Overview and Prerequisites

RCDevs integrates with Microsoft Entra ID (Azure Active Directory) External Authentication Methods and Conditional Access (CA) policies to strengthen logon security with OpenOTP two-factor authentication, delivered through the RCDevs Identity Provider over OpenID Connect. This integration enables seamless user enrollment via self-service options and supports a variety of authentication methods, including the OpenOTP Token app (with or without Push), Passkeys, FIDO2 keys, hardware tokens, Magic Links, and more. Additionally, it leverages the Conditional Access capabilities offered by RCDevs.

Entra ID accounts and groups can be synchronized into the LDAP backend configured with the WebADM Framework if needed. This eliminates the need for manual account and group creation, allowing you to sync and use them across various integrations, such as VPNs, cloud applications, and LDAP/Radius client applications. For setup details, refer to the Entra ID Users and Groups synchronization documentation.

Microsoft Entra ID and Conditional Access enable the creation of policies that assess user access attempts to applications. Access is granted only when specific conditions are met, such as membership in particular user groups, the geolocation of the access device, or the successful completion of multifactor authentication.

For this setup, you need an Entra ID account with Global Administrator privileges to perform the configuration in the Entra ID Administrator portal, as well as an Entra ID P1 or P2 subscription. Additionally, users who will utilize OpenOTP authentication must be properly licensed on Entra ID and on WebADM/OpenOTP.
You also need access to the WebADM Administrator portal as super admin.

This documentation assumes that the following components are already set up and operational:

  • WebADM Framework and OpenOTP service
  • RCDevs Identity Provider with public accessibility (OpenID & SAML Provider version 1.6.7 minimum)

Entra ID configuration

Create an Enterprise Application

Log in to your Entra ID tenant as a Global Administrator. Under the Identity category, expand the Applications menu, then click Enterprise Applications. Click + New application to create the enterprise application that will be needed later for your External Authentication Method, and name the application at your convenience. In this example, we named it RCDevs MFA. Choose the category type Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

Enterprise Application Creation

Your application should now be created; you can customize some properties at your convenience.

Enterprise Application Properties

App Registrations

Navigate now to the App Registrations menu, locate your newly created application, and go to Branding & Properties to customize it similarly to the image below.

Enterprise Registration Branding

Navigate now to the Authentication menu and, under Web Redirect URIs, click Add URI.

Enterprise Registration Authentication

Provide the Identity Provider (IdP) URL. In this example, the URL is https://sso.rcdevsdocs.com/openid/index.php. This example URL is published through RCDevs WAProxy. In infrastructures where WAProxy is not used for IdP page publication, the /webapps/ path must be preserved. For instance: https://sso.rcdevsdocs.com/webapps/openid/index.php.

In Implicit grant and hybrid flows, select ID Tokens, and in Supported account types, select Accounts in this organizational directory only (xxxx only - Single tenant).

In the Advanced settings section, disable the mobile and desktop flows:

Apps Registration - Authentication

Click Save to save your configuration.

Now, click on the Certificates and secrets section to upload your IdP certificate. The certificate can be obtained in the correct format from WebADM Administrator Portal > Applications > Single Sign-On > OpenID & SAML Provider > CONFIGURE. Navigate to the Common Features section and locate the Server Certificate setting. Copy the content and paste it into a file, then save it with a .pem extension.

You can also find the IdP certificate through the SAML or OpenID discovery endpoints.
For OpenID, it is available from the JWKS endpoint of your IdP, though not in PEM/CRT format. The JWKS URL looks like this: https://sso.rcdevs.com/openid/certs.php.

Access your OpenID well-known URL for all information related to your OpenID IdP:

https://sso.rcdevsdocs.com/.well-known/openid-configuration

{
    "issuer": "https://sso.rcdevsdocs.com",
    "authorization_endpoint": "https://sso.rcdevsdocs.com/openid/index.php",
    "token_endpoint": "https://sso.rcdevsdocs.com/openid/index.php",
    "userinfo_endpoint": "https://sso.rcdevsdocs.com/openid/index.php",
    "jwks_uri": "https://sso.rcdevsdocs.com/openid/certs.php",
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "response_types_supported": [
        "code",
        "token",
        "id_token"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "claim_types_supported": [
        "normal"
    ],
    "scopes_supported": [
        "basic",
        "openid",
        "email",
        "phone",
        "profile",
        "groups"
    ],
    "claims_supported": [
        "sub",
        "email",
        "email_verified",
        "phone_number",
        "phone_number_verified",
        "preferred_username",
        "preferred_language",
        "given_name",
        "family_name",
        "name",
        "groups",
        "mfa-policy",
        "amr",
        "acr"
    ]
}
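The discovery document above is what Entra ID fetches and parses when the External Authentication Method is created, and the JWKS it points to is where the IdP signing certificate can be retrieved when you do not want to copy it from the WebADM portal. The following script is an added example (not RCDevs or Microsoft code): it checks an embedded copy of the discovery document for the items this integration depends on (issuer, endpoints on the issuer host, RS256 signing, the id_token response type and the amr claim), and wraps an x5c certificate entry from a JWKS into a .pem file. The JWKS below is constructed for the example; its base64 body is a placeholder and not a real certificate, and whether your IdP's JWKS carries x5c entries is an assumption to verify against your own certs.php output.

```python
import base64
import textwrap
from urllib.parse import urlparse

# Constructed copy of the discovery document shown in this page (trimmed to the
# fields the checks below use). In practice you would GET the well-known URL.
DISCOVERY_DOC = {
    "issuer": "https://sso.rcdevsdocs.com",
    "authorization_endpoint": "https://sso.rcdevsdocs.com/openid/index.php",
    "token_endpoint": "https://sso.rcdevsdocs.com/openid/index.php",
    "jwks_uri": "https://sso.rcdevsdocs.com/openid/certs.php",
    "response_types_supported": ["code", "token", "id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "claims_supported": ["sub", "email", "amr", "acr"],
}

# Constructed JWKS: the x5c content is a placeholder string, NOT a real certificate.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "example-idp-key",
         "x5c": ["MIIC" + "A" * 200]},
    ]
}


def check_discovery(doc):
    """Return a list of problems for the EAM integration; an empty list means OK."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
    issuer = doc.get("issuer", "")
    if not issuer.startswith("https://"):
        problems.append("issuer must be an https URL")
    issuer_host = urlparse(issuer).netloc
    # Endpoints served from another host than the issuer are a sign of a
    # misconfigured or spoofed discovery document.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if url and urlparse(url).netloc != issuer_host:
            problems.append(f"{key} is not on the issuer host")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 id_token signing not advertised")
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("id_token response type not advertised")
    if "amr" not in doc.get("claims_supported", []):
        problems.append("amr claim not advertised; login strength would not reach Entra ID")
    return problems


def signing_keys(jwks):
    """Keys usable for signature verification: RSA keys marked for 'sig' use."""
    return [k for k in jwks.get("keys", [])
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]


def jwk_x5c_to_pem(jwk):
    """Wrap the first x5c entry (base64 DER) of a JWK into PEM with 64-char lines."""
    der_b64 = jwk["x5c"][0]
    base64.b64decode(der_b64, validate=True)  # fail early on corrupt base64
    body = "\n".join(textwrap.wrap(der_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print("discovery problems:", check_discovery(DISCOVERY_DOC) or "none")
    for key in signing_keys(SAMPLE_JWKS):
        if "x5c" in key:
            with open(f"idp-{key['kid']}.pem", "w") as fh:
                fh.write(jwk_x5c_to_pem(key))
```

The certificate check in the script is deliberately limited to base64 sanity; compare the resulting .pem with the Server Certificate shown in the WebADM portal before uploading it to the app registration.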

Upload your certificate.

IdP Certificate

Navigate now to the API Permissions section then click on + Add a Permission, select Microsoft Graph, and add the permissions as shown in the screen below:

Apps Registration API Permissions

Once all permissions have been added, click on Grant admin consent and approve the consent.

Add External Authentication Method

Under the Protection menu in the left tree, click Authentication Methods, then click the + Add external method button to create your new EAM.

External Authentication Method creation

Provide a Name that will be visible to end-users before they are redirected to your Identity Provider. In this example, I named it "RCDevs Identity Provider," but you can choose any name that is clear and easily recognizable for your users, such as Company_Name Identity Provider or Company_Name MFA.

You will also need to configure a Client ID. This Client ID will be essential in the next section to link it to the WebADM Client Policy that you will create for Entra ID. Here, I've used the value the_client_id_which_will_be_configured_in_the_webadm_client_policy, but you may set it to any value you prefer. A long, random value is preferable.

You now need to configure the Discovery Endpoint setting for your Identity Provider. As previously provided in this documentation, my endpoint is https://sso.rcdevsdocs.com/.well-known/openid-configuration. This endpoint must be accessible to the Entra ID infrastructure to retrieve and parse the necessary endpoints and information it contains.

The last property, App ID, must contain the Application ID of the Enterprise application created earlier in this documentation.

External Authentication Method creation

Copy this value into the App ID setting of your External Authentication Method.

External Authentication Method creation

In the Enable and Target section, switch the Enable radio button to On and select the target group for this External Authentication Method. In this example, I selected my RCDevs MFA Group. Finally, save your configuration.

Your authentication method should now appear in the External section.

External Authentication Method creation

The External Authentication Method configuration is now complete.

Conditional Access Policy creation from Entra ID

We now need to create an Entra ID conditional access policy for the desired application to call our Identity Provider for MFA authentication.

Under the Protection menu, navigate to the Conditional Access section and create a new policy that will require MFA through your Identity Provider.

In this example, we will configure MFA with the RCDevs IdP for the Office 365 application, targeting the RCDevs MFA Group user group and requiring MFA authentication in the access control.

Conditional Access Policy menu

Click on + Create new policy. Once in the policy form, configure the desired settings.

Conditional Access Policy

Finally, enable the policy by toggling the switch button to On and click the Create button to finish the policy creation.

Conditional Access Policy

The Entra ID configuration is now complete. We will now proceed with the Entra ID configuration in WebADM.

WebADM Configurations

The Entra ID configuration in WebADM mainly involves defining a Client Policy for the Entra ID Service Provider. In this client policy, a WebADM domain will be involved. Please read the next section carefully to understand the configuration options available.

Domain configuration

With Microsoft Entra ID and RCDevs, there are two possible configurations for managing identities used by WebADM/OpenOTP:

  1. Entra ID identities synchronized from an on-premises Active Directory: In this setup, WebADM is configured with your Active Directory, from which the Entra ID identities are synchronized. You do not need to synchronize identities with the WebADM infrastructure, as they already exist in the Active Directory used by WebADM.

  2. Entra ID identities not synchronized from an on-premises Active Directory: In this scenario, you have the following options:

    • Synchronize Entra ID accounts and groups into the LDAP backend configured with WebADM: This is the preferred solution, as it avoids duplicating the identity creation process across systems. To set this up, refer to the Entra ID Users and Groups Synchronization in WebADM documentation provided by RCDevs.
    • Create identities and groups directly in the LDAP backend used by WebADM: This option is not recommended because it requires manual maintenance of identities on both the Entra ID and LDAP/WebADM sides. This method can be used for testing purposes.

This section is important because the domain configuration and allowed domain in your WebADM policy for Entra ID will depend on the setup you are using.

The WebADM domain object involved in authentication must be correctly configured, especially in the second scenario where identities are synced from Entra ID. If the WebADM domain is not configured correctly, WebADM will not be able to perform accurate mapping with local identities.

Conditional Access creation from WebADM (Client Policy)

We are now going to create a WebADM Client Policy for Entra ID.
Log in to the WebADM Administrator Portal, click the Admin tab, then click the Client Policies box.

Entra ID Policy

Click the Add Client button, name your Client Policy, and optionally provide a description for this policy object.

Client Policy for Entra ID

Click Proceed and, on the next screen, Create object.

Client Policy for Entra ID

You are now entering the policy configurator.
Select the domain from which Entra ID identities should be chosen (either the Entra ID Synced domain or Active Directory). In this documentation, we are using the WebADM domain targeting the Active Directory infrastructure.

In the Client Name Aliases setting, configure the Client ID you defined during the External Authentication Method creation. Here the_client_id_which_will_be_configured_in_the_webadm_client_policy:

Client Policy for Entra ID

Scroll down to the Default Application Settings category, check the Enforce Setting checkbox, and click Edit.

Client Policy for Entra ID

There are multiple applications to configure in this Client policy:

  • MFA Authentication Server (OpenOTP);
  • OpenID & SAML Provider (RCDevs IdP) to configure settings specifically related to the Entra ID Service Provider.

Let's start with OpenOTP. In this example, I will configure the Login Mode to MFA. I will omit the LDAP password validation from this integration because the user password is already validated by Entra ID before being redirected to the Identity Provider.

Client Policy for Entra ID

MFA includes both OTP and FIDO authentication simultaneously. You can also choose either the OTP or U2F method for OTP or FIDO authentication. The login strength performed for a user is returned to Entra ID in the amr claim. RCDevs returns three types of amr claims that are supported by Entra ID:

  • otp: One-time password. This covers software/hardware HOTP/TOTP tokens, Push login with the OpenOTP Token application, YubiKeys, OTPs delivered by SMS/mail, Magic Links, and OTP lists.
  • fido: FIDO2 was used. A FIDO device (hardware key, Passkey, ...) was used during the authentication.
  • vbm: Biometric with voiceprint. An OpenOTP VOICE biometric login was performed.

Navigate now to the OpenID & SAML Provider application, enable the Password-Less mode setting and set the Name Identifier to EntraID.

Client Policy for Entra ID

Scroll down to the OpenID Service section and set the Subject Type to Public.

Optionally, configure the scoped settings. The client secret is not configured here, as client verification is done by verifying signatures.

Configure the Client Key URL used for your tenant. The format from Microsoft is as follows:

https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys

Replace {tenant} with your Entra ID tenant ID. For the tenant used in this documentation, the URL will look like this:

https://login.microsoftonline.com/a31e6f41-c1d0-4a2d-b4e5-2e9e3a5affa2/discovery/v2.0/keys

Client Policy for Entra ID

Your configuration is complete. Click Apply on the next two screens to save your Entra ID Client Policy.

Authentication attempt

It's now time to test the Entra ID external authentication method with OpenOTP through the RCDevs Identity Provider. Open Office 365, go to the sign-in page, and click on Sign-In.

Login Office 365

Provide the username:

Login Office 365

Provide the password:

Login Office 365

If the credentials have been validated successfully, you should now see your External Authentication Method. Click it to be redirected to your Identity Provider.

RCDevs External Authentication Method

After being redirected to the IdP login page, I am immediately prompted with an OTP challenge. If a FIDO device had been registered to this account, I would be prompted for a FIDO challenge instead.

OTP Challenge on the IdP page

After a successful authentication with your Identity Provider, you will be redirected to the Office 365 landing page.

Office 365 authenticated through OpenOTP