Microsoft Azure AD connector

This documentation refers to the Microsoft Azure Active Directory (Azure AD) integration. It explains how to protect your Azure AD applications with inWebo MFA. The inWebo Azure AD connector uses OpenID Connect.

Prerequisites

• Azure Directory account at a Premium level (P1 or P2)

• An inWebo account (could be a Trial Account)

• Register with inWebo to enable the inWebo Azure AD connector in your tenant

Configuring inWebo MFA to protect Azure AD

Azure AD uses the UPN (UserPrincipalName) attribute as a login for the authentication process. To communicate with inWebo, this requires the inWebo user logins to be in UPN format (e.g. nom.prenom@domain.dom). Please be careful when choosing the inWebo login to use for the exchange with Azure AD (see “Login type” parameter below).

Step 1: Creating a new inWebo Azure AD connector

• Connect as administrator to the inWebo administration console.

• Go to “Secure Sites” section.

• Choose to create a connector of type “OIDC Azure AD”.

• Fill in the fields to create your inWebo Azure AD Connector:

  

Connector name → Enter a chosen name / information to define the connector's goal in the administration console. The name of the connector will be used to create the secure site, so it will appear in the authentication context sentence.

Client ID → Enter the client ID. It allows the junction between the inWebo connector and the Azure AD custom control (when creating the custom control, the ClientID is mentioned in the JSON code).

Login Type → Select the login type to use during Azure AD user authentication process: user login, login 2 and user email.

Azure AD uses the UPN (UserPrincipalName) attribute as a login for the authentication process. To communicate with inWebo, this requires the inWebo user logins to be in UPN format (e.g. nom.prenom@domain.dom). The login type value must match the Azure AD UPN value.

• If the inWebo user logins match the Azure AD UPN, we suggest you to choose "login type= user login".

• If the inWebo user logins do not match the Azure AD UPN:

  • Option 1: Change the format of the inWebo users logins
    If it is still possible and without impact, we recommend that you change the format of your inWebo users logins to match the Azure AD UPN.

  • Option 2 (if option 1 is not possible): Use another inWebo login type (login 2 or user email)

    • “login 2”: the inWebo User emails must match the Azure AD UPN. Enter the UPN value in the “login 2 field” of user properties.
      Optional: the login 2 field is supported from IWDS 2.4. Please check your IWDS version. Then you should to edit the LDAP IWDS settings tab to associate the login 2 field with the value "userprincipalname". Once done, launch a synchronization so that all users have their login 2 field updated and usable for the inWebo Azure AD connector. See IWDS documentation

    • "user mail": the inWebo User emails must match the Azure AD UPN for all the users.
      Optional: if you are not sure that your AD users mails match the UPN format, edit the LDAP IWDS settings tab to associate the mail field with the value "userprincipalname” - See IWDS documentation

As there is no uniqueness constraint, several inWebo users can have the same email. If an email is associated to several inWebo user accounts, InWebo won’t be able to choose a specific user account for the login included in the exchange from Azure AD. In this case, the synchronization between Azure AD and inWebo will block for all affected user accounts. It is recommended to export the list of users from the administration console and check by sorting that there are no duplicates.

Client Secret → It is not used for the Azure AD connector (this value is defined for OpenID Connect standards).

Authentication URL → Select the default authentication method you have decided to provide to your users when accessing your secure content. Possible authentication page used by inWebo Azure AD connector:

• Helium - https://ult-inwebo.com/authentication-oidc/helium

• Virtual Authenticator (VA) - https://ult-inwebo.com/authentication-oidc/va - Note that Virtual Authenticator will be the first authentication option presented to users. They still can choose another authentication method, such as push to Authenticator (mobile/desktop) or OTP entry.

• mAccess Web - https://ult-inwebo.com/authentication-oidc/neon

• inWebo Authenticator App https://ult-inwebo.com/authentication-oidc/authenticator - Note that only Authenticator (mobile/desktop) will be presented to users as an authentication method

Client applications (mobile apps & desktop clients) and Web applications

For client applications, we do not recommend using Virtual Authenticator (VA) authentication method.

