Overview and Prerequisites
RCDevs integrates with Microsoft Entra ID (Azure Active Directory) External Authentication Methods and Conditional Access (CA) policies to strengthen logon security with OpenOTP two-factor authentication through the RCDevs Identity Provider using OpenID Connect. This integration enables seamless user enrollment via self-service options and supports a variety of authentication methods, including the OpenOTP Token app (with or without Push), Passkeys, FIDO2 keys, hardware tokens, Magic Links, and more. Additionally, it leverages the Conditional Access capabilities offered by RCDevs.
Entra ID accounts and groups can be synchronized into the LDAP backend configured with the WebADM Framework if needed. This eliminates the need for manual account and group creation, allowing you to sync and use them across various integrations, such as VPNs, cloud applications, and LDAP/Radius client applications. For setup details, refer to the Entra ID Users and Groups synchronization documentation.
Microsoft Entra ID and Conditional Access enable the creation of policies that assess user access attempts to applications. Access is granted only when specific conditions are met, such as membership in particular user groups, the geolocation of the access device, or the successful completion of multifactor authentication.
For this setup, you need an Entra ID account with Global Administrator privileges to perform the configuration in the Entra ID Administrator portal, as well as an Entra ID P1 or P2 subscription. Additionally, users who will use OpenOTP authentication must be properly licensed on Entra ID and on WebADM/OpenOTP.
You also need to access the WebADM Administrator portal as super admin.
This documentation assumes that the following components are already set up and operational:
- WebADM Framework and OpenOTP service
- RCDevs Identity Provider with public accessibility (OpenID & SAML Provider version 1.6.7 minimum)
Entra ID configuration
Create an Enterprise Application
Log in to your Entra ID tenant as a Global Administrator. Under the Identity category, expand the Applications menu, then click on Enterprise Applications. Click on + New application to create the enterprise application that will be needed later for your External Authentication Method creation, and name the application at your convenience. In this example, we named it RCDevs MFA. Choose the category type Integrate any other application you don't find in the gallery (Non-gallery) and click on Create.
Your application should now be created; you can customize some properties at your convenience.
App Registrations
Navigate now to the App Registrations menu, locate your newly created application, and go to Branding & Properties to customize it similarly to the image below.
Navigate now to the Authentication menu and, in the Web Redirect URIs section, click on Add URI.
Provide the Identity Provider (IdP) URL. In this example, the URL is https://sso.rcdevsdocs.com/openid/index.php. This example URL is published through RCDevs WAProxy. In infrastructures where WAProxy is not used for IdP page publication, the /webapps/ path must be preserved. For instance: https://sso.rcdevsdocs.com/webapps/openid/index.php.
In the Implicit grant and hybrid flows section, select ID Tokens, and in Supported account types, select Accounts in this organizational directory only (xxxx only - Single tenant).
In the Advanced settings section, disable the mobile and desktop flows.
Click Save to save your configuration.
Now, click on the Certificates and secrets section to upload your IdP certificate. The certificate can be obtained in the correct format from WebADM Administrator Portal > Applications > Single Sign-On > OpenID & SAML Provider > CONFIGURE. Navigate to the Common Features section and locate the Server Certificate setting. Copy the content and paste it into a file, then save it with a .pem extension.
You can also find the IdP certificate through the SAML or OpenID discovery endpoints.
For OpenID, it is available from the JWKS endpoint of your IdP, though not in PEM/CRT format. The JWKS URL looks like this: https://sso.rcdevs.com/openid/certs.php.
Access your OpenID well-known URL for all information related to your OpenID IdP:
https://sso.rcdevsdocs.com/.well-known/openid-configuration
{
  "issuer": "https://sso.rcdevsdocs.com",
  "authorization_endpoint": "https://sso.rcdevsdocs.com/openid/index.php",
  "token_endpoint": "https://sso.rcdevsdocs.com/openid/index.php",
  "userinfo_endpoint": "https://sso.rcdevsdocs.com/openid/index.php",
  "jwks_uri": "https://sso.rcdevsdocs.com/openid/certs.php",
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "scopes_supported": [
    "basic",
    "openid",
    "email",
    "phone",
    "profile",
    "groups"
  ],
  "claims_supported": [
    "sub",
    "email",
    "email_verified",
    "phone_number",
    "phone_number_verified",
    "preferred_username",
    "preferred_language",
    "given_name",
    "family_name",
    "name",
    "groups",
    "mfa-policy",
    "amr",
    "acr"
  ]
}
Upload your certificate.
Navigate now to the API Permissions section, click on + Add a Permission, select Microsoft Graph, and add the permissions as shown in the screen below:
Once all permissions have been added, click on Grant admin consent and approve the consent.
Add External Authentication Method
Under the Protection menu in the left tree, click on Authentication Methods and then click on the + Add external method button to create your new EAM.
Provide a Name that will be visible to end-users before they are redirected to your Identity Provider. In this example, I named it "RCDevs Identity Provider," but you can choose any name that is clear and easily recognizable for your users, such as Company_Name Identity Provider or Company_Name MFA.
You will also need to configure a Client ID. This Client ID will be essential in the next section to link it to a WebADM Client Policy that you will create for Entra ID. Here, I've used the value the_client_id_which_will_be_configured_in_the_webadm_client_policy, but you may set it to any value you prefer. A strong, hard-to-guess value is better.
You now need to configure the Discovery Endpoint setting for your Identity Provider. As previously provided in this documentation, my endpoint is https://sso.rcdevsdocs.com/.well-known/openid-configuration. This endpoint must be accessible to the Entra ID infrastructure to retrieve and parse the necessary endpoints and information it contains.
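As an added example (not part of RCDevs' documentation or product), the following Python checks the discovery document shown above for the properties the External Authentication Method consumes, and converts a JWKS entry's x5c certificate into the PEM form needed for the App Registration upload described earlier. Which fields are treated as required, and the x5c-based conversion, are assumptions drawn from the page's example rather than an official Entra ID or RCDevs requirement list; the JWKS sample is constructed.

```python
import json
from urllib.parse import urlparse

# Discovery document copied from the page's example; the x5c value in SAMPLE_JWKS
# is a constructed placeholder, not a real certificate.
DISCOVERY = {
    "issuer": "https://sso.rcdevsdocs.com",
    "authorization_endpoint": "https://sso.rcdevsdocs.com/openid/index.php",
    "token_endpoint": "https://sso.rcdevsdocs.com/openid/index.php",
    "userinfo_endpoint": "https://sso.rcdevsdocs.com/openid/index.php",
    "jwks_uri": "https://sso.rcdevsdocs.com/openid/certs.php",
    "response_types_supported": ["code", "token", "id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["basic", "openid", "email", "phone", "profile", "groups"],
    "claims_supported": ["sub", "email", "preferred_username", "groups", "amr", "acr"],
}
SAMPLE_JWKS = {"keys": [{"kid": "rcdevs-idp-1", "kty": "RSA", "x5c": ["QUJD" * 30]}]}

def check_discovery(doc):
    """Return the problems that would stop Entra ID from using this IdP as an EAM (assumed list)."""
    problems = []
    issuer = doc.get("issuer", "")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer is not an https URL")
    # Entra ID must reach these endpoints; the page keeps them under the issuer host.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith(issuer + "/"):
            problems.append(f"{key} missing or not under the issuer")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("id_token signing does not offer RS256")
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("response_type id_token not supported")
    if "form_post" not in doc.get("response_modes_supported", []):
        problems.append("response_mode form_post not supported")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("openid scope not advertised")
    if "amr" not in doc.get("claims_supported", []):
        problems.append("amr claim (login strength) not advertised")
    return problems

def jwks_to_pem(jwks):
    """Map kid -> PEM certificate for JWKS entries that carry an x5c chain (leaf only)."""
    pems = {}
    for key in jwks.get("keys", []):
        chain = key.get("x5c")
        if not chain:
            continue  # keys published only as n/e would need an RSA DER encoder instead
        leaf = chain[0]
        body = "\n".join(leaf[i:i + 64] for i in range(0, len(leaf), 64))
        pems[key["kid"]] = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return pems

if __name__ == "__main__":
    print(json.dumps(check_discovery(DISCOVERY)))
    print(jwks_to_pem(SAMPLE_JWKS)["rcdevs-idp-1"])
```

Run it against the JSON your own well-known URL returns (for example by loading it with `json.load`) before creating the EAM; an empty problem list means the document advertises everything the page relies on.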
The last property, App ID, must contain the Application ID of the Enterprise application created earlier in this documentation. Copy this value into the App ID setting of your External Authentication Method.
In the Enable and Target section, switch the Enable radio button to On and select the target group for this External Authentication Method. In this example, I selected my RCDevs MFA Group. Finally, save your configuration.
Your authentication method should now appear in the External section.
The External Authentication Method configuration is now complete.
Conditional Access Policy creation from Entra ID
We now need to create an Entra ID conditional access policy for the desired application to call our Identity Provider for MFA authentication.
Under the Protection menu, navigate to the Conditional Access section and create a new policy that will require MFA through your Identity Provider.
In this example, we will configure MFA with the RCDevs IdP for the Office 365 application, targeting the RCDevs MFA Group user group and requiring MFA authentication in the access control.
Click on + Create new policy. Once in the policy form, configure the desired settings.
Finally, enable the policy by toggling the switch button to On and click the Create button to finish the policy creation.
The Entra ID configuration is now complete. We will now proceed with the Entra ID configuration in WebADM.
WebADM Configurations
The Entra ID configuration in WebADM mainly involves defining a Client Policy for the Entra ID Service Provider. In this client policy, a WebADM domain will be involved. Please read the next section carefully to understand the configuration options available.
Domain configuration
With Microsoft Entra ID and RCDevs, there are two possible configurations for managing identities used by WebADM/OpenOTP:
- Entra ID identities synchronized from an on-premises Active Directory: In this setup, WebADM is configured with your Active Directory, which synchronizes Entra ID identities from the on-premises Active Directory. You do not have to take care of synchronizing identities with the WebADM infrastructure, as they already exist in the Active Directory used by WebADM.
- Entra ID identities not synchronized from an on-premises Active Directory: In this scenario, you have the following options:
  - Synchronize Entra ID accounts and groups into the LDAP backend configured with WebADM: This is the preferred solution, as it avoids duplicating the identity creation process across systems. To set this up, refer to the Entra ID Users and Groups Synchronization in WebADM documentation provided by RCDevs.
  - Create identities and groups directly in the LDAP backend used by WebADM: This option is not recommended because it requires manual maintenance of identities on both the Entra ID and LDAP/WebADM sides. This method can be used for testing purposes.
This section is important because the domain configuration and allowed domain in your WebADM policy for Entra ID will depend on the setup you are using.
The WebADM domain object involved in authentication must be correctly configured, especially in the second scenario where identities are synced from Entra ID. If the WebADM domain is not configured correctly, WebADM will not be able to perform accurate mapping with local identities.
Conditional Access creation from WebADM (Client Policy)
We are now going to create a WebADM Client Policy for Entra ID.
Log in to the WebADM Administrator Portal, then click on the Admin tab and click on the Client Policies box.
Click the Add Client button, name your Client Policy, and optionally provide a description for this policy object.
Click on Proceed and, on the next screen, Create object. You are now entering the policy configurator.
Select the domain from which Entra ID identities should be chosen (either the Entra ID Synced domain or Active Directory). In this documentation, we are using the WebADM domain targeting the Active Directory infrastructure.
In the Client Name Aliases setting, configure the Client ID you defined during the External Authentication Method creation. Here, the_client_id_which_will_be_configured_in_the_webadm_client_policy:
Scroll down to the Default Application Settings category, check the Enforce Setting checkbox, and click Edit.
There are multiple applications to configure in this Client policy:
- MFA Authentication Server (OpenOTP);
- OpenID & SAML Provider (RCDevs IdP) to configure settings specifically related to the Entra ID Service Provider.
Let's start with OpenOTP. In this example, I will configure the Login Mode to MFA. I will omit the LDAP password validation from this integration because the user password is already validated by Entra ID before being redirected to the Identity Provider.
MFA includes both OTP and FIDO authentication simultaneously. You can also choose either the OTP or U2F method for OTP or FIDO authentication. The login strength performed for a user is returned to Entra ID in the amr claim. RCDevs returns three types of amr claims that are supported by Entra ID:
- otp: One-time password. This includes software/hardware HOTP/TOTP tokens, Push login with the OpenOTP Token application, YubiKeys, OTP delivered by SMS/Mail, Magic Links, and OTP lists.
- fido: FIDO2 was used. A FIDO device (hardware key, Passkey, ...) was used during the authentication.
- vbm: Biometric with voiceprint. An OpenOTP VOICE biometric login has been performed.
Navigate now to the OpenID & SAML Provider application, enable the Password-Less mode setting and set the Name Identifier to EntraID.
Scroll down to the OpenID Service section and set the Subject Type to Public.
Optionally, configure the scoped settings. The client secret is not configured here, as client verification is done by verifying signatures.
Configure the Client Key URL used for your tenant. The format from Microsoft is as follows:
https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys
Replace {tenant} with your Entra ID tenant ID. For the tenant used in this documentation, the URL will look like this:
https://login.microsoftonline.com/a31e6f41-c1d0-4a2d-b4e5-2e9e3a5affa2/discovery/v2.0/keys
Your configuration is done. Click Apply on the next 2 screens to save your Entra ID Client Policy.
Authentication attempt
It's now time to test the Entra ID external authentication method with OpenOTP through the RCDevs Identity Provider. Open Office 365, go to the sign-in page, and click on Sign-In.
Provide the username:
Provide the password:
If the credentials have been validated successfully, you should now see your External Authentication Method. Click on it to be redirected to your Identity Provider.
After being redirected to the IdP login page, I am immediately prompted with an OTP challenge. If a FIDO device had been registered to this account, I would be prompted for a FIDO challenge instead.
After a successful authentication with your Identity Provider, you will be redirected to the Office 365 landing page.