Overview & Concepts
Building a Unified IAM Infrastructure
In large organizations, consolidating Identity and Access Management (IAM) systems from different vendors across various locations is a daunting and often impractical task. This is especially challenging for corporate groups and companies that frequently acquire new subsidiaries, resulting in fragmented information systems. Consolidation projects are typically long, costly, and rarely yield the expected results, leaving behind a mix of well-integrated systems and legacy systems that still need to function.
RCDevs addresses these challenges by offering a federated approach to IAM and Identity Provider (IdP) management. The RCDevs solution federates multiple IAM systems, integrating them into a cohesive meta-IAM platform. This top-level meta-IAM provides a unified view of all the underlying IAM systems, allowing seamless integration with cloud or on-premises services like email, VPNs, and OpenID Connect (OIDC). With this approach, there's no need for complex IdP cascading or password management, simplifying the IAM consolidation process.
For example, consider a corporate group, MyCorp, which has acquired two companies—one using Okta and the other using local Active Directory (AD) systems—while MyCorp itself uses Entra ID. RCDevs creates a meta-IAM that aggregates these disparate systems into a unified platform. This enables cross-IAM application access policies, unified UPN naming conventions, and centralized IdP services across the entire organization.
WebADM and External IAM Integration
With the introduction of WebADM version 2.3.20, RCDevs enhanced its platform with native integration capabilities for external IAM providers. This feature allows organizations to synchronize accounts and groups from their cloud IAM providers into WebADM’s LDAP tree. The synchronization is one-way—from the external IAM provider to WebADM—preserving group memberships and allowing external identities to be added to locally defined groups within WebADM.
This functionality is especially beneficial in scenarios like mergers and acquisitions, where multiple IAM systems need to be unified. By synchronizing identities from various sources, WebADM creates a centralized user directory, enabling consistent security policies, seamless IT management, and group-based access control across the entire organization.
The benefits of this approach include simplified identity management, enhanced security and compliance, flexible group management, cost efficiency, scalability, and an improved user experience through a unified access platform.
In summary, RCDevs and WebADM provide powerful tools for overcoming the complexities of managing multiple IAM systems, enabling a cohesive, secure, and scalable identity management infrastructure.
Actions/permissions required on EntraID
To perform operations such as locking a user account, checking or changing an Entra ID user's password, and retrieving user and group information using Entra ID APIs from WebADM, you'll need specific API permissions. These permissions must be granted through a registered application in Entra ID, and the application must have the appropriate permissions described later in this documentation.
App Registration
From the EntraID portal, access the App Registration menu.
Click on the New Registration button to start the registration process. Provide a name to easily identify your application that will be used for WebADM framework purposes.
In this example, I named it WebADM Sync.
Click on the Register button, and you will be redirected to the registered application's overview menu.
From the overview menu, you will need the following information for the tenant/application configuration in the WebADM Framework:
- Application (client) ID
- Directory (tenant) ID
Now, navigate to the Certificates & secrets menu to create a new client secret. This is the last piece of information required by the WebADM Framework.
Click on + New client secret and define an expiration date. Note that when the client secret expires, it will need to be renewed and reconfigured in WebADM to maintain proper communication. Click on the Add button to complete the client secret creation.
Once created, copy the client secret value to configure it in the WebADM Framework.
Permissions & Roles
The following section provides information on the permissions that need to be granted to your application for the different features available in the WebADM framework. Navigate to API Permissions under your registered application.
Synchronize Users and Groups Information
Use Case: Synchronize users and groups from EntraID within the WebADM Framework.
- Type: Application Permission
- Permission Required: Directory.Read.All (Read directory data)
- Description: Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
Click on + Add a permission and select the Microsoft Graph option, then Application permissions.
In the search bar, type Directory.Read.All and check the box next to the listed permission. Then click Add Permissions.
Password verification with EntraID
Use Case: Validate a user's password using Entra ID for an authentication that started with OpenOTP and a synced Entra ID account.
- Type: Delegated Permission
- Permission Required: Directory.AccessAsUser.All
- Description: Allows the app to have the same access to information in the directory as the signed-in user.
Click on + Add a permission and select the Microsoft Graph option, then Delegated permissions.
In the search bar, type Directory.AccessAsUser.All and check the box next to the listed permission. Then click Add Permissions.
User Account Lockout
Use Case: This permission is essential when using the Account Lockout feature in OpenOTP Badging. It is required if you've implemented an account lockout policy that prevents access when the user is not badged-in. The account will remain locked at the Entra ID level until the user badges-in with the OpenOTP Token application or from the User Self-Service Desk web application.
- Type: Application Permission
- Permission Required: User.EnableDisableAccount.All
- Description: This permission allows the application to read and write user profiles without a signed-in user. It is needed to perform operations such as locking a user account by updating the user's properties, like setting the account to disabled.
Click on + Add a permission and select the Microsoft Graph option, then Application permissions.
In the search bar, type Enable and check the box next to the listed permission. Then click Add Permissions.
Password Reset/Update
Use Case: Passwords for EntraID accounts synced in WebADM can be changed through the WebADM Framework. The system supports applying password policies, leak protections, and weak password detection to EntraID accounts. Resetting a user's password from a third-party application requires admin rights due to the sensitivity and potential impact of this operation. In EntraID, the permissions required to perform these actions generally involve administrative privileges.
These permissions are not granted at the API Permissions level but rather at the Roles & Admins level. To assign the necessary permissions, go to the Roles & Admins section and search for the Password Administrator role in the search bar.
Click on the Password Administrator role, then click on + Add assignments.
In the search bar, type the name of the previously created application (in this example, WebADM Sync). Check the box next to your application, then click the Add button.
The Password Administrator role is now assigned.
Apply Permissions
Once you have configured the needed permissions, click on Grant Admin Consent from the API permissions menu.
Click on Yes.
Permissions are now granted.
EntraID configuration on WebADM
The EntraID configuration on WebADM consists of:
- Creating a Container, Organizational Unit, or Organization object in your LDAP tree where the EntraID tenant will be synced.
- Creating a WebADM User Domain and configuring the tenant information of your EntraID tenant.
Container Creation
Let's first create the container where objects will be synced in.
Login on the WebADM Administrator Portal with a super_admin account, and click on the Create tab.
In this example, we create an Organization object named EntraID inside an existing Organization object named External Providers.
Click Proceed and select the location of the OU. I created it within an organization object named External Providers, but you can place it wherever you prefer. Name your object, optionally provide a description, and click Proceed, followed by Create Object.
Your Organizational Unit should then be created and visible at the location you specified.
Domain Creation and Configurations
Username/UPN Concepts
The WebADM User Domain creation involves configuring the following key settings:
- The User Search Base
- The UPN Mode and optionally the UPN Suffix when the UPN Mode is set to Explicit.
- The Directory Synchronization settings
When configuring the UPN Mode, you are determining how the login name value will be synced into the login attribute.
Example for Clarification
Consider the UPN (User Principal Name) of an EntraID account: testaccount@xxxxx.onmicrosoft.com.
- testaccount is the UPN prefix.
- xxxxx.onmicrosoft.com is the UPN suffix.
UPN Mode: Implicit vs Explicit
The UPN Mode can be set to either Implicit or Explicit. Here's how each mode works:
- Implicit Mode: In this mode, the testaccount value (the UPN prefix) will be stored in the login attribute. With this mode, users can authenticate using two different methods:
  - By providing username=testaccount and domain=WebADM_Domain_Name to the OpenOTP APIs.
  - By constructing a UPN with the UPN Suffix configured in the WebADM domain object they belong to and logging in as username@upn_suffix.
This mode is the most flexible. The UPN suffix can also be configured to work with the full UPN, even if it's not synced into the uid attribute.
With an Active Directory backend configured with WebADM, you must set UPN Mode to Implicit. Explicit mode cannot work, as the UPN prefix is synced into the sAMAccountName and the full EntraID UPN is synced into the UserPrincipalName.
- Explicit Mode: In this mode, the full UPN (testaccount@xxxxx.onmicrosoft.com) will be stored as the login attribute. In this case, users must use the full UPN as their username to log in. The testaccount value (UPN prefix) alone cannot be used for authentication.
If the directory backend configured with WebADM is Active Directory, and you attempt to sync EntraID accounts into Active Directory, the prefix of the UPN will be synced into the sAMAccountName attribute, while the entire EntraID UPN will be synced into the UserPrincipalName attribute.
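To make the two modes concrete, here is an added Python model (example code, not part of WebADM or of this documentation) of how the UPN Mode decides what is stored in the login attribute and which login forms OpenOTP then accepts; the DomainConfig structure, the function names and the "ldap"/"ad" backend flag are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class DomainConfig:
    """Subset of a WebADM User Domain configuration (assumed structure)."""
    name: str              # WebADM domain name, e.g. "EntraID"
    upn_mode: str          # "Implicit" or "Explicit"
    upn_suffix: str        # configured UPN Suffix, e.g. "xxxxx.onmicrosoft.com"
    backend: str = "ldap"  # "ldap" (uid login attribute) or "ad" (Active Directory)


def split_upn(upn: str) -> Tuple[str, str]:
    """Split 'testaccount@xxxxx.onmicrosoft.com' into (prefix, suffix)."""
    prefix, sep, suffix = upn.partition("@")
    if not sep or not prefix or not suffix:
        raise ValueError(f"malformed UPN: {upn!r}")
    return prefix, suffix.lower()


def synced_attributes(upn: str, cfg: DomainConfig) -> Dict[str, str]:
    """Login attribute(s) written for one synced Entra ID account."""
    prefix, _ = split_upn(upn)
    if cfg.backend == "ad":
        # AD backend: prefix -> sAMAccountName, full UPN -> userPrincipalName,
        # which is why only Implicit mode works there.
        if cfg.upn_mode != "Implicit":
            raise ValueError("Explicit UPN Mode cannot be used with an AD backend")
        return {"sAMAccountName": prefix, "userPrincipalName": upn}
    if cfg.upn_mode == "Implicit":
        return {"uid": prefix}
    if cfg.upn_mode == "Explicit":
        return {"uid": upn}
    raise ValueError(f"unknown UPN Mode: {cfg.upn_mode!r}")


def resolve_login(username: str, domain: Optional[str], cfg: DomainConfig) -> Optional[str]:
    """Return the login attribute value an OpenOTP request must match, or None if refused."""
    if cfg.upn_mode == "Explicit":
        # Only the full UPN is accepted; the bare prefix is refused.
        return username if "@" in username else None
    if "@" in username:
        # Implicit, form 2: username@upn_suffix is matched on the prefix
        prefix, suffix = split_upn(username)
        return prefix if suffix == cfg.upn_suffix.lower() else None
    # Implicit, form 1: username plus domain=WebADM domain name
    return username if domain == cfg.name else None
```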
Now that the concepts are clear, we can continue by creating the WebADM User Domain object and configuring the information for EntraID.
Go to the Admin tab, select User Domains, and click Add Domain. Provide a common name to identify the cloud provider, such as EntraID, and optionally add a description. Then, click Proceed followed by Create Object.
The domain object will be created, and you will enter the User Domain configurator. In the first section, configure the User and Group Search Bases to point to the Organizational Unit (OU) you previously created. In the UPN Suffix field, enter your EntraID UPN suffix ending with onmicrosoft.com. This information can be retrieved from your tenant.
Scroll down to the Directory Synchronization section.
- In the Provider setting, select Entra ID.
- In the Tenant ID setting, enter your tenant identifier, which can be retrieved from your Entra ID directory.
- In the Client ID setting, enter the unique identifier assigned to your registered application within the directory.
- In the Secret Key setting, enter the client secret associated with the application (the value created earlier under Certificates & secrets). This key, used together with the client ID, verifies the application's identity.
- Choose the Sync Options that best suit your preferences for password synchronization, ensuring they align with the permissions granted to the application.
- Finish by setting the Sync Period. By default, synchronization occurs every hour.
When the configuration is complete, click Apply to save your settings. You will be redirected to the Registered LDAP Domains menu, where your Entra ID domain should appear with a Sync Now button.
Click this button to start the synchronization process.
If any objects cannot be synced for any reason, an error message will appear in the synchronization output. For more details, consult the WebADM Server logs.
Objects that have been successfully synced will appear in the left LDAP tree, as shown in the screenshot below:
That's it. The synced identities and groups can now be used with WebADM, along with its dependencies and integrations.