Microsoft Azure AD - Enabling conditional access with inWebo OpenID

Introduction

It is highly advisable to add additional security and verification to the access of your organization's critical applications (such as financial and employee data apps, intellectual property storage apps and so on). With the inWebo Azure Active Directory plugin, inWebo authentication can be used to provide strong verification of access to your applications by adding a conditional access policy to your Azure Active Directory.

Prerequisites

  • Azure Directory account at a Premium level (P1 or P2)

  • An inWebo account (could be a Trial Account)

  • Register with inWebo to enable the inWebo Azure AD connector in your tenant

Configuring inWebo MFA to protect Azure AD

Step 1: Creating a new inWebo Azure AD connector

  • Connect as administrator to the inWebo administration console.

  • Go to the “Secure Sites” section.

  • Choose to create a connector of type “OIDC Azure AD”.

  • Fill in the fields to create your inWebo Azure AD Connector:

Settings and their descriptions:

Connector name

Enter a name describing the connector's purpose in the administration console. The connector name is used to create the secure site, so it will appear in the authentication context sentence.

Client ID

Enter the client ID. It links the inWebo connector to the Azure AD custom control (when creating the custom control, specify this ClientID in the JSON code).

Login Type

Azure AD uses the UPN (UserPrincipalName) attribute as the login for the authentication process. The login type must match the UPN sent by Azure AD.

Select the login type to use during the Azure AD user authentication process. Since the login type must match the UPN, you have 3 options:

  • user login → select this login type if the inWebo User login matches the Azure AD UPN.

  • user email → select this login type if the inWebo User email matches the Azure AD UPN.

  • login 2 → select this login type and enter the UPN value in the “login 2” field of the user properties.

Client Secret

It is not used for Azure AD (this value is defined by the OpenID Connect standard).

Authentication URL

Select the authentication mode you have decided to provide to your users when they access your secure content (VA, Helium, mAccess Web or Authenticator App). It gives the user a first mode of authentication on arrival but is not exclusive: the other modes remain available.

For all connectors created before April 15, 2021, the authentication page is one of the following:

- Helium - //www.myinwebo.com/authentication-oidc/helium

- Virtual Authenticator - //www.myinwebo.com/authentication-oidc/va

- mAccess Web - //www.myinwebo.com/authentication-oidc/neon

- inWebo Authenticator App - //www.myinwebo.com/authentication-oidc/authenticator

For connectors created after April 15, 2021, the authentication page is one of the following:

- Helium - https://ult-inwebo.com/authentication-oidc/helium

- Virtual Authenticator - https://ult-inwebo.com/authentication-oidc/va

- mAccess Web - https://ult-inwebo.com/authentication-oidc/neon

- inWebo Authenticator App - https://ult-inwebo.com/authentication-oidc/authenticator

Note: For all connectors created before April 15, 2021, we recommend modifying the URL of the authentication page so that it uses the ult-inwebo.com domain as described above.

Custom claims

Check that the claim key and value are present: InWeboMfa - Static value - MfaDone.
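The Login Type choice above comes down to one question per user: which inWebo attribute (user login, user email or login 2) is equal to the Azure AD UPN? The following script is an added example, not code from inWebo or from this page: it takes a constructed list of users with their inWebo properties and UPN, reports for each login type the users that would not match (and would therefore fail the inWebo step), and picks the login type to select, falling back to “login 2” with the list of users whose “login 2” field still has to be filled with the UPN. The case-insensitive comparison is an assumption of the example.

```python
# Added example (not from the inWebo documentation): work out which inWebo
# "Login Type" makes each user's inWebo attribute equal to the Azure AD UPN,
# and list the users for whom "login 2" would still have to be filled in.
from dataclasses import dataclass
from typing import Optional

# The three login types offered by the connector, in the order the page lists them.
LOGIN_TYPES = ("user login", "user email", "login 2")


@dataclass
class InWeboUser:
    """Constructed view of one person: inWebo user properties plus the Azure AD UPN."""
    login: str
    email: str
    upn: str                       # Azure AD UserPrincipalName of the same person
    login2: Optional[str] = None   # inWebo "login 2" user property, unset by default


def _norm(value: Optional[str]) -> str:
    # Assumption: the comparison is case-insensitive and ignores surrounding blanks.
    return value.strip().lower() if value else ""


def matching_login_types(user: InWeboUser) -> set:
    """Login types whose attribute value equals this user's UPN."""
    upn = _norm(user.upn)
    candidates = {
        "user login": _norm(user.login),
        "user email": _norm(user.email),
        "login 2": _norm(user.login2),
    }
    return {name for name, value in candidates.items() if value and value == upn}


def login_type_report(users) -> dict:
    """For each login type, the UPNs that would NOT match (and so would fail the inWebo step)."""
    return {
        name: [u.upn for u in users if name not in matching_login_types(u)]
        for name in LOGIN_TYPES
    }


def choose_login_type(users):
    """Return (login type to select, UPNs still to be entered in "login 2").

    The first login type (in page order) that matches every user wins; if none
    does, fall back to "login 2", the one field an administrator can populate.
    """
    report = login_type_report(users)
    for name in LOGIN_TYPES:
        if not report[name]:
            return name, []
    return "login 2", report["login 2"]


# Constructed sample users (not real accounts).
SAMPLE_USERS = [
    InWeboUser(login="alice", email="alice@example.com", upn="alice@example.com"),
    InWeboUser(login="bob", email="robert@example.com", upn="bob@example.com",
               login2="Bob@Example.com"),
]

if __name__ == "__main__":
    print(login_type_report(SAMPLE_USERS))
    print(choose_login_type(SAMPLE_USERS))   # ('login 2', ['alice@example.com'])
```

Run it against an export of your inWebo users before enabling the policy: any UPN listed under the chosen login type is a user who will be blocked at the inWebo step rather than silently let through.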

  • Click on Add to create the Azure AD connector.

  • A connector alias, a secure site alias and a discovery URL have been generated automatically. These elements are displayed at the top of the connector properties.

  • Click on “Display json code for Azure custom control” at the bottom of the connector properties.

  • Copy the json code: it will be used for the Azure AD custom control (see “Step 2: Creating a new custom control in Azure AD” below).

{
  "Name": "Name of your AZURE service",
  "AppId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "ClientId": "xxxx openId client identifier xxxx",
  "DiscoveryUrl": "https://connect.myinwebo.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/.well-known/openid-configuration",
  "Controls": [
    {
      "Id": "RequireInWeboMfa",
      "Name": "RequireInWeboMfa",
      "ClaimsRequested": [
        {
          "Type": "InWeboMfa",
          "Value": "MfaDone",
          "Values": null
        }
      ],
      "Claims": null
    }
  ]
}


The "Id": "RequireInWeboMfa" and "Name": "RequireInWeboMfa" fields must be unique. They must not be used by other "custom control" mechanisms.
However, you can change the "Name" field to "RequireInWeboMfa service name" for a more meaningful display by adding the name of the related inWebo service for Azure AD.
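Before pasting the JSON into Azure AD it is worth checking it mechanically: that the placeholders were actually replaced, that the discovery URL is an https OpenID Connect discovery document, that the control requests exactly the claim the connector emits (InWeboMfa = MfaDone), and that the "Id" and "Name" collide with no custom control already in the tenant. The script below is an added example, not inWebo's code; the filled-in GUID and client identifier are constructed values, and it also checks, per the note on the Authentication URL above, that that URL uses https on the ult-inwebo.com domain.

```python
# Added example, not from the inWebo documentation: checks to run on the
# "json code for Azure custom control" before pasting it into Azure AD.
import json
import re
import uuid
from urllib.parse import urlparse

# Claim key and static value the connector's "Custom claims" must carry (from the page).
EXPECTED_CLAIM = ("InWeboMfa", "MfaDone")
# Domain the page recommends for the authentication page since April 15, 2021.
RECOMMENDED_AUTH_DOMAIN = "ult-inwebo.com"


def validate_custom_control(doc, existing_ids=(), existing_names=()):
    """Return a list of problems found in a custom control document (empty = OK).

    existing_ids / existing_names: "Id" and "Name" values already used by other
    custom controls in the tenant; the page requires both to be unique.
    """
    problems = []
    for key in ("Name", "AppId", "ClientId", "DiscoveryUrl", "Controls"):
        if key not in doc:
            problems.append(f"missing top-level field {key!r}")
    if problems:
        return problems
    try:
        uuid.UUID(str(doc["AppId"]))
    except ValueError:
        problems.append("AppId is not a GUID (placeholder left in place?)")
    if re.search(r"x{4,}", str(doc["ClientId"])):
        problems.append("ClientId still contains the xxxx placeholder")
    disc = urlparse(str(doc["DiscoveryUrl"]))
    if disc.scheme != "https" or not disc.path.endswith("/.well-known/openid-configuration"):
        problems.append("DiscoveryUrl must be an https OpenID Connect discovery URL")
    seen_ids, seen_names = set(existing_ids), set(existing_names)
    for ctrl in doc["Controls"]:
        cid, cname = ctrl.get("Id"), ctrl.get("Name")
        if cid in seen_ids:
            problems.append(f"control Id {cid!r} is already used by another custom control")
        if cname in seen_names:
            problems.append(f"control Name {cname!r} is already used by another custom control")
        seen_ids.add(cid)
        seen_names.add(cname)
        claims = {(c.get("Type"), c.get("Value")) for c in ctrl.get("ClaimsRequested") or []}
        if EXPECTED_CLAIM not in claims:
            problems.append(f"control {cid!r} does not request the claim {EXPECTED_CLAIM}")
    return problems


def authentication_url_ok(url):
    """True when the connector's Authentication URL uses https on the recommended domain."""
    parts = urlparse(url)
    host = parts.hostname or ""
    on_domain = host == RECOMMENDED_AUTH_DOMAIN or host.endswith("." + RECOMMENDED_AUTH_DOMAIN)
    return parts.scheme == "https" and on_domain


# Constructed sample: the page's template with its placeholders still in place...
TEMPLATE = json.loads("""
{ "Name": "Name of your AZURE service",
  "AppId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "ClientId": "xxxx openId client identifier xxxx",
  "DiscoveryUrl": "https://connect.myinwebo.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/.well-known/openid-configuration",
  "Controls": [ { "Id": "RequireInWeboMfa", "Name": "RequireInWeboMfa",
                  "ClaimsRequested": [ { "Type": "InWeboMfa", "Value": "MfaDone", "Values": null } ],
                  "Claims": null } ] }
""")
# ...and the same document with constructed (not real) identifiers filled in.
FILLED = json.loads(json.dumps(TEMPLATE))
FILLED["AppId"] = "11111111-2222-3333-4444-555555555555"
FILLED["ClientId"] = "example-client-id"
FILLED["DiscoveryUrl"] = ("https://connect.myinwebo.com/11111111-2222-3333-4444-555555555555"
                          "/.well-known/openid-configuration")

if __name__ == "__main__":
    print(validate_custom_control(TEMPLATE))   # placeholder AppId and ClientId reported
    print(validate_custom_control(FILLED))     # []
    print(authentication_url_ok("https://ult-inwebo.com/authentication-oidc/va"))
```

Pass the "Id" and "Name" values of the custom controls already listed under "Custom controls (preview)" as existing_ids and existing_names so the uniqueness rule above is enforced against the real tenant rather than only within the one document.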


Note that the associated secure site is automatically created after OIDC Azure AD connector creation (in Secure sites tab).

A specific and mandatory secure site configuration applies to the Azure AD secure site generated as of April 15, 2021 (see below).

Create a second secure site of “OIDC Azure AD” type with the following parameters:

The Called URL parameter has to be set to https://www.ult-inwebo.com/authentication-oidc/va (this example uses the va page).

Step 2: Creating a new custom control in Azure AD

To add inWebo multi-factor authentication you have to create and configure an Azure AD custom control.

  • As an Administrator, access your Microsoft Azure AD tenant with the Microsoft Azure Portal.

  • Select "More Services", browse to "Identity" category and select "Azure AD Conditional Access".

  • Select "Custom controls (preview)" in the Conditional Access menu.

  • Click on the "+" at the top of the displayed page, next to "New Custom Control”.

  • Delete the existing code displayed and paste the JSON code provided by inWebo (see “Step 1: Creating a new inWebo Azure AD connector” above).

  • Click on "Create".

Step 3: Creating a new conditional access policy in Azure AD

You can control how authorized users can access your cloud apps. The objective of a conditional access policy is to enforce additional access controls when a user attempts to access a cloud app, depending on how the access attempt is performed.

  • From the Microsoft Azure Portal, go to Azure Active Directory > Security > Conditional Access.

  • Go to "Policies" in the left menu.

  • Click on the "+ New policy".

  • Name your new policy, e.g. "inWebo Authentication".

  • Assign impacted Users groups following your own specifications.
    (When testing it is recommended to not apply this policy on your own Administrator. Test it on a limited group of users at first to verify your authentication mechanism).

  • Assign impacted apps following your own specifications.

  • Under the "Access controls" section, select "Grant".

  • At the top of the displayed page, select "Grant access".

  • In the check-list:

    • Make sure "Require multi-factor authentication" is not checked (this is Microsoft MFA).

    • Scroll down and select the custom control ID you have created ("RequireInWeboMfa" in our example).

  • Click on “Select”.

  • Set the "Enable Policy" parameter to On.

  • Click on “Create” to save the new policy.
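The policy built in Step 3 has a few settings that decide whether inWebo MFA is actually enforced: the custom control must be the selected grant control, Microsoft's own "Require multi-factor authentication" must stay unchecked (otherwise, with the default "Require one of the selected controls" behaviour, a user could satisfy the policy without inWebo), the policy must be enabled, and during the pilot it should target a limited group while excluding the administrator account used for testing. The script below is an added example, not code from inWebo or Microsoft; it assumes the policy is written in the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users, conditions.applications, grantControls with builtInControls and customAuthenticationFactors), and the group, app and user identifiers are constructed placeholders.

```python
# Added example, not from the inWebo documentation: build the Step 3 policy as a
# Graph-shaped document (assumption) and lint it before switching it on.
import copy

CUSTOM_CONTROL_ID = "RequireInWeboMfa"   # control Id created in Step 2
MICROSOFT_MFA = "mfa"                    # Graph built-in control for Microsoft MFA (assumption)


def build_policy(name, pilot_group_ids, app_ids, excluded_admin_ids, enabled=True):
    """Policy the page describes: pilot groups, selected apps, inWebo custom control only."""
    return {
        "displayName": name,
        "state": "enabled" if enabled else "disabled",
        "conditions": {
            "users": {
                "includeGroups": list(pilot_group_ids),
                "includeUsers": [],
                "excludeUsers": list(excluded_admin_ids),   # keep the testing admin out
            },
            "applications": {"includeApplications": list(app_ids)},
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],                        # Microsoft MFA stays unchecked
            "customAuthenticationFactors": [CUSTOM_CONTROL_ID],
        },
    }


def lint_policy(policy, expected_control=CUSTOM_CONTROL_ID):
    """Return findings that would make the inWebo policy ineffective or risky (empty = OK)."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled (Enable Policy must be On)")
    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    if not (users.get("includeGroups") or users.get("includeUsers")):
        findings.append("no users or groups assigned")
    if "All" in (users.get("includeUsers") or []) and not users.get("excludeUsers"):
        findings.append("applies to all users with no excluded administrator account")
    apps = conditions.get("applications") or {}
    if not apps.get("includeApplications"):
        findings.append("no cloud apps assigned")
    grant = policy.get("grantControls") or {}
    if expected_control not in (grant.get("customAuthenticationFactors") or []):
        findings.append(f"custom control {expected_control!r} is not selected")
    if MICROSOFT_MFA in (grant.get("builtInControls") or []):
        findings.append("'Require multi-factor authentication' (Microsoft MFA) is checked")
    return findings


# Constructed identifiers (placeholders, not real tenant objects).
GOOD_POLICY = build_policy(
    "inWebo Authentication",
    pilot_group_ids=["pilot-group-guid-placeholder"],
    app_ids=["app-guid-placeholder"],
    excluded_admin_ids=["testing-admin-guid-placeholder"],
)

# The same policy with the two mistakes the page warns about.
BAD_POLICY = copy.deepcopy(GOOD_POLICY)
BAD_POLICY["state"] = "disabled"
BAD_POLICY["grantControls"]["builtInControls"].append(MICROSOFT_MFA)

if __name__ == "__main__":
    print(lint_policy(GOOD_POLICY))   # []
    print(lint_policy(BAD_POLICY))
```

The same checks apply to a policy exported from the portal; the point is to catch "Microsoft MFA checked alongside the custom control" and "policy left off" before the pilot group is told to test.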

Additional references

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/controls
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions