Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. Azure AD helps your employees sign in and access internal and external resources.
Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only you know or have access to.
Acceptto MFA for Azure Active DirectoryTM enables strong authentication and secure access via SAML to protect your user accounts and your data without exchanging usernames and passwords.
An Acceptto Appliance connected to your user directory.
The user population that is going to be authenticated via SAML must be enrolled in the It’s Me Application.
A user with administrative privileges for the Acceptto Appliance.
A MicrosoftTM Azure Active Directory Account with Global Admin privileges
All the Azure Active Directory users that will be authenticated via SAML must have an immutableID set. To identify which users may not have an immutableID set run the following PowerShell™ command (Make sure you have the MSOnline PowerShell module installed via “Install-Module -Name MSOnline” and connect to your Azure instance via “Connect-MsolService” command):
Get-MsolUser -All | Select-Object UserprincipalName,ImmutableID UserPrincipalName ImmutableId ----------------- ----------- User1@example.com 123ABC45-67EF-90GH-12IJ-34KL56MN7890P User2@example.com
Make sure you have the latest WMF (Windows management framework) installed. You can check the version of your PowerShell with this command:
"Get-Host | Select-Object Version"
Users that do not show an immutableID such as User2@example.com, will not be able to login using SAML. To change the ImmutableID for specific users run the following PowerShell command (replace UserPrincipalName with the affected user UserPrincipalName, e.g., firstname.lastname@example.org):
$guid = New-Guid Set-MSOLUser -UserPrincipalName UserPrincipalname -ImmutableID $guid
Acceptto SAML Configuration as Identity Provider (IdP)
- Login to the Acceptto Appliance admin panel with an administrative account and go to Applications.
- Create a new application by selecting the Create New Application.
- In the Add Application dialog, enter the following values:
App Name - The application name displayed in the admin panel and application portal (e.g., Microsoft Azure).
Issuer or Entity ID – The Issuer/EntityID of your Azure AD instance (e.g., urn:federation:MicrosoftOnline).
Sign in URL - The URL used to login to your Azure AD instance (e.g., https://login.microsoftonline.com/login.srf).
Metadata URL - The URL containing metadata about your AzureAD instance (e.g., https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml).
- Click Save to create the Application.
- Select the Show ID Provider Data and copy the information shown on this page. Make sure you edit (delete the breaks) the certificate in such a way to have it as a single line.
Configure Azure Active Directory as a Service Provider (SP)
Run PowerShell as an administrator and connect to your Azure instance with the command below. You need to login with your Azure Global Admin account.
Retrieve all domains for the company (verified or unverified) to identify the domain which should be federated.
Run the following script in a PowerShell environment (most of values come from earlier section “Configure the Acceptto Identity Provider”, item 5):
# The domain you want to authenticate against SAML(mandatory) $domain="example.com" # Identify who your IdP is $BrandName = "Acceptto SAML IDP" # Logon URL (mandatory) $LogOnUrl = "https://saml.acceptto.com/saml/auth" # Logoff URL (mandatory) $LogOffUrl = "https://saml.acceptto.com/saml/logout" # The IdP Certificate. Note the use of @ to make it a raw text variable. $SigningCert = "Copy your Acceptto Appliance SAML signing certificate got earlier in one single line, here" # The issuer URI. $uri = "https://saml.acceptto.com/saml" $Protocol = "SAMLP"
The whole command looks like the following, a successful run of the command should not return any errors.
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $BrandName -Authentication federated -PassiveLogOnUri $LogOnUrl -SigningCertificate $SigningCert -IssuerUri $uri -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol $Protocol
To verify if the domain is configured to use SAML, use the following command:
Get-MsolDomainFederationSettings -domainname example.com | fl *
The output should be similar to the following and must show the same values as used in the script variables above.
ExtensionData : System.Runtime.Serialization.ExtensionDataObject ActiveLogOnUri : DefaultInteractiveAuthenticationMethod : FederationBrandName : acceptto.com IssuerUri : https://saml.acceptto.com/saml LogOffUri : https://saml.acceptto.com/saml/logout MetadataExchangeUri : NextSigningCertificate : OpenIdConnectDiscoveryEndpoint : PassiveLogOnUri : https://saml.acceptto.com/saml/auth PasswordChangeUri : PasswordResetUri : PreferredAuthenticationProtocol : Samlp PromptLoginBehavior : SigningCertificate : MII 79701424009245946274090644119698913542736738414383197137136495653488597823440743026907540474162173229890086677980241691766203566484177525691391892547529556572165857639252331212281503088199745189921112D= SigningCertificateUpdateStatus : SupportsMfa :
Test your setup
- Go to the Azure or Office 365 portal. You will be redirected to the Acceptto SAML page.
- After successful authentication, you’ll see the Acceptto MFA options, select your desired method. Then, pass the verification stage on your It’sMe mobile app.
- Finally, you will be redirected to your Azure/Office 365 landing page.
If you receive an error page, like:
Acceptto branded web page such as below then check if your username and password are correct. If after checking your credentials, it still fails to log you in, please contact our support.
An Azure branded error webpage such as below, check that the script you run exactly matches the values you obtained from the Acceptto IdP. Correct any discrepancies and rerun the script.
If an Azure branded error webpage stills appears, then you can revert the domain to a managed domain. To do this, open a Powershell console, login to Azure as the managed domain user and type the following command. If the command is successful, there is no output.
Set-MsolDomainAuthentication -DomainName example.com -Authentication “managed”
If you require assistance, please email us at email@example.com
Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the Acceptto Corporation.
Azure, PowerShell, Microsoft, and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.