2FA through azure ad with [entity id and ACS]

N 1

We want to implement microsoft 2FA in our mvc application. our network team asked 2 things to share.

1-Entity ID

2- ACS URL

How can we implement entity ID and ACS URL in MVC application. Any help will be highly appreciated.

Sandeep G-MSFT 14,076 Reputation points Microsoft Employee

2023-06-14T04:16:35.64+00:00

@N

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
N 1 Reputation point

2023-06-26T05:55:33.75+00:00

@Sandeep G-MSFT It is not working can you please suggest sample code for asp.net mvc c#,

we are not using core
Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-06-26T13:01:58.4633333+00:00

Hello @N , Entity ID and ACS URL are elements of SAML authentication. Is that the protocol you're trying to use? Or is it OAuth2/OpenIDC? What libraries or packages are you using for authentication?

N 1

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM

we have asp.net mvc c# web application.

We are using saml2 authentication azure ad,

app is created in azure we received certificate and .xml file.

we have acs url and entityID.

We are trying to do this with the halp of Sustainsys.Saml2.Mvc  nuget package.

We found this configuration file in website.

<configSections>

    <!-- Add these sections below any existing. -->

    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />

    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />

    <section name="sustainsys.saml2" type="Sustainsys.Saml2.Configuration.SustainsysSaml2Section, Sustainsys.Saml2"/>

</configSections>

<system.webServer>

    <modules>

        <!-- Add these modules below any existing. The SessionAuthenticatioModule

            must be loaded before the Saml2AuthenticationModule -->

        <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

        <!-- Only add the Saml2AuthenticationModule if you're using the Sustainsys.Saml2.HttpModule

            library. If you are using Sustainsys.Saml2.Mvc you SHOULD NOT load this module.-->

        <add name="Saml2AuthenticationModule" type="Sustainsys.Saml2.HttpModule.Saml2AuthenticationModule, Sustainsys.Saml2.HttpModule"/>

    </modules>

</system.webServer>

<sustainsys.saml2 entityId="http://localhost:17009"

                    returnUrl="http://localhost:17009/SamplePath/"

                    discoveryServiceUrl="http://localhost:52071/DiscoveryService"

                    authenticateRequestSigningBehavior="Always">

    <nameIdPolicy allowCreate="true" format="Persistent"/>

    <metadata cacheDuration="PT42S" validDuration="7.12:00:00" wantAssertionsSigned="true">

        <organization name="Sustainsys AB" displayName="Sustainsys" url="https://www.Sustainsys.com" language="sv" />

        <contactPerson type="Other" email="info@Sustainsys.se" />

        <requestedAttributes>

        <add friendlyName ="Some Name" name="urn:someName" 

nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />

        <add name="Minimal" />

        </requestedAttributes>

    </metadata>

    <identityProviders>

        <add entityId="https://stubidp.sustainsys.com/Metadata"

            signOnUrl="https://stubidp.sustainsys.com"

            allowUnsolicitedAuthnResponse="true"

            binding="HttpRedirect"

            wantAuthnRequestsSigned="true">

        <signingCertificate storeName="AddressBook" storeLocation="CurrentUser"

                            findValue="Sustainsys.Saml2.StubIdp" x509FindType="FindBySubjectName" />

        </add>

        <add entityId="example-idp"

            metadataLocation="https://idp.example.com/Metadata"

            allowUnsolicitedAuthnResponse="true"

            loadMetadata = "true" />

    </identityProviders>

    <!-- Optional configuration for signed requests. Required for Single Logout. -->

    <serviceCertificates>

        <add fileName="~/App_Data/Sustainsys.Saml2.Tests.pfx" />

    </serviceCertificates>

    <!-- Optional configuration for fetching IDP list from a federation -->

    <federations>

        <add metadataLocation="https://federation.example.com/metadata.xml" allowUnsolicitedAuthnResponse = "false" />

    </federations>

</sustainsys.saml2>

we tried to make modification but it is not working as per expected.

