    Appendix D. Using Microsoft Entra ID as an external identity provider for Sentinet Management Console authentication

    1. Use the Azure Portal (https://portal.azure.com) to create an enterprise application.

    2. Go to the Microsoft Entra ID resource (navigate from the leftmost menu).

    3. Go to the Manage\Enterprise applications pane.

    4. Go to Manage\All applications pane.

    5. Click + New application menu.

    6. Click + Create your own application menu.

    7. In the right pane, enter the application name and click Create button.

      (Screenshot: Create your own application)

    8. In the newly created enterprise application pane, go to Manage\Single sign-on pane.

    9. Click on the SAML single sign-on method card.

      (Screenshot: Single sign-on)

    10. Click the Edit button in the Basic SAML Configuration section.

    11. In the right pane, add Identifier (Entity ID): click the Add identifier link and enter the value into a text box. For simplicity, we recommend using the Sentinet URL as an identifier.

    12. Add Reply URL (Assertion Consumer Service URL): click the Add reply URL link and enter the value into a text box. The value must be the absolute URL to the Sentinet root folder.

      (Screenshot: Basic SAML Configuration)

    13. Click the Save button and close the right pane by clicking on X in the top-right corner.

    14. Review the application settings.

      (Screenshot: SAML-based Sign-on)

      a. From the SAML Certificates section, capture the token signing certificate Thumbprint. Also download the signing certificate (either Base64 or Raw) and place it in the Sentinet Repository server's Local Machine\Trusted Root CA certificate store. You may instead disable certificate validation on the Sentinet side if you don't want to deal with the certificate store, but this is not recommended.

      b. From the SAML Certificates section, download and review Federation Metadata XML. Capture the token endpoint address from the <SecurityTokenServiceEndpoint/> element. Review the available claims in the <ClaimTypesOffered/> element.
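      To make step 14 repeatable, here is an added Python example (not part of the Sentinet documentation or product) that pulls the three values needed for web.config out of a Federation Metadata XML document: the token endpoint address from <SecurityTokenServiceEndpoint/>, the signing certificate thumbprint (SHA-1 over the certificate's DER bytes, which is the value the portal displays), and the claim types in <ClaimTypesOffered/>. The metadata sample is constructed with a zero tenant id and a stand-in certificate body; run it against the real download by passing the file contents to parse_federation_metadata.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs used by WS-Federation metadata documents.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsa": "http://www.w3.org/2005/08/addressing"}
# Constructed stand-in for the certificate's DER bytes: SHA-1("abc") is a published
# test vector, so the expected thumbprint is known without embedding a real certificate.
FAKE_DER = b"abc"
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed tenant id

# Constructed, abbreviated sample with the element layout of FederationMetadata.xml.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <fed:ClaimTypesOffered xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"/>
      <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/objectidentifier"/>
    </fed:ClaimTypesOffered>
    <fed:SecurityTokenServiceEndpoint><EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>https://login.microsoftonline.com/{TENANT}/wsfed</Address>
    </EndpointReference></fed:SecurityTokenServiceEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

def thumbprint(der):
    """Azure Portal shows the SHA-1 digest of the certificate's DER encoding as upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()

def parse_federation_metadata(xml_text):
    """Return (token endpoint, signing thumbprints, offered claim URIs) to copy into web.config."""
    root = ET.fromstring(xml_text)
    endpoint = root.findtext("md:RoleDescriptor/fed:SecurityTokenServiceEndpoint/"
                             "wsa:EndpointReference/wsa:Address", namespaces=NS)
    certs = root.iterfind("md:RoleDescriptor/md:KeyDescriptor[@use='signing']/"
                          "ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    # The base64 body may be wrapped across lines; strip whitespace before decoding to DER.
    thumbprints = [thumbprint(base64.b64decode("".join(c.text.split()))) for c in certs]
    claims = [c.get("Uri") for c in root.iterfind(
        "md:RoleDescriptor/fed:ClaimTypesOffered/auth:ClaimType", namespaces=NS)]
    return endpoint.strip(), thumbprints, claims
```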

    15. Open and modify the Sentinet Repository web.config as advised below.

    16. Disable Forms authentication:

      /configuration/system.web/authentication[@mode="None"]
      
    17. Enable WS-Federation and Session Authentication Modules by uncommenting the elements:

      /configuration/system.webServer/modules/add[@name="WSFederationAuthenticationModule"]
      
      and
      
      /configuration/system.webServer/modules/add[@name="SessionAuthenticationModule"]
      
    18. Uncomment the <trustedIssuers> section and add the trusted token issuer under /configuration/system.identityModel/identityConfiguration/issuerNameRegistry:

      <trustedIssuers>
        <add name="AzureAD" thumbprint="<thumbprint of the signing certificate>" />
      </trustedIssuers>
      
    19. To control how the token issuing certificate is validated (or to disable validation completely), update the element /configuration/system.identityModel/identityConfiguration/certificateValidation. Note that certificateValidationMode="None", as shown below, disables validation of the signing certificate, which step 14a advises against; with the certificate placed in the Local Machine\Trusted Root CA store as described there, a validating mode such as ChainTrust can be used instead:

      <certificateValidation revocationMode="NoCheck" trustedStoreLocation="LocalMachine"
          certificateValidationMode="None"/>
      
    20. Add the trusted token audience under /configuration/system.identityModel/identityConfiguration:

      <audienceUris mode="Always">
        <add value="<entity identifier>"/>
      </audienceUris>
      
    21. Enable WS-Passive Federation authentication by uncommenting and updating the element /configuration/system.identityModel.services/federationConfiguration/wsFederation:

      <wsFederation passiveRedirectEnabled="true" freshness="36000"
        issuer="<token endpoint address>"
        realm="<entity identifier>"
        reply="<Sentinet Repository root URL/Reply URL>" />
      
    22. Specify the claim type to be used for user matching by updating the element /configuration/nevatech.vsb.repository/security/claimsAuthentication:

      <claimsAuthentication claimType="<claim type>" claimIssuer="AzureAD"/>

      Typical claim types are:

      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
      • http://schemas.microsoft.com/identity/claims/objectidentifier
      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      • http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

    23. The summarized configuration changes are shown below:

      <configuration>
        <system.web>
          <authentication mode="None" />
        </system.web>
        <system.webServer>
          <modules>
            <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
            <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
            ...
          </modules>
        </system.webServer>
        <system.identityModel>
          <identityConfiguration>
            <certificateValidation revocationMode="NoCheck" trustedStoreLocation="LocalMachine"
                certificateValidationMode="None"/>
            <issuerNameRegistry type="Nevatech.Vsb.Repository.Security.CustomIssuerNameRegistry, Nevatech.Vsb.Repository, Version=6.0.0.0, Culture=neutral, PublicKeyToken=f35d905149dcb6c0">
              <trustedIssuers>
                <add name="AzureAD" thumbprint="<thumbprint of the signing certificate>" />
              </trustedIssuers>
            </issuerNameRegistry>
            <audienceUris mode="Always">
              <add value="https://localhost/sentinet/"/>
            </audienceUris>
            ...
          </identityConfiguration>
        </system.identityModel>
        <system.identityModel.services>
          <federationConfiguration>
            <wsFederation passiveRedirectEnabled="true" freshness="36000"
                requireHttps="true"
                issuer="<token endpoint address>"
                realm="https://localhost/sentinet/"
                reply="https://localhost/sentinet/" />
          </federationConfiguration>
        </system.identityModel.services>
        <nevatech.vsb.repository>
          <security>
            <claimsAuthentication
                claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
                claimIssuer="AzureAD"/>
          </security>
        </nevatech.vsb.repository>
      </configuration>
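      A consistency check over the finished web.config, as an added Python example (not part of the Sentinet documentation or product): it parses a constructed minimal web.config that mirrors the edits of steps 16 to 22 (fake host name and thumbprint, module type attributes abbreviated) and reports the mismatches that most often break or weaken a WS-Federation setup: Forms authentication left on, a missing module, a malformed issuer thumbprint, a realm that is not an accepted audience, a claimIssuer that names no trusted issuer, and certificateValidationMode="None".

```python
import re
import xml.etree.ElementTree as ET

REALM = "https://sentinet.example/sentinet/"  # constructed Sentinet root used as Entity ID

def sample_config(validation="ChainTrust", audience=REALM, thumbprint="AB" * 20):
    """Constructed minimal web.config with the edits of steps 16 to 22 (fake values, type attributes abbreviated)."""
    return f"""<configuration>
  <system.web><authentication mode="None"/></system.web>
  <system.webServer><modules><add name="WSFederationAuthenticationModule" type="..."/>
    <add name="SessionAuthenticationModule" type="..."/></modules></system.webServer>
  <system.identityModel><identityConfiguration>
    <certificateValidation revocationMode="NoCheck" trustedStoreLocation="LocalMachine" certificateValidationMode="{validation}"/>
    <issuerNameRegistry><trustedIssuers><add name="AzureAD" thumbprint="{thumbprint}"/></trustedIssuers></issuerNameRegistry>
    <audienceUris mode="Always"><add value="{audience}"/></audienceUris>
  </identityConfiguration></system.identityModel>
  <system.identityModel.services><federationConfiguration>
    <wsFederation passiveRedirectEnabled="true" freshness="36000" requireHttps="true"
      issuer="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/wsfed" realm="{REALM}" reply="{REALM}"/>
  </federationConfiguration></system.identityModel.services>
  <nevatech.vsb.repository><security>
    <claimsAuthentication claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" claimIssuer="AzureAD"/>
  </security></nevatech.vsb.repository>
</configuration>"""

def check_web_config(xml_text):
    """Cross-check the WS-Federation settings; an empty list means no inconsistency was found."""
    root, findings = ET.fromstring(xml_text), []
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode") != "None":
        findings.append("authentication mode is not None, so Forms authentication still handles sign-in")
    modules = {m.get("name") for m in root.iterfind("system.webServer/modules/add")}
    for name in ("WSFederationAuthenticationModule", "SessionAuthenticationModule"):
        if name not in modules:
            findings.append(f"{name} is not registered under system.webServer/modules")
    idc = root.find("system.identityModel/identityConfiguration")
    if idc.find("certificateValidation").get("certificateValidationMode") == "None":
        findings.append("certificateValidationMode=None: the signing certificate is not validated against the store (step 14a advises against this)")
    issuers = {a.get("name"): a.get("thumbprint") or "" for a in idc.iterfind("issuerNameRegistry/trustedIssuers/add")}
    for name, tp in issuers.items():
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", tp):
            findings.append(f"trusted issuer {name!r} has a malformed SHA-1 thumbprint: {tp!r}")
    audiences = {a.get("value") for a in idc.iterfind("audienceUris/add")}
    wsfed = root.find("system.identityModel.services/federationConfiguration/wsFederation")
    if wsfed.get("realm") not in audiences:
        findings.append("wsFederation realm is not listed under audienceUris, so tokens issued for it fail audience validation")
    if root.find("nevatech.vsb.repository/security/claimsAuthentication").get("claimIssuer") not in issuers:
        findings.append("claimsAuthentication claimIssuer does not match any trustedIssuers entry")
    return findings
```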
      
    24. Test the solution by navigating to the Sentinet Repository root. You should be redirected to the Entra ID login page and, after successful authentication, redirected back to the Sentinet "Access denied" page (expected at this point, because the authenticated user's claim is not yet mapped to a Sentinet user).

    25. Review the authenticated user's available claims by navigating to the <Sentinet root>/whoami.aspx page. The value of the selected user identifier claim is highlighted in green. Copy the claim's value.

    26. (!) The following steps assume you have access to Sentinet via different means or through an already configured administrative account with a mapped external identity claim. If you don't, the above configuration should be rolled back to Forms authentication.

      Create a new user or select an existing user that needs to be able to authenticate with an Entra ID identity.

    27. Above the "User identities" grid, click "+ Add" to add new identity.

    28. In the "Add Identity" dialog, select "Claim" and click "Next".

    29. Type the previously captured user identity claim value into the "Claim Value" text box and click "Finish".

    30. Click the "Save" button to save the user changes.

      (Screenshot: Add identity)

    Useful Links

    https://chris.59north.com/post/Configuring-an-ASPNET-site-to-use-WS-Federation

    https://medium.com/the-new-control-plane/using-an-azure-ad-enterprise-application-via-ws-federation-6f20751392ba

    Nevatech Sentinet 6.7 Online Documentation