Skip to main content

Overview

For customers whose domains are not federated with TruU or a third-party identity provider (IDP) such as Okta, Ping, or ForgeRock, special steps are required to achieve a seamless logon experience on Microsoft Windows, or to enable passwordless logon on macOS. If customers are using TOTAL Protect for frontline access (Shared Workstation) or TOTAL Protect Authenticator for Windows with a smart card, they must enable Certificate-based authentication on Entra ID. By enabling this authentication method in Entra ID, organizations can ensure users experience smooth logon processes across both Microsoft Windows and macOS platforms, even without traditional federated identity solutions.
  • Organizations need to have at least one certification authority (CA) in place, which could be part of an on-premises Public Key Infrastructure (PKI) or a cloud-based PKI solution like TruU Cloud PKI
  • Users should possess a client authentication certificate from a trusted PKI that has been configured on the tenant
  • Only users with Global admin or Privileged Authentication Administrator roles have the necessary permissions to configure the CA
  • CA requires an internet-facing URL that is accessible and has a published Certificate Revocation List (CRL)

Configuration of Certificate-Based Authentication:

  1. Sign into the Microsoft Entra portal using a Global Administrator account
  2. Proceed to Microsoft Entra ID, select Security, and then click on Certificate Authorities in the menu
  1. To upload a CA, click Upload:
a. Select the CA file b. Select Yes if the CA is a root certificate, otherwise select No c. Set the http internet-facing URL for the certification authority’s based CRL that contains all revoked certificates. This should be set or authentication with revoked certificates will not fail d. Set Delta CRL URL - the http internet-facing URL for the CRL that contains all revoked certificates since the last base CRL was published e. Click Add
  1. To delete a CA certificate, select the certificate and click Delete
  2. Click Columns to add or delete columns

Configure Authentication Binding Policy

The authentication binding policy helps determine the strength of authentication to either a single factor or multi factor. An admin can change the default value from single-factor to multifactor and configure custom policy rules by mapping to issuer Subject or policy OID fields in the certificate. To enable the certificate-based authentication and configure user bindings in the Entra portal, complete the following steps:
  1. Sign into the Microsoft Entra portal as Authentication Policy Administrator
  2. Select Microsoft Entra ID (Azure Active Directory), then choose Security from the menu on the left-hand side
  3. Click Authentication methods, then Policies
  4. Under Manage, select Authentication methods, then Certificate-based Authentication
  1. Click Configure to set up authentication binding and username binding
  2. The protection level attribute has a default value of Single-factor authentication. Select Multi-factor authentication to change the default value to MFA
  1. You can also set up custom authentication binding rules to help determine the protection level for client certificates. It can be configured using either the issuer Subject or Policy OID fields in the certificate
Note: Authentication binding rules will map the certificate attributes (issuer or Policy OID) to a value, and select default protection level for that rule. Multiple rules can be created
  1. To add custom rules, click on Add Rule
  1. To create a rule by certificate issuer, click Certificate issuer
a. Select a Certificate issuer identifier from the list box b. Click Multi-factor authentication as a protection level c. To create a rule by Policy OID, click Policy OID d. Enter a value for Policy OID e. Click Multi-factor authentication as a protection level
  1. Click Ok to save any custom rule

Configure Username Binding Policy

The username binding policy helps determine the user in the tenant. By default, we map Principal Name in the certificate to onPremisesUserPrincipalName in the user object to determine the user. An admin can override the default and create a custom mapping. Currently, we support two certificate fields, SAN (Subject Alternate Name) Principal Name and SAN RFC822Name, to map against the user object attribute userPrincipalName and onPremisesUserPrincipalName. Use the following steps to configure the username binding policy. NOTE: If a username binding policy uses synced attributes, such as onPremisesUserPrincipalName attribute of the user object, be aware that any user with administrative access to the Entra ID Connect server can change the sync attribute mapping, and in turn change the value of the synced attribute to their needs. The user does not need to be a cloud admin
  1. Create the username binding by selecting one of the X.509 certificate fields to bind with one of the user attributes. The username binding order represents the priority level of the binding. The first one has the highest priority and so on. If the specified X.509 certificate field is found on the certificate, but Microsoft Entra ID doesn’t find a user object using that value, the authentication fails. Microsoft Entra ID doesn’t try the next binding in the list. The next priority is attempted only if the X.509 certificate field is not in the certificate
  2. Click Save to save the changes
NOTE: Currently supported set of username bindings: ● SAN Principal Name > userPrincipalName ● SAN Principal Name > onPremisesUserPrincipalName ● SAN RFC822Name > userPrincipalName ● SAN RFC822Name > onPremisesUserPrincipalName

Enable CBA on the Tenant

  1. Sign in to the Microsoft Entra portal as an Authentication Policy Administrator
  2. Select Microsoft Entra ID, then choose Security from the menu on the left-hand side
  3. Under Manage, select Authentication methods, then Certificate-based Authentication
  4. Then under Enable and Target, select Enable to enable CBA
    1. CBA can be enabled for a targeted set of users
a. Click All users to enable all users b. Click Select users to enable selected users or groups c. Click + Add users, select specific users and groups d. Click Select to add them Once certificate-based authentication is enabled on the tenant, all users in the tenant will see the option to sign in with a certificate. Only users who are enabled for certificate-based authentication will be able to authenticate using the X.509 certificate To test your configuration, it is essential to verify both your certificate and any custom authentication binding rules you may have set up. To begin testing your certificate, attempt to sign into the MyApps portal using the browser on your device. Follow these steps:
  1. Enter your User Principal Name (UPN).
  2. Click Next
  3. Choose the Sign in with a certificate option
  1. Select Use Certificate or Smart card Note: It is worth mentioning that users might encounter a certificate prompt during their first login attempt. This prompt can be managed through a registry key or a group policy which can suppress the certificate selection prompt if so desired
Template Cofiguration for Shared Workstation Third Party Certifcate Authority