2FA through azure ad with [entity id and ACS]

Question

2FA through azure ad with [entity id and ACS]

N 1

We want to implement microsoft 2FA in our mvc application. our network team asked 2 things to share.

1-Entity ID

2- ACS URL

How can we implement entity ID and ACS URL in MVC application. Any help will be highly appreciated.

Sandeep G-MSFT 21,151 Reputation points Microsoft Employee Moderator

2023-06-14T04:16:35.64+00:00

@N

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
N 1 Reputation point

2023-06-26T05:55:33.75+00:00

@Sandeep G-MSFT It is not working can you please suggest sample code for asp.net mvc c#,

we are not using core
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-06-26T13:01:58.4633333+00:00

Hello @N , Entity ID and ACS URL are elements of SAML authentication. Is that the protocol you're trying to use? Or is it OAuth2/OpenIDC? What libraries or packages are you using for authentication?

N 1

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

we have asp.net mvc c# web application.

We are using saml2 authentication azure ad,

app is created in azure we received certificate and .xml file.

we have acs url and entityID.

We are trying to do this with the halp of Sustainsys.Saml2.Mvc  nuget package.

We found this configuration file in website.

<configSections>

    <!-- Add these sections below any existing. -->

    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />

    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />

    <section name="sustainsys.saml2" type="Sustainsys.Saml2.Configuration.SustainsysSaml2Section, Sustainsys.Saml2"/>

</configSections>

<system.webServer>

    <modules>

        <!-- Add these modules below any existing. The SessionAuthenticatioModule

            must be loaded before the Saml2AuthenticationModule -->

        <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

        <!-- Only add the Saml2AuthenticationModule if you're using the Sustainsys.Saml2.HttpModule

            library. If you are using Sustainsys.Saml2.Mvc you SHOULD NOT load this module.-->

        <add name="Saml2AuthenticationModule" type="Sustainsys.Saml2.HttpModule.Saml2AuthenticationModule, Sustainsys.Saml2.HttpModule"/>

    </modules>

</system.webServer>

<sustainsys.saml2 entityId="http://localhost:17009"

                    returnUrl="http://localhost:17009/SamplePath/"

                    discoveryServiceUrl="http://localhost:52071/DiscoveryService"

                    authenticateRequestSigningBehavior="Always">

    <nameIdPolicy allowCreate="true" format="Persistent"/>

    <metadata cacheDuration="PT42S" validDuration="7.12:00:00" wantAssertionsSigned="true">

        <organization name="Sustainsys AB" displayName="Sustainsys" url="https://www.Sustainsys.com" language="sv" />

        <contactPerson type="Other" email="******@Sustainsys.se" />

        <requestedAttributes>

        <add friendlyName ="Some Name" name="urn:someName" 

nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />

        <add name="Minimal" />

        </requestedAttributes>

    </metadata>

    <identityProviders>

        <add entityId="https://stubidp.sustainsys.com/Metadata"

            signOnUrl="https://stubidp.sustainsys.com"

            allowUnsolicitedAuthnResponse="true"

            binding="HttpRedirect"

            wantAuthnRequestsSigned="true">

        <signingCertificate storeName="AddressBook" storeLocation="CurrentUser"

                            findValue="Sustainsys.Saml2.StubIdp" x509FindType="FindBySubjectName" />

        </add>

        <add entityId="example-idp"

            metadataLocation="https://idp.example.com/Metadata"

            allowUnsolicitedAuthnResponse="true"

            loadMetadata = "true" />

    </identityProviders>

    <!-- Optional configuration for signed requests. Required for Single Logout. -->

    <serviceCertificates>

        <add fileName="~/App_Data/Sustainsys.Saml2.Tests.pfx" />

    </serviceCertificates>

    <!-- Optional configuration for fetching IDP list from a federation -->

    <federations>

        <add metadataLocation="https://federation.example.com/metadata.xml" allowUnsolicitedAuthnResponse = "false" />

    </federations>

</sustainsys.saml2>

we tried to make modification but it is not working as per expected.

Can you please suggest what exact value we need to replace

2 answers

Your answer

Sandeep G-MSFT 21,151 Reputation points Microsoft Employee Moderator

2023-06-14T04:16:35.64+00:00

@N

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
N 1 Reputation point

2023-06-26T05:55:33.75+00:00

@Sandeep G-MSFT It is not working can you please suggest sample code for asp.net mvc c#,

we are not using core
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-06-26T13:01:58.4633333+00:00

Hello @N , Entity ID and ACS URL are elements of SAML authentication. Is that the protocol you're trying to use? Or is it OAuth2/OpenIDC? What libraries or packages are you using for authentication?