(examples of client applications: Outlook for windows/IOS/Android, Teams, native IOS/Android mail client)

• Why? The VA authentication method enrolls a web browser. When using VA for a client application, the enrolled web browser is actually a WebView embedded in the application.

→ the WebView evolution (the emulated browser type, compatibility, versions) in the application is unknown and not documented by the third party vendor.

→ a client application enrollment will not always be used by another application (meaning that each application will have to be enrolled).

• How to configure client and web applications with inWebo Azure AD connector? In order to have an optimal user experience of the inWebo Azure AD connector on both client and web applications, we recommend to create two connectors with different authentication URL settings. Then you should configure two policies in Azure AD to get a different authentication scenario depending on the application type (client or web app). Please, read the following documentation to know how to proceed → Specific Azure AD configurations for client apps and web apps

Custom claims → Check that the claim keys and values are present: InWeboMFa - Static value - MfaDone.

• Click on Add to create the Azure AD connector.

• A connector alias, a secure site alias and a discovery URL have been automatically generated. These elements are displayed on the top of the connector properties.

• Click on “Display json code for Azure custom control” at the bottom of the connector properties.

• Copy the json code: it should be used for Azure AD custom control (see “Step 2: Creating a new custom control in Azure AD” below).

{
  "Name": "Name of your AZURE service",
  "AppId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "ClientId": "xxxx openId client identifier xxxx",
  "DiscoveryUrl": "https://connect.myinwebo.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/.well-known/openid-configuration",
  "Controls": [
    {
      "Id": "RequireInWeboMfa",
      "Name": "RequireInWeboMfa",
      "ClaimsRequested": [
        {
          "Type": "InWeboMfa",
          "Value": "MfaDone",
          "Values": null
        }
      ],
      "Claims": null
    }
  ]
}

The "Id": "RequireInWeboMfa" and "Name": "RequireInWeboMfa" fields must be unique. They must not be used by other "custom control" mechanisms.
However, you can change the "Name" field to "RequireInWeboMfa service name"for a more meaningful display by adding the name of the related inWebo service for Azure AD.

Note that the associated secure site is automatically created after OIDC Azure AD connector creation (in Secure sites tab).

Step 2: Creating a new custom control in Azure AD

To add inWebo multi-factor authentication you have to create and configure an Azure AD custom control.

• As an Administrator, access your Microsoft Azure AD tenant with the Microsoft Azure Portal.

• Select "More Services", browse to "Identity" category and select "Azure AD Conditional Access".

• Select "Custom controls (preview)" in the Conditional Access menu.

  

• Click on the "+" at the top of the displayed page, next to "New Custom Control”.

• Delete the existing code displayed and paste the inWebo Json code provided by inWebo (see “Step1: Creating a new inWebo Azure AD connector” above).

  

• Click on "Create".

Step 3: Creating a new conditional access policy in Azure AD

You can control how authorized users can access your cloud apps.
The objective of a conditional access policy is to enforce additional access controls when a user attempts to access a cloud app, depending on how the access attempt is performed. You can control how authorized users can access your cloud apps.

• From the Microsoft Azure Portal, go to Azure Active Directory > Security > Conditional Access.

  

• Go to "Policies" in the left menu and click on "+ New policy".

  

• Name your new Policy i.e "inWebo policy"

• Assign impacted Users groups following your own specifications.

  

When testing it is recommended to not apply this policy on your own Administrator. Test it on a limited group of users at first to verify your authentication mechanism.

• Assign impacted apps following your own specifications.

  

• Under the "Access controls" section, select "Grant".

• At the top of the displayed page, select "Grant access".

• In the check-list,

  • Make sure "require Multi-factor authentication" is not checked (this is Microsoft MFA),

  • Scroll down and select the custom control ID you have created ("RequireInWeboMfa" in our exemple).

• Click on “Select”.

• Set the "Enable Policy" parameter to On.

• Click on “Create” to save the new policy.

Additional references

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/controls
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions