Microsoft ImmutableID Integration

Description

This article describes a new LDAP attribute feature in Sentry (version 4.1.2) that allows binary attributes to be imported. This gives access to Office 365 applications that require Azure AD integrated with on-premises Active Directory. In addition, any other Microsoft object can be used and integrated with the Single Sign-On Portal. Learn more about the ImmutableId attribute and Azure AD in the Microsoft documentation.

Configuration for Azure AD Connect Synchronisation

It is assumed that Azure Active Directory is configured and in sync with Active Directory. For further information on how to configure Azure AD Connect, check the official Microsoft documentation.

Configuration for Azure Federated Authentication

In order to use Sentry for Azure users authentication, you need to enable federated authentication on the Azure domain you are using. This applies to the entire domain: you can’t enable federated authentication for some users and standard (or “managed”) authentication for others. If you have multiple domains in a single Azure account, however, you can (and must) enable federated authentication for each domain separately.

The domain(s) that you use for federated authentication cannot be the primary domain, and they cannot be managed by Azure - you must manage them yourself. They must also have been verified within Azure.

The procedure below uses Microsoft PowerShell to configure Azure. It assumes you have the MSOnline PowerShell module installed. Note that it must be the older MSOnline module referenced here: the newer Azure AD module doesn’t have the cmdlets used by the following script. If you need to install it, use the following command:

Install-Module -Name MSOnline

You should open a PowerShell prompt with administrator privileges to carry this out. We assume that you are executing these commands interactively, but if you are sufficiently familiar with PowerShell, you can run them as a single script.

It is assumed that the domain you are going to federate has already been created and validated: managing this is outside the scope of this document.

First of all, connect to Azure:

Connect-MsolService

This command will prompt you for the username and password of your Azure account. The following three lines need to be customised to match your environment:

Replace <my.domain.com> in the following line with the actual domain that you want to enable federated authentication on.

$domainName="<my.domain.com>"

Replace <my.sentry.com> with the host name (and port if required) of your Swivel Secure Sentry server.

$sentryUri="https://<my.sentry.com>/sentry"

Replace <my brand name> with the display name of your domain.

$brandName="<my brand name>"

The above line is optional - you could simply use:

$brandName = $domainName

The following section extracts metadata from the Sentry server. It will only work if you can connect to your Sentry server without certificate errors. If you cannot, you will have to set $issuerUri and $cert by extracting them directly from the metadata: contact the Swivel Secure support desk for help with this.

$metadataUri=$sentryUri + "/metadata/generatedMetadata.xml"
$metadata=[xml](Invoke-WebRequest -Uri $metadataUri).Content
$metadataRoot = $metadata.EntityDescriptor
$issuerUri = $metadataRoot.entityID
$cert = $metadataRoot.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate -replace '\s',''

The next two URIs are derived from the Sentry URI:

$logonUri = $sentryUri + "/saml20endpoint"
$logoffUri = $sentryUri + "/singlelogout"

Finally, now that we have all the information, we can enable federated authentication.

Set-MsolDomainAuthentication -DomainName $domainName -Authentication Federated -IssuerUri $issuerUri -FederationBrandName $brandName -LogOffUri $logoffUri -PassiveLogOnUri $logonUri -SigningCertificate $cert -PreferredAuthenticationProtocol "SAMLP" -MetadataExchangeUri $metadataUri

Note

Make sure that the above is pasted all on one line.

It may take a while for the configuration changes to propagate, so don’t worry if you don’t get the expected results immediately. To check that the settings have been applied, use the following command:

Get-MsolDomainFederationSettings -DomainName $domainName

If you get no response, the domain is still using managed authentication.
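The interactive steps above collected into a single script, as an added example that is not Swivel Secure's own script. It uses the same MSOnline cmdlets and the same Sentry URIs as the procedure, and adds the checks a practitioner would want: that the domain is verified and not the primary domain before federating, that the signing certificate pulled from the metadata parses and is within its validity period, and that Azure has actually stored the expected IssuerUri afterwards. The parameter names, the polling loop and the selection of the signing KeyDescriptor are assumptions of this example; the placeholder values in angle brackets are yours to fill in.

```powershell
# Added example, not part of the Sentry documentation or the MSOnline module.
# Requires Windows PowerShell 5.1 with the MSOnline module installed.
#Requires -Modules MSOnline
param(
    [Parameter(Mandatory)][string]$DomainName,   # e.g. <my.domain.com>
    [Parameter(Mandatory)][string]$SentryUri,    # e.g. https://<my.sentry.com>/sentry
    [string]$BrandName                           # optional; defaults to the domain name
)
$ErrorActionPreference = 'Stop'
if (-not $BrandName) { $BrandName = $DomainName }

Connect-MsolService   # prompts for the Azure administrator credentials

# Pre-flight: the domain must exist in the tenant, be verified, and not be the primary domain.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') { throw "Domain $DomainName is not verified in Azure AD." }
if ($domain.IsDefault) { throw "Domain $DomainName is the primary (default) domain; federate a non-primary domain." }
if ($domain.Authentication -eq 'Federated') {
    Write-Warning "Domain $DomainName is already federated; its settings will be overwritten."
}

# Fetch Sentry's SAML metadata. No TLS checks are bypassed here: if this fails with a
# certificate error, fix the Sentry certificate or set $issuerUri and $cert by hand.
$metadataUri  = "$SentryUri/metadata/generatedMetadata.xml"
$metadata     = [xml](Invoke-WebRequest -Uri $metadataUri -UseBasicParsing).Content
$metadataRoot = $metadata.EntityDescriptor
$issuerUri    = $metadataRoot.entityID

# The IdP descriptor may carry more than one KeyDescriptor (signing and encryption).
# Take the one marked use="signing", or the first one if no 'use' attribute is set.
$keyDescriptor = @($metadataRoot.IDPSSODescriptor.KeyDescriptor) |
    Where-Object { $u = $_.GetAttribute('use'); $u -eq '' -or $u -eq 'signing' } |
    Select-Object -First 1
$cert = $keyDescriptor.KeyInfo.X509Data.X509Certificate -replace '\s', ''

# Sanity-check the certificate before handing it to Azure: it must parse as X.509
# and be inside its validity period, otherwise every federated logon will fail.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($cert))
$now  = Get-Date
if ($now -lt $x509.NotBefore -or $now -gt $x509.NotAfter) {
    throw "Sentry signing certificate is outside its validity period ($($x509.NotBefore) to $($x509.NotAfter))."
}
Write-Host "Issuer URI          : $issuerUri"
Write-Host "Signing certificate : $($x509.Subject), thumbprint $($x509.Thumbprint), expires $($x509.NotAfter)"

$logonUri  = "$SentryUri/saml20endpoint"
$logoffUri = "$SentryUri/singlelogout"

Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
    -IssuerUri $issuerUri -FederationBrandName $BrandName `
    -LogOffUri $logoffUri -PassiveLogOnUri $logonUri `
    -SigningCertificate $cert -PreferredAuthenticationProtocol 'SAMLP' `
    -MetadataExchangeUri $metadataUri

# Post-check: the change can take a while to propagate, so poll a few times.
$settings = $null
for ($i = 0; $i -lt 6 -and -not $settings; $i++) {
    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName
    if (-not $settings) { Start-Sleep -Seconds 10 }
}
if (-not $settings) {
    throw "No federation settings returned yet; the domain is still managed. Re-run Get-MsolDomainFederationSettings later."
}
if ($settings.IssuerUri -ne $issuerUri) {
    throw "IssuerUri mismatch: Azure holds '$($settings.IssuerUri)', expected '$issuerUri'."
}
$settings | Format-List
```

Run it as .\Enable-SentryFederation.ps1 -DomainName my.domain.com -SentryUri https://my.sentry.com/sentry from an elevated PowerShell prompt. The script deliberately does not disable certificate validation on the metadata request: a Sentry server whose certificate is not trusted by the machine running the script is a configuration problem to fix, not to work around, since the same trust issue will surface for users at logon.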

Configuration for Sentry Repository

Integration between Azure AD and the Sentry SSO Portal requires mapping an attribute name followed by ;binary. Attributes imported this way are stored as base64-encoded data. Create a Sentry attribute named “immutableid” (or whatever name is preferred) and map it to objectGUID;binary in the Active Directory repository. Then import the users into the Sentry database with User Sync.
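The reason the attribute must be mapped as objectGUID;binary is that Azure AD Connect's default source anchor (the ImmutableId) is the base64 encoding of the raw 16 bytes of objectGUID, in the byte order that [guid]::ToByteArray() produces, so the base64 value Sentry stores has to be byte-for-byte identical to what Azure AD holds for the same user. The following added example (not Sentry's own code) shows the conversion in both directions and a check that compares a Sentry-imported value with the ImmutableId read from Azure. The function names, the sample GUID and the "wrong" comparison value are constructed for this example; the Get-MsolUser call in the comment is the real MSOnline cmdlet.

```powershell
# Added example, not part of the Sentry documentation. Requires PowerShell 5 or later.

function ConvertTo-ImmutableId {
    # objectGUID bytes (same order as AD's binary attribute) -> base64 ImmutableId
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # base64 ImmutableId -> GUID; rejects values that are not 16 raw bytes
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "Value decodes to $($bytes.Length) bytes, not 16; it is not an objectGUID-derived ImmutableId."
    }
    [guid]::new($bytes)
}

function Test-SentryImmutableId {
    # Compare the value Sentry imported for a user with the ImmutableId Azure AD holds.
    # In a live check $AzureValue comes from (Get-MsolUser -UserPrincipalName $upn).ImmutableId
    param(
        [Parameter(Mandatory)][string]$SentryValue,   # Sentry 'immutableid' attribute value
        [Parameter(Mandatory)][string]$AzureValue     # ImmutableId from Azure AD
    )
    $sentryGuid = ConvertFrom-ImmutableId $SentryValue
    $azureGuid  = ConvertFrom-ImmutableId $AzureValue
    [pscustomobject]@{
        SentryGuid = $sentryGuid
        AzureGuid  = $azureGuid
        Match      = ($sentryGuid -eq $azureGuid)
    }
}

# Constructed sample objectGUID, as Get-ADUser -Properties objectGUID would display it.
$sampleGuid  = [guid]'12345678-9abc-def0-1234-56789abcdef0'
$immutableId = ConvertTo-ImmutableId $sampleGuid
"{0} -> {1}" -f $sampleGuid, $immutableId

# Round trip back to the GUID: prints True
(ConvertFrom-ImmutableId $immutableId) -eq $sampleGuid

# A matching pair, as you would see when the ;binary mapping is correct: Match is True
Test-SentryImmutableId -SentryValue $immutableId -AzureValue $immutableId

# Constructed failure case: base64 of the GUID's *string* form rather than its 16 raw
# bytes. It is a valid base64 string but not a valid anchor, so the check throws.
$wrongValue = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleGuid.ToString()))
try {
    Test-SentryImmutableId -SentryValue $wrongValue -AzureValue $immutableId
} catch {
    Write-Warning "Sentry value rejected: $($_.Exception.Message)"
}
```

The length check in ConvertFrom-ImmutableId is the useful part for troubleshooting: a value that decodes to something other than 16 bytes was not taken from the binary objectGUID, which usually means the Sentry attribute was mapped without the ;binary suffix or the user was imported before the mapping was changed. Note also that the GUID's hyphenated string form does not reflect the byte order in either AD or Azure, so the first bytes of the base64 value will not visually match the start of the GUID string.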

[Image: _images/attribute.gif]

Configuration for Sentry SSO Portal

Log into Sentry using the Admin Login button and locate the Applications page. Click Applications, then Add Application, and select SAML - Other.

[Image: _images/sso1.png]

[Image: _images/sso2.png]

User from Azure synchronised with mapped binary attribute.

[Image: _images/usersync.png]

SSO Login Page

[Image: _images/ssologinpage.png]

Microsoft Validation

[Image: _images/msvalidation.png]

Successful Login

[Image: _images/loginok.png]