Answer 1

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Moderator

Hello @N, in order to implement Azure AD authentication with SAML in ASP.NET MVC (.NET Framework) and Sustainsys.Saml2.Mvc you need, as a minimum, to set the following values in your application web.config:

  <sustainsys.saml2 entityId="https://localhost:44302/Saml2" returnUrl="https://localhost:44302/" >
    <identityProviders>
      <add entityId="https://sts.windows.net/22a84c88-253a-4025-a5c4-e0dc365b8d17/" signOnUrl="https://login.microsoftonline.com/22a84c88-253a-4025-a5c4-e0dc365b8d17/saml2" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" >
        <signingCertificate fileName="~/App_Data/sustainsys.cer"/>
      </add>
    </identityProviders>
  </sustainsys.saml2>

Where:

sustainsys.saml2.entityId is your Azure AD enterprise application Identifier (Entity ID)
sustainsys.saml2.returnUrl is where you want sustainsys to redirect after hitting the AssertionConsumerServiceURL
identityProviders/add.0/entityId is your Azure AD enterprise application Azure AD Identifier
identityProviders/add.0/signOnUrl is your Azure AD enterprise application Login URL
identityProviders/add.0/signingCertificate.fileName is the path to your Azure AD enterprise application SAML Certificate (Base64)

In Azure AD you should create an enteprise application with the following information:

Identifier (Entity ID): https://localhost:44302/Saml2
Reply URL (Assertion Consumer Service URL): https://localhost:44302/Saml2/acs

For more information take a look to Single sign-on SAML protocol , <sustainsys.saml2> Element and the following sample: https://github.com/Sustainsys/Saml2/tree/v2/Samples/SampleMvcApplication.

Regarding MFA it's not configured in the application but in Azure AD. Take a look to Turn on multi-factor authentication.

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

N 1

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

This is our details 
EntityID  -  https://localhost:44385/Console
ACS URL  -   https://localhost:44385/
we received one xml file and one certificate from azure app admin team.
metadata location I copied file in drive and giving drive location.
Below changes I made in sustainsys config.
after adding below config nothing is happing. atleast it should redirect to authenticate page. Can you please suggest.
<sustainsys.saml2 entityId="https://localhost:44385/" returnUrl="https://localhost:44385/Console" >
    <identityProviders>
      <add entityId="https://sts.windows.net/edf442f5-b994-4c86-a131-b42b03a16c95/" signOnUrl="https://login.microsoftonline.com/edf442f5-b994-4c86-a131-b42b03a16c95/saml2" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" >
        <signingCertificate fileName="~/App_Data/mycertificate.cer"/>
      </add>
    </identityProviders>
	<federations>
      <add metadataLocation="~/App_Data/mymetadata.xml" allowUnsolicitedAuthnResponse="true"/>
    </federations>
</sustainsys.saml2>

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-06-28T19:09:33.6966667+00:00
It will redirect to the Azure AuthN UI for routes that have the [Authorize] attribute applied. Eg.

[Authorize] public ActionResult Secure() { var identity = System.Web.HttpContext.Current.User.Identity as ClaimsIdentity; return View(identity.Claims); }
N 1 Reputation point

2023-06-29T06:42:18.14+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

Where we need to add this method?
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-06-29T21:21:13.9033333+00:00
To the methods declared in your controller for the routes that you want to protect. Eg. The following file defines 2 routes: /Home/Index and /Home/Secure. The latter is protected/secured with the aforementioned attribute. Only authenticated users can access. Non-authenticated will get redirected to the Azure AD login UI: https://github.com/Sustainsys/Saml2/blob/v2/Samples/SampleMvcApplication/Controllers/HomeController.cs

using System; using System.Collections.Generic; using System.Linq; using System.Security.Claims; using System.Web; using System.Web.Mvc; namespace SampleMvcApplication.Controllers { public class HomeController : Controller { public ActionResult Index() { return View(); } [Authorize] public ActionResult Secure() { var identity = System.Web.HttpContext.Current.User.Identity as ClaimsIdentity; return View(identity.Claims); } } }

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
N 1 Reputation point

2023-06-30T08:52:21.0733333+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

I made changes as per suggestions but still it is not prompting for authentication. direct dafault page is opening
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-06-30T14:57:07.93+00:00

What's the default page route?
N 1 Reputation point

2023-06-30T14:59:59.91+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

index of home controller
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-06-30T15:03:24.76+00:00

Have you applied the [Authorize] attribute to the /Index route?
N 1 Reputation point

2023-06-30T15:31:16.9233333+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

Untitled.png Web.txt HomeController.txt

I have attach the files after adding authorize attribute I am getting HTTP Error 401.0 - Unauthorized

You do not have permission to view this directory or page.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-06-30T15:56:00.1966667+00:00

Please share your App_Start\Startup.Auth.cs file. Or better email your project source code, minus PII, to azcommunity@microsoft.com with Subject Attn: Alfredo Revilla.
N 1 Reputation point

2023-06-30T15:58:53.08+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

I do not add anything on App_Start\Startup.Auth.cs file. because Sustainsys
not mentioned
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-06-30T16:19:19.62+00:00

At this point the best is to inspect your complete source code. Can you send it to the provided email address? Also, your IIS Express logs
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-06-30T16:21:13.26+00:00

I can also configure a simple working application configured with your SAML settings and publish it in a private repo for you to inspect. In order to give you access I need your github handle.
N 1 Reputation point

2023-06-30T16:26:41.95+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

https://github.com/Raj1121212/2fa
N 1 Reputation point

2023-06-30T17:58:46.0066667+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA r u sending code
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-06-30T21:13:27.6566667+00:00

I checked the github repo and it does not exist. Let's please continue this offline trough email (azcommunity@microsoft.com with Subject Attn: Alfredo Revilla) to avoid cluttering the thread with too many comments.
N 1 Reputation point

2023-07-01T05:31:03.43+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

I sent mail please check https://github.com/Raj1121212/Testing2fa
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-07-02T06:00:11.6+00:00

Ok let's continue trough email.
N 1 Reputation point

2023-07-03T17:35:11.7033333+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA I am waiting for your reply over mail
N 1 Reputation point

2023-07-03T17:36:09.9833333+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA I am waiting for reply over mail

Answer 2

To implement Microsoft 2FA (Two-Factor Authentication) in your MVC application and provide the entity ID and ACS URL to your network team, you can follow these steps:

Set up Azure Active Directory (Azure AD): a. Create an Azure AD tenant or use an existing one. b. Register your MVC application in Azure AD. This will allow your application to authenticate users and interact with Azure AD for 2FA. c. Configure the required authentication settings in Azure AD, such as enabling 2FA for users.

Retrieve the Entity ID and ACS URL: a. In the Azure portal, go to the Azure AD configuration for your registered application. b. Navigate to the "Endpoints" section and locate the "Federation Metadata Document" URL. This URL contains the entity ID and other federation-related information. c. Share the entity ID and ACS URL from the federation metadata document with your network team.

Implement 2FA in your MVC application: a. Install the appropriate NuGet packages to support Azure AD authentication in your MVC application. One common package is "Microsoft.Owin.Security.OpenIdConnect". b. Configure the authentication middleware in your MVC application's Startup class to use Azure AD as the authentication provider. c. Specify the entity ID and ACS URL in the authentication configuration. You can typically find configuration options in the Startup class, such as app.UseOpenIdConnectAuthentication(). d. Customize the login page and UI to prompt users for 2FA, and handle the response to complete the authentication process.

It's important to note that the exact implementation details may vary depending on your specific application and requirements. You may need to refer to the Azure AD documentation and Azure AD-related resources for detailed guidance.

Additionally, using Microsoft Authenticator as the 2FA method can provide an additional layer of security. You can instruct your users to install the Microsoft Authenticator app on their mobile devices and configure it to work with Azure AD. This will enable them to receive and respond to authentication prompts for the second factor.

N 1 Reputation point

2023-06-22T06:53:27.42+00:00

@vasim tamboli Now how can we implement in asp.net mvc to use this 2 fa.

we got one xml and certificate from app team
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator

2023-06-26T13:11:27.24+00:00

Hello @VasimTamboli and thanks for providing an answer. Althought the use of AI tools to help answer user questions is permitted on Q&A there's requirements that users must follow such as The answer must clearly indicate it was fully or partially provided by an AI service and also, it's must list which service generated the initial response. Please review them and ensure your answer follows the aforementioned.

Share via

2FA through azure ad with [entity id and ACS]

2 answers

Your answer