Hi,

I would like to use SAML authentication on the captive portal to allow staff to 
register via MFA. From my understanding I need to obtain the username in a 
format that I can look up in the AD user authentication source.

The default username attribute in Packet Fence is 
'urn:oid:0.9.2342.19200300.100.1.1' but this doesn't work when I set Azure to 
return the on-premises AD account name.

My Google-fu appears to be failing me in finding a reference for what I should 
set in PF for 'user.onpremisessamaccountname'.

I found references in an alternative format, such as: 
'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName' but I 
don't even appear to be able to type anything into the UI:

When I click anywhere else it again displays the default...

Any idea?

The default Azure AD Single Sign-On SAML reply token is as follows:
In this Azure tenant the email address would be something like 
'j...@company.com'

I subsequently changed the Name identifier format to 'Windows domain qualified 
name' and the source attribute to 'user.onpremisessamaccountname':
In this Azure tenant the sAMAccountName would be something like 'joe.doe'


Herewith speed notes on what we did:
    Azure AD
      AzureAD Tenant Name (eg 'Company') \ Enterprise applications
        New application
          Create your own application
            Name  : PacketFence
            Option: Integrate any other application you don't find in the gallery (Non-gallery)
          Manage
            Properties
              Visible to users? : No
            Users and groups
              Add group         : eg 'Company staff member'
            Single sign-on
              SAML
                SAML Signing Certificate
                  Retrieve Certificate (Base64) : Save as /usr/local/pf/conf/ssl/azuread-company-idp.crt
                  Retrieve XML                  : Save as /usr/local/pf/conf/saml-azuread-metadata.xml
                Basic SAML Configuration
                  Identifier (Entity ID)                     : https://pf.company.com
                  Reply URL (Assertion Consumer Service URL) : https://pf.company.com/saml/assertion
    Create private key and certificate (for PacketFence as an Azure AD client):
      cd /usr/local/pf/conf/ssl;
      openssl req -x509 -newkey rsa:4096 -keyout azuread-client.key -out azuread-client.pem -days 1825 -nodes;
        # Common Name (e.g. server FQDN or YOUR name) [] : pf.company.com
      chown pf:pf azuread-*;
      chmod 664 azure*;   # note: 664 leaves azuread-client.key world-readable; 640 limits it to the pf user and group
    Azure AD
      AzureAD Tenant Name (eg 'Company') \ Enterprise applications
        PacketFence
          Security
            Token encryption
              Import Certificate (/usr/local/pf/conf/ssl/azuread-client.pem)
              Select imported certificate, then 'Activate token encryption'
    PacketFence \ Configuration \ Policies and Access Control \ Authentication Sources
      New internal source - SAML
        Name                                     : companyad_azure_users
        Description                              : Company Azure AD - Users
        Service Provider entity ID               : https://pf.company.com
        Path to Service Provider key (x509)      : /usr/local/pf/conf/ssl/azuread-client.key
        Path to Service Provider cert (x509)     : /usr/local/pf/conf/ssl/azuread-client.pem
        Identity Provider entity ID              : https://sts.windows.net/afc2f870-1eaf-4192-8ff8-cdba06632214/   # Random documentation UUID, not real
        Path to Identity Provider metadata       : /usr/local/pf/conf/saml-azuread-metadata.xml
        Path to Identity Provider cert (x509)    : /usr/local/pf/conf/ssl/azuread-company-idp.crt
        Path to Identity Provider CA cert (x509) : /usr/local/pf/conf/ssl/azuread-company-idp.crt
        Username Attribute                       : urn:oid:0.9.2342.19200300.100.1.1
        Authorization source                     : companyad_users
        View Service Provider Metadata
          entityID     : https://pf.company.com                 # This is where the information for the Basic SAML 'Identifier' comes from
          AssertionURL : https://pf.company.com/saml/assertion  # This is where the information for the Basic SAML 'Reply URL' comes from

    Packet Fence \ Configuration \ Network Configuration \ Networks \ Fencing
      Passthrough Domains:
        aadcdn.msauth.net,aadcdn.msftauth.net,in.appcenter.ms,login.live.com,login.microsoftonline.com,login.windows.net,mobileappcommunicator.auth.microsoft.com,sts.windows.net


Regards
David Herselman
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
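As an added illustration (not part of the original message, and not PacketFence's own code), the following Python parses a constructed Azure-style SAML response and shows why the default 'urn:oid:0.9.2342.19200300.100.1.1' username attribute matches nothing once the tenant returns a Windows domain qualified NameID; the claim names in the sample and the attribute-then-NameID fallback are this example's assumptions.

```python
"""Inspect a SAML response to see which identifier PacketFence's
"Username Attribute" could match. Constructed sample, not a real token."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
WDQN = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
PF_DEFAULT_ATTR = "urn:oid:0.9.2342.19200300.100.1.1"   # PacketFence default (uid)

# Constructed sample resembling a response after the NameID format was
# switched to 'Windows domain qualified name'. Signature omitted on purpose:
# a real deployment must verify it before trusting any value below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">COMPANY\\joe.doe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>joe.doe@company.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Return (NameID value, NameID format, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)   # stdlib expat does not fetch external entities
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return nameid.text, nameid.get("Format"), attrs


def resolve_username(xml_text, username_attribute):
    """Pick the value an AD lookup would use and report where it came from.
    The fallback order is this example's own, not PacketFence's: configured
    attribute first, otherwise NameID, with DOMAIN\\ stripped so that a
    WindowsDomainQualifiedName reduces to the bare sAMAccountName."""
    value, fmt, attrs = parse_response(xml_text)
    if username_attribute in attrs:
        return attrs[username_attribute][0], "attribute:" + username_attribute
    if fmt == WDQN and "\\" in value:
        value = value.split("\\", 1)[1]
    return value, "nameid:" + (fmt or "unspecified")
```

Run `parse_response(SAMPLE_RESPONSE)[2].keys()` against a captured response to list the attribute names the IdP actually sends before choosing the PacketFence setting.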