name of the script you created in step 2
      OIDC Claims Plugin Implementation Class: org.forgerock.openam.oauth2.OpenAMScopeValidator
      Use Client-Side Access & Refresh Tokens: Enabled
      Allow Clients to Skip Consent: Enabled
      Scope Evaluation Plugin Implementation Class: org.forgerock.openam.oauth2.OpenAMScopeValidator
      Scope Validation Plugin Type: JAVA
      Scope Validation Plugin Implementation Class: org.forgerock.openam.oauth2.OpenAMScopeValidator
      Authorize Endpoint Data Provider Plugin Type: SCRIPTED
      Authorize Endpoint Data Provider Script: OAuth2 Authorize Endpoint Data Provider Script
      Authorize Endpoint Data Provider Plugin Implementation Class: org.forgerock.openam.oauth2.OpenAMScopeValidator
      Overrideable Id_Token Claims: sub acr amr

    5. Click Save Changes.

  4. Whitelist the EAM session properties:

    1. Go to Services > Session Property Whitelist Service.

      If the Session Property Whitelist Service is not listed, click Add a Service to add it.

    2. In the Allowlisted Session Property Names and Session Properties to return for session queries fields, enter eamsub and eam-mfa-type, and click Save Changes.
  5. Import and configure the sample journey:

    1. In the Advanced Identity Cloud admin console, import this sample journey. Learn more about importing journeys in Import journeys.

      This journey is provided as an example only. It isn’t configured to perform multi-factor authentication (MFA).

      The scripts provided with the journey are samples and are not supported by Ping Identity.

    2. In the GetLoginHint node, open the EAMGetLoginHint script and update the configuration variables with your EAM-specific data. This script handles the redirect from Microsoft Entra ID, which carries a signed JWT containing the username, and uses that JWT to authenticate the user within the journey.

      issuer: The issuer URL in the format https://login.microsoftonline.com/<tid>/v2.0. To find your EAM tenant ID (tid), go to the Microsoft Entra admin center and click Identity > Overview.
      jwksJson
      audience: The generated Application (client) ID you recorded when setting up Microsoft Entra ID as the service provider.
      tid: Your EAM tenant ID (tid)
      nodeName: The node name, which is used for logging purposes.

  6. Go to Native Consoles > Access Management > Services > OAuth2 Provider.

  7. On the Advanced OpenID Connect tab, update your OAuth 2.0 Provider by completing the following fields:

    Enable "claims_parameter_supported": True (on)
    OpenID Connect acr_values to Auth Chain Mapping: key possessionorinherence, value EAM SAMPLE (the sample journey name)

At this point, you have:

  • Created an OIDC application in Advanced Identity Cloud

  • Registered an application in Microsoft Entra ID

  • Created a group in Microsoft Entra ID

  • Added Advanced Identity Cloud as an external authentication method in Microsoft Entra ID

  • Created a policy for conditional access in Microsoft Entra ID

  • Added the EAM session properties to the OIDC Claims Script in Advanced Identity Cloud

  • Updated the OIDC application in Advanced Identity Cloud

  • Whitelisted the EAM session properties

  • Imported and configured a sample journey

  • Updated the OAuth 2.0 Provider

Validation

Now that you have created and configured the EAM setup, validate the configurations.

Steps

  1. In a browser, go to https://myapps.microsoft.com.

  2. Sign in using the test user’s username and password.

  3. When prompted, select the external authentication method you configured.

  4. Choose your MFA method (this assumes the journey administrator has configured an MFA challenge).

Upon successful authentication, the user should be logged into Microsoft Entra ID.

Video of validation

The following video displays the expected flow from Microsoft Entra ID to Advanced Identity Cloud: