Microsoft ImmutableID Integration
Description
This article describes a new feature for LDAP attributes in Sentry (version 4.1.2) that allows binary attributes to be imported. This enables access to Office 365 applications that require Azure AD to be integrated with Active Directory. Any other Microsoft objects can also be used and integrated with the Single Sign-On Portal. Learn more about the ImmutableId attribute and Azure AD in the Microsoft documentation.
Configuration for Azure AD Connect Synchronisation
It is assumed that Azure Active Directory is configured and in sync with Active Directory. For further information on how to configure Azure AD Connect, check the official Microsoft documentation.
Configuration for Azure AD Connect Synchronisation
In order to use Sentry for Azure user authentication, you need to enable federated authentication on the Azure domain you are using. This applies to the entire domain: you can't enable federated authentication for some users and standard (or "managed") authentication for others. If you have multiple domains in a single Azure account, however, you can (and must) enable federated authentication for each domain separately.
The domain(s) that you use for federated authentication cannot be the primary domain, and they cannot be managed by Azure: you must manage them yourself. They must also have been verified within Azure.
The procedure below uses Microsoft PowerShell to configure Azure. It assumes you have the MSOnline PowerShell module installed. Note that it must be the older version referenced here; the newer Azure AD module doesn't have the cmdlets used by the following script. If you need to install it, use the following command:
Install-Module -Name MSOnline
You should open a PowerShell command prompt with administrator privileges to carry this out. We are assuming that you are executing these commands interactively, but if you are sufficiently familiar with PowerShell, you can run it as a single script.
It is assumed that the domain you are going to federate has already been created and validated: managing this is outside the scope of this document.
First of all, connect to Azure:
Connect-MsolService
This command will prompt you for the username and password of your Azure account. The following 3 lines need to be customized to match your environment:
Replace <my.domain.com> in the following line with the actual domain that you want to enable federated authentication on.
$domainName="<my.domain.com>"
Replace <my.sentry.com> with the host name (and port if required) of your Swivel Secure Sentry server.
$sentryUri="https://<my.sentry.com>/sentry"
Replace <my brand name> with the display name of your domain.
$brandName="<my brand name>"
The above line is optional - you could simply use:
$brandName = $domainName
The following section extracts metadata from the Sentry server. It will only work if you can connect to your Sentry server without certificate errors. If you cannot do this, you will have to set $issuerUri and $cert by extracting them directly from the metadata: contact the Swivel Secure support desk for help on this.
$metadataUri=$sentryUri + "/metadata/generatedMetadata.xml"
$metadata=[xml](Invoke-WebRequest -Uri $metadataUri).Content
$metadataRoot = $metadata.EntityDescriptor
$issuerUri = $metadataRoot.entityID
$cert = $metadataRoot.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate -replace '\s',''
The next two URIs are derived from the Sentry URI:
$logonUri = $sentryUri + "/saml20endpoint"
$logoffUri = $sentryUri + "/singlelogout"
Finally, now that we have all the information, we can enable federated authentication.
Set-MsolDomainAuthentication -DomainName $domainName -Authentication Federated -IssuerUri $issuerUri -FederationBrandName $brandName -LogOffUri $logoffUri -PassiveLogOnUri $logonUri -SigningCertificate $cert -PreferredAuthenticationProtocol "SAMLP" -MetadataExchangeUri $metadataUri
Note
Make sure that the above is pasted all in one line.
It may take a while for the configuration changes to propagate, so don’t worry if you don’t get the expected results immediately. To check that the settings have been applied, use the following command:
Get-MsolDomainFederationSettings -DomainName $domainName
If you get no response, the domain is still using managed authentication.
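As an added check that is not part of the original procedure, the following PowerShell re-reads the Sentry metadata, selects the signing certificate even when the IdP publishes more than one KeyDescriptor, and compares what Azure stored for the domain with what Sentry publishes. It assumes $domainName and $sentryUri are set as above and that Connect-MsolService has already been run; the function names are this example's own.

```powershell
# Added example, not part of the original article or Swivel Secure's own tooling.
function Get-SentryIdpSettings {
    param([Parameter(Mandatory)][string]$SentryUri)
    $metadataUri = $SentryUri + "/metadata/generatedMetadata.xml"
    $metadata = [xml](Invoke-WebRequest -Uri $metadataUri -UseBasicParsing).Content
    $idp = $metadata.EntityDescriptor.IDPSSODescriptor
    # A SAML IdP may publish several KeyDescriptor elements (signing and encryption).
    # Take the first marked use="signing", or one with no "use" attribute (valid for both).
    $keyDescriptor = @($idp.KeyDescriptor) |
        Where-Object { -not $_.use -or $_.use -eq 'signing' } |
        Select-Object -First 1
    if (-not $keyDescriptor) { throw "No signing KeyDescriptor found in $metadataUri" }
    [pscustomobject]@{
        IssuerUri           = $metadata.EntityDescriptor.entityID
        PassiveLogOnUri     = $SentryUri + "/saml20endpoint"
        LogOffUri           = $SentryUri + "/singlelogout"
        MetadataExchangeUri = $metadataUri
        SigningCertificate  = $keyDescriptor.KeyInfo.X509Data.X509Certificate -replace '\s', ''
    }
}

function Test-SentryFederation {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$SentryUri
    )
    $expected = Get-SentryIdpSettings -SentryUri $SentryUri
    $actual = Get-MsolDomainFederationSettings -DomainName $DomainName
    if (-not $actual) { Write-Warning "$DomainName still uses managed authentication"; return $false }
    $ok = $true
    # Each of these must point at the Sentry server, otherwise Azure trusts the wrong IdP.
    foreach ($name in 'IssuerUri', 'PassiveLogOnUri', 'LogOffUri', 'SigningCertificate') {
        if ($actual.$name -ne $expected.$name) {
            Write-Warning ("{0} mismatch: Azure has '{1}', Sentry metadata says '{2}'" -f $name, $actual.$name, $expected.$name)
            $ok = $false
        }
    }
    # Parse the certificate so an expired signing certificate is reported before users are locked out.
    $certBytes = [Convert]::FromBase64String($expected.SigningCertificate)
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
    if ((Get-Date) -gt $x509.NotAfter) { Write-Warning "Sentry signing certificate expired $($x509.NotAfter)"; $ok = $false }
    return $ok
}

Test-SentryFederation -DomainName $domainName -SentryUri $sentryUri
```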
Configuration for Sentry Repository
Integration between Azure AD and the Sentry SSO Portal requires mapping an attribute name followed by ;binary. Attributes imported this way will be stored as base64-encoded data. Create a Sentry attribute named "immutableid" (or whatever name is preferred) and map it to objectGUID;binary in the Active Directory repository. Then import the users into the Sentry database with User Sync.
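The value Azure AD Connect uses as ImmutableId is the base64 encoding of the raw objectGUID bytes, which is the same encoding a Sentry attribute mapped as objectGUID;binary stores. The following PowerShell, added here and not part of the original article, derives that value from AD and checks it against what Azure holds for the user; it assumes the ActiveDirectory and MSOnline modules are loaded, Connect-MsolService has been run, and the function names and sample GUID are this example's own.

```powershell
# Added example, not part of the original article or Swivel Secure's own tooling.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # AD stores objectGUID as 16 raw bytes in .NET Guid byte order, so Guid.ToByteArray()
    # reproduces exactly the bytes an LDAP ;binary read of objectGUID returns.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction: find which AD object an Azure user is anchored to.
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Test-UserImmutableId {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID, userPrincipalName
    $expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID
    $cloudUser = Get-MsolUser -UserPrincipalName $adUser.UserPrincipalName
    if ($cloudUser.ImmutableId -ne $expected) {
        # A mismatch means the Sentry "immutableid" attribute will not match the Azure user
        # and federated sign-in for this account will fail or land on the wrong identity.
        Write-Warning ("ImmutableId mismatch for {0}: AD-derived '{1}', Azure '{2}'" -f $adUser.UserPrincipalName, $expected, $cloudUser.ImmutableId)
        return $false
    }
    return $true
}

# Constructed sample GUID so the conversion itself can be checked without AD or Azure access.
$sampleGuid = [guid]'12345678-1234-1234-1234-123456789abc'
$sampleId = ConvertTo-ImmutableId -ObjectGuid $sampleGuid
if ((ConvertFrom-ImmutableId -ImmutableId $sampleId) -ne $sampleGuid) { throw "ImmutableId round-trip failed" }
```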
Configuration for Sentry SSO Portal
Log into Sentry using the Admin Login button, and locate the Applications page. Click on Applications then Add Application and select SAML - Other.
[Screenshots in the original: user from Azure synchronised with the mapped binary attribute; SSO login page; Microsoft validation; successful login.]