Feide login with AzureAD#
Azure AD is Microsoft’s login solution, and this is used for authentication on services like Office 365, Teams, and Outlook. To access these services, users must sign in with a Microsoft work or school account. With Feide login with Microsoft work or school account, it is easier for the users to log in to those services. The user can use the same account regardless of whether they need to log in to service in Feide or the Microsoft single sign-on ecosystem.
It may be helpful to disable Feide directory authentication if the organization wants all users to sign in with a Microsoft work or school account when logging in with Feide. Read more about this here.
Below are the steps to configure Feide login with Azure AD.
1. Same username in Feide and Azure AD#
To be able to authenticate a user in Feide using Azure AD, Feide must connect the user logging in with Azure AD to a Feide user in the organization's Feide directory.
To connect the user, the following Azure AD claims are used:
preferred_username
: The primary username that represents the user. This is normally the Azure AD User Principal Name, but depending on the Azure AD configuration it can also be other attributes.
email
: The email address of the user.
See the AzureAD reference documentation for more details about these claims.
Feide will match these claims with the eduPersonPrincipalName and mail attributes in the Feide directory. Either the preferred_username claim must match the eduPersonPrincipalName attribute, or the email claim must match the mail attribute.
If the user does not have an email address in Azure AD, Feide will additionally try to look for the preferred_username claim in the mail attribute.
If Azure AD does not include a domain name in preferred_username, Feide will add the domain of the organization when looking for the eduPersonPrincipalName attribute.
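The matching rules above, modelled as an added example (not Feide's own code) against a constructed mini directory; the organization domain, the directory entries and the claim values are all assumed sample data:

```python
# Added example: models Feide's claim-to-attribute matching for Azure AD logins.
# DIRECTORY, ORG_DOMAIN and the claim values are constructed sample data.
from typing import Optional

ORG_DOMAIN = "example.org"  # assumed Feide organization domain

# Constructed sample Feide directory entries (eduPersonPrincipalName and mail).
DIRECTORY = [
    {"eduPersonPrincipalName": "alice@example.org", "mail": "alice.smith@example.org"},
    {"eduPersonPrincipalName": "bob@example.org", "mail": None},
    {"eduPersonPrincipalName": "carol@example.org", "mail": "carol@example.org"},
]


def _norm(value: Optional[str]) -> Optional[str]:
    """Case-insensitive comparison; None stays None."""
    return value.strip().lower() if value else None


def match_feide_user(claims: dict, directory=DIRECTORY, org_domain=ORG_DOMAIN) -> Optional[dict]:
    """Return the directory entry the Azure AD claims map to, or None if no match."""
    upn = _norm(claims.get("preferred_username"))
    email = _norm(claims.get("email"))
    if upn is None:
        return None  # nothing to match on

    # If Azure AD omits the domain, the organization's domain is appended
    # when looking for eduPersonPrincipalName.
    upn_for_eppn = upn if "@" in upn else f"{upn}@{org_domain}"

    for entry in directory:
        eppn = _norm(entry["eduPersonPrincipalName"])
        mail = _norm(entry["mail"])
        # Rule 1: preferred_username must match eduPersonPrincipalName ...
        if eppn == upn_for_eppn:
            return entry
        # Rule 2: ... or the email claim must match the mail attribute.
        if email is not None and mail is not None and mail == email:
            return entry
        # Fallback: no email claim, so also look for preferred_username in mail.
        if email is None and mail is not None and mail == upn:
            return entry
    return None
```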
2. Add new value in the attribute for a strong authentication method (only for organizations using Strong authentication)#
Organizations can use Azure AD to implement multifactor and strong authentication at level 3 in Feide. This requires the organization to have enabled logging into Feide using Azure AD and requires the organization to have provisioned multifactor authentication in Azure AD adhering to the requirements for level 3 authentication. Once that is configured, you can allow a user to use Azure AD for level 3 authentication by adding the norEduPersonAuthnMethod attribute to the user in your LDAP user directory:
norEduPersonAuthnMethod: urn:mace:feide.no:auth:method:azuread
This flag indicates that the user has had their identity verified and that the multifactor authentication method has been provisioned to the user securely.
The requirements and guidelines for level 3 authentication with AzureAD are the same as for the other level 3 authentication methods in Feide. All level 3 authentications must satisfy identity proofing and authentication requirements in Rammeverk for autentisering og uavviselighet i elektronisk kommunikasjon med og i offentlig sektor.
Feide will set level 3 on the login only when all of the following hold: the LDAP attribute is set on the account, the authentication method is selected, and MFA is actually used when authenticating with the Microsoft work or school account (Azure AD).
For further details see our MFA technical specs for Azure AD.
3. Adding the Feide Enterprise application#
The following is one of several ways to grant admin consent for the enterprise application. For more details, please see the AzureAD documentation page.
Adding the Feide Enterprise applications#
In order to add the Feide Enterprise application, insert your tenant ID into the following URL and open it in a browser. Only {tenant-id} in the URL needs to be changed.
URL:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=48d2c7ce-eea9-40d0-99af-3c6a8657d3c3
You should then be taken to the following page to accept the terms of use:
Verifying that the application is added#
After completing step one, including accepting the terms of use, the application should be visible from the “all applications” page.
Approve access on behalf of the organization#
In the permissions page the administrator should be able to approve access on behalf of the organization. Verify that admin consent is given by checking the column on the right, “Granted through.” Click the blue “Grant admin consent” box if it is missing.
After completing these three steps, a Feide-administrator should be able to administrate the remaining setup from the Feide Customer Portal.
4. Enable Azure AD in the customer portal#
Once the Feide Enterprise application is added, the Feide login with Azure AD can be activated in the customer portal. This is done by editing the login methods on the organization tab.
Check off Azure AD / Microsoft account use and enter the tenant ID of the organization's Azure AD.
To save the change, click on Save at the bottom of the page.
It may take up to 10 minutes before login with a Microsoft account is available as an option in the organization's Feide login window.