Microsoft Entra ID

Microsoft Entra ID accepts only HTTPS endpoints, so follow the steps described in Enabling HTTPS to enable HTTPS on MetaDefender Core before continuing.

Entra ID - Using SAML 2.0

Register a new application on Azure

  1. Access the Azure portal and log in.
  2. On the Home page, select Microsoft Entra ID under Azure services.
  3. Select Enterprise applications on the left sidebar.
  4. On the All applications page, hit New application.
  5. On the Browse Azure AD Gallery page, search for "Microsoft Entra SAML Toolkit" and hit Microsoft Entra SAML Toolkit in the result panel.
  6. Fill in Name, MDCore-SAML for example, and hit Create on the right sidebar.
  7. Navigate to Single sign-on on the left sidebar and hit SAML.
  8. In the SAML Certificates section, hit the copy button at the far right of App Federation Metadata Url and store the value as metadata_uri.
  9. Navigate to Users and groups on the left sidebar and hit Add user/group.
  10. On the Add Assignment screen, hit None Selected, add the users who are allowed to log in to the app, then hit Select on the right panel.
  11. Finally, hit Assign to complete.

Create SAML directory on MetaDefender Core

  1. Log in to the MetaDefender Core management console.
  2. On the dashboard, hit User Management in the sidebar.
  3. On the User Management page, choose the Directories tab and hit Add directory on the top right.
  4. On the Add Directory page, choose SAML as Directory Type, fill in a Name for the new directory, MDCore-SAML for example, and hit Fetch URL.
  5. Paste the URI stored in metadata_uri into the box under Fetch URL, then hit OK so that MetaDefender Core fetches the federation metadata and sets Microsoft Entra ID as its IdP.
  6. Under the Service Provider section, fill in the Host or IP where MetaDefender Core is hosted, https://127.0.0.1:8008 in this example.
  7. Copy the Login URL and store it as reply_uri for the steps below.

Complete configuration on Entra ID

  1. Switch back to Microsoft Entra ID; on the SAML-based Sign-on page, navigate to Basic SAML Configuration and hit Edit on the top right.
  2. Navigate to Identifier (Entity ID) on the right sidebar, hit Add identifier, then fill in a unique ID that identifies MDCore, MDCore-SAML for example. Store the value as identifier.
  3. Navigate to Reply URL (Assertion Consumer Service URL), hit Add reply URL, fill in the URI stored in reply_uri in the newly created box, then hit Save.
  4. Navigate to Attributes & Claims, then hit Edit.
  5. On the Attributes & Claims page, navigate to Additional claims and click an item under Claim name to change its name.
  6. Change the claim Name, set Namespace empty and hit Save. In this example the claim name is changed to given_name, which is used later to identify the logged-in user on MetaDefender Core.

If the attribute and claim names provided by Azure are already suitable, it is recommended to use them directly, namespace included, to identify the logged-in user in MetaDefender Core.

Complete configuration on MetaDefender Core

  1. Switch back to MDCore; under Service Provider, select Use custom entity ID and paste the value stored in identifier, MDCore-SAML in this example.
  2. Fill in the user identity under User identified by; ${given_name} is used in this example.

If the namespace was not removed from the claim name in step 6 of the previous section, the full claim name including the namespace must be used here to build the user identification.

For example, if the claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name is added to Entra ID, then ${http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name} must be used by MetaDefender Core to build up the user identification. The placeholder must match the attribute Name exactly as it appears in the SAML assertion.

  3. Select the correct role for the user under User Role.
  4. Hit Add to complete the settings.
  5. On the User Management screen of MDCore, toggle on the new directory, MDCore-SAML in this example. A dialog box asks you to confirm the action. Once Enable is hit, all existing sessions expire immediately.
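The two places where this integration usually breaks are the metadata fetched from metadata_uri (step 5 of Create SAML directory) and the claim name used in User identified by (step 2 above). The following is an added example, not MetaDefender Core's own code or OPSWAT's implementation: it parses a federation metadata document the way a service provider must (entityID, signing certificate, SSO endpoints), then resolves a `${claim}` template against the attributes of a SAML assertion, showing why a claim left under its namespace needs the full URI in the template. Everything is standard-library Python; the tenant ID, metadata document and assertion are constructed samples, and the template expansion is an assumption about how such a placeholder is resolved, not MDCore's implementation.

```python
# Added example (not MetaDefender Core's own code): inspect what the App Federation
# Metadata Url returns and resolve a "User identified by" template against the
# attributes of a SAML assertion. Standard library only; the tenant ID, metadata
# and assertion below are constructed samples.
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant

# Constructed, trimmed copy of an Entra ID federation metadata document.
IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC0constructedCertificateBody</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed assertion: one claim renamed to given_name with an empty namespace
# (step 6 of Complete configuration on Entra ID), one left under its namespace.
ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="given_name">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Extract what a service provider needs from IdP metadata: the entityID
    (expected Issuer of assertions), signing certificates and SSO endpoints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a use attribute is valid for signing too.
        if kd.get("use", "signing") == "signing":
            certs += [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS)]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if not certs:
        raise ValueError("no signing certificate: assertion signatures could not be verified")
    if not sso:
        raise ValueError("no SingleSignOnService endpoint")
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def parse_assertion(xml_text, expected_issuer):
    """Return {attribute Name: [values]} for an assertion whose Issuer is the
    configured IdP. Signature verification is deliberately omitted: a relying
    party must verify the assertion with the metadata signing certificate before
    trusting any attribute; this helper only shows which Names a template can use."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"assertion issuer {issuer!r} is not the configured IdP")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def resolve_identity(template, attrs):
    """Expand ${name} placeholders (assumed template syntax). The key must equal
    the attribute Name exactly, so a claim kept under its namespace has to be
    referenced by its full URI."""
    def substitute(match):
        name = match.group(1)
        values = attrs.get(name)
        if not values:
            raise KeyError(f"claim {name!r} not in assertion; available: {sorted(attrs)}")
        if len(values) != 1:
            raise ValueError(f"claim {name!r} is multi-valued; identity would be ambiguous")
        return values[0]
    return PLACEHOLDER.sub(substitute, template)
```

Fed a real assertion (the base64-decoded SAMLResponse form field captured in the browser), parse_assertion lists exactly the Name strings Entra ID sent; whatever appears there, namespace and all, is what belongs between `${` and `}`.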

Test the integration

  1. On the MetaDefender Core home screen, hit Login; the user is redirected to the Microsoft Entra ID login page.
  2. Log in with an account assigned to the app in Entra ID.
  3. If everything goes right, the MetaDefender Core dashboard is displayed with the user identity at the top right corner.
  4. Otherwise, go back to the local login page at <mdcore-host>#/public/backuplogin for troubleshooting.

Set up pseudo IdP-initiated SSO

Microsoft Entra ID does not support IdP-initiated SSO in the same way as other identity providers. Its User access URL opens the sign-on page of the SP, which then starts the SSO login, so the flow is effectively SP-initiated.

  1. Log in to the Azure management page.
  2. In the Azure services section, hit Microsoft Entra ID.
  3. On the left sidebar, click Enterprise applications.
  4. Pick the application created earlier, MDCore-SAML in this example, from the list of enterprise applications.
  5. Select Single sign-on on the left sidebar, navigate to the Basic SAML Configuration section and hit Edit on the top right of the section.
  6. In the Basic SAML Configuration right sidebar, insert the MetaDefender Core Login URL into the field under Sign on URL.
  7. Hit Save to complete.

Test IdP-initiated SSO

  1. Log in to the Azure management page.
  2. In the Azure services section, hit Microsoft Entra ID.
  3. On the left sidebar, click Enterprise applications.
  4. Pick the application created earlier, MDCore-SAML in this example, from the list of enterprise applications.
  5. Navigate to the Properties tab.
  6. Copy the URL next to User access URL.
  7. Paste the copied URL into a browser and log in.
  8. If everything goes right, the MDCore dashboard is shown with the user identity at the top right corner.
  9. Otherwise, go back to the local login page at <mdcore-host>#/public/backuplogin for troubleshooting.

Entra ID - Using OpenID Connect

Register a new application on Azure

  1. Access the Azure portal and log in.
  2. On the Home page, select Microsoft Entra ID under Azure services.
  3. Select App registrations under the Manage section on the left sidebar, then click New registration on the top menu bar.
  4. On the Register an application page, fill in a Name for the new application, "MDCore-OIDC" in this example, and hit Register to complete.
  5. Select Token configuration on the left sidebar, hit Add optional claim, choose ID on the right sidebar, enable the claims you need (given_name in this example) and hit Add at the bottom.
  6. Click Add on the popup to complete.

The enabled claims are used later by MetaDefender Core to identify the logged-in user.

Create OIDC directory on MetaDefender Core

  1. Log in to MetaDefender Core.
  2. On the dashboard, hit User Management in the sidebar.
  3. On the User Management page, choose the Directories tab and hit Add directory on the top right.
  4. On the Add Directory page, choose OIDC as Directory Type.
  5. Fill in a Name for the new directory, MDCore-OIDC for example.
  6. Under the Service Provider section, fill in the Host or IP where MDCore is hosted, https://127.0.0.1:8008 in this example.
  7. Copy the Login URL and store it for later use.

Complete configuration on Entra ID

  1. Back in Entra ID, on the MDCore-OIDC page, pick the Overview section on the left sidebar and click the Add a Redirect URI link to switch to the Authentication page.
  2. On the Authentication page, hit Add a platform and choose the Web option on the right sidebar.
  3. Fill in Redirect URIs with the Login URL copied from MDCore, enable the Access tokens option and hit Configure.
  4. Pick Overview on the left sidebar again, copy the string next to Application (client) ID and store it as client_id.
  5. Hit Endpoints on the top bar, copy the URI under OpenID Connect metadata document on the right sidebar and store it as metadata_uri.
  6. Pick Certificates & secrets on the left sidebar; on the Client secrets (0) tab, hit New client secret, fill in a secret Description, set Expires, then hit Add to complete.
  7. The new client secret appears on the Client secrets (1) tab; copy the string in the Value column and store it as client_secret.

Entra ID hides the client secret value completely once the Certificates & secrets page is left. Store the client secret in a safe place (a secrets manager, not a ticket or chat message), otherwise a new one has to be created. The secret stops working at the Expires date chosen above, so plan to rotate it in both Entra ID and MetaDefender Core before then.

Complete configuration on MetaDefender Core

  1. Switch to MDCore; under the Identity Provider section, hit Fetch URL, paste the metadata_uri gathered in the previous section into the box under Fetch URL and hit OK so that MetaDefender Core can set Microsoft Entra ID as its IdP.
  2. Under the Service Provider section, paste the client_id and client_secret gathered in the previous section into Client ID and Client secret respectively.
  3. Fill in the user identity under User identified by; ${given_name} is used in this example.
  4. Pick the Default role option and select the correct role for the user under User Role.
  5. Hit Add to complete the settings.
  6. On the User Management screen of MDCore, toggle on the new directory, MDCore-OIDC in this example. A dialog box asks you to confirm the action. Once Enable is hit, all existing sessions expire immediately.
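For the OIDC directory the equivalent checks are on the metadata document behind metadata_uri (step 1 above) and on whether the optional claim named in User identified by (step 3 above) is actually present in the ID token Entra ID issues. The following is an added example, not MetaDefender Core's own code or OPSWAT's implementation: it validates the fields a relying party depends on in the discovery document, decodes an ID token payload after checking issuer, audience and expiry, and reports which `${name}` placeholders the token cannot satisfy. Everything is standard-library Python; the tenant ID, client ID, discovery document and token are constructed, and the token's signature is a dummy, which is why the helper says plainly that it does not verify signatures.

```python
# Added example (not MetaDefender Core's own code): sanity-check the OpenID Connect
# metadata document stored as metadata_uri and inspect the claims Entra ID places
# in an ID token so a "User identified by" placeholder can be checked. Standard
# library only; tenant ID, client ID, discovery document and token are constructed.
import base64
import json
import re
import time

TENANT = "00000000-0000-0000-0000-000000000000"     # constructed placeholder tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # constructed client_id

# Constructed excerpt of the v2.0 openid-configuration document for that tenant.
DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "name", "preferred_username", "given_name"],
}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc):
    """List what would stop the document from being usable as an IdP; [] means OK."""
    problems = [f"missing {k}" for k in REQUIRED if k not in doc]
    problems += [f"{k} is not https" for k in REQUIRED if k in doc and not doc[k].startswith("https://")]
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "none" in algs or not any(a.startswith(("RS", "ES", "PS")) for a in algs):
        problems.append("ID tokens must be asymmetrically signed")
    return problems


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed ID token: realistic header and claims, deliberately dummy signature.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256", "kid": "constructed"}).encode()),
    _b64url_encode(json.dumps({
        "iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "sub": "constructed-subject",
        "iat": 1700000000, "exp": 4102444800, "given_name": "Alice",
    }).encode()),
    _b64url_encode(b"not-a-real-signature"),
])


def id_token_claims(token, expected_issuer, client_id, now=None):
    """Decode the ID token payload and check iss, aud and exp.
    The signature is NOT verified here: a relying party must verify it against
    the keys published at jwks_uri before trusting any claim. Use this only to
    see which claims Entra ID actually issued when a placeholder does not resolve."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg", "none").lower() == "none":
        raise ValueError("unsigned token")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} is not the configured IdP")
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch: token was issued to another client")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def missing_claims(template, claims, doc):
    """Placeholders written as ${name} (assumed template syntax) that the token
    does not carry, with a hint on whether enabling the optional claim under
    Token configuration would fix it."""
    problems = []
    for name in re.findall(r"\$\{([^}]+)\}", template):
        if name in claims:
            continue
        if name in doc.get("claims_supported", []):
            problems.append(f"{name}: offered by the IdP but absent from the token; enable it under Token configuration")
        else:
            problems.append(f"{name}: not a claim this IdP offers")
    return problems
```

Pasting a real ID token into id_token_claims (with the issuer from the fetched document and your client_id) shows whether given_name was actually issued; if missing_claims reports it as absent, the optional claim was not added on the Token configuration page, or was added to the access token instead of the ID token.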

Test the integration

  1. On the MetaDefender Core home screen, hit Login; the user is redirected to the Microsoft login page.
  2. Log in with the registered account.
  3. If everything goes right, the MDCore dashboard is shown with the user identity at the top right corner.
  4. Otherwise, go back to the local login page at <mdcore-host>#/public/backuplogin for troubleshooting.