Can you please suggest what exact value we need to replace

2 answers

VasimTamboli 4,410 Reputation points

2023-06-04T13:25:50.7933333+00:00

To implement Microsoft 2FA (Two-Factor Authentication) in your MVC application and provide the entity ID and ACS URL to your network team, you can follow these steps:

Set up Azure Active Directory (Azure AD): a. Create an Azure AD tenant or use an existing one. b. Register your MVC application in Azure AD. This will allow your application to authenticate users and interact with Azure AD for 2FA. c. Configure the required authentication settings in Azure AD, such as enabling 2FA for users.

Retrieve the Entity ID and ACS URL: a. In the Azure portal, go to the Azure AD configuration for your registered application. b. Navigate to the "Endpoints" section and locate the "Federation Metadata Document" URL. This URL contains the entity ID and other federation-related information. c. Share the entity ID and ACS URL from the federation metadata document with your network team.

Implement 2FA in your MVC application: a. Install the appropriate NuGet packages to support Azure AD authentication in your MVC application. One common package is "Microsoft.Owin.Security.OpenIdConnect". b. Configure the authentication middleware in your MVC application's Startup class to use Azure AD as the authentication provider. c. Specify the entity ID and ACS URL in the authentication configuration. You can typically find configuration options in the Startup class, such as app.UseOpenIdConnectAuthentication(). d. Customize the login page and UI to prompt users for 2FA, and handle the response to complete the authentication process.

It's important to note that the exact implementation details may vary depending on your specific application and requirements. You may need to refer to the Azure AD documentation and Azure AD-related resources for detailed guidance.

Additionally, using Microsoft Authenticator as the 2FA method can provide an additional layer of security. You can instruct your users to install the Microsoft Authenticator app on their mobile devices and configure it to work with Azure AD. This will enable them to receive and respond to authentication prompts for the second factor.
Please sign in to rate this answer.
N 1 Reputation point

2023-06-22T06:53:27.42+00:00

@vasim tamboli Now how can we implement in asp.net mvc to use this 2 fa.

we got one xml and certificate from app team

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-06-26T13:11:27.24+00:00

Hello @VasimTamboli and thanks for providing an answer. Althought the use of AI tools to help answer user questions is permitted on Q&A there's requirements that users must follow such as The answer must clearly indicate it was fully or partially provided by an AI service and also, it's must list which service generated the initial response. Please review them and ensure your answer follows the aforementioned.
Sign in to comment
Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-06-28T04:58:55.4833333+00:00
Hello @N, in order to implement Azure AD authentication with SAML in ASP.NET MVC (.NET Framework) and Sustainsys.Saml2.Mvc you need, as a minimum, to set the following values in your application web.config:

<sustainsys.saml2 entityId="https://localhost:44302/Saml2" returnUrl="https://localhost:44302/" > <identityProviders> <add entityId="https://sts.windows.net/22a84c88-253a-4025-a5c4-e0dc365b8d17/" signOnUrl="https://login.microsoftonline.com/22a84c88-253a-4025-a5c4-e0dc365b8d17/saml2" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" > <signingCertificate fileName="~/App_Data/sustainsys.cer"/> </add> </identityProviders> </sustainsys.saml2>

Where:

sustainsys.saml2.entityId is your Azure AD enterprise application Identifier (Entity ID)

sustainsys.saml2.returnUrl is where you want sustainsys to redirect after hitting the AssertionConsumerServiceURL

identityProviders/add.0/entityId is your Azure AD enterprise application Azure AD Identifier

identityProviders/add.0/signOnUrl is your Azure AD enterprise application Login URL

identityProviders/add.0/signingCertificate.fileName is the path to your Azure AD enterprise application SAML Certificate (Base64)

In Azure AD you should create an enteprise application with the following information:

Identifier (Entity ID): https://localhost:44302/Saml2

Reply URL (Assertion Consumer Service URL): https://localhost:44302/Saml2/acs

For more information take a look to Single sign-on SAML protocol , <sustainsys.saml2> Element and the following sample: https://github.com/Sustainsys/Saml2/tree/v2/Samples/SampleMvcApplication.

Regarding MFA it's not configured in the application but in Azure AD. Take a look to Turn on multi-factor authentication.

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
Please sign in to rate this answer.
N 1 Reputation point

2023-06-28T11:07:31.16+00:00

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM

This is our details EntityID - https://localhost:44385/Console ACS URL - https://localhost:44385/ we received one xml file and one certificate from azure app admin team. metadata location I copied file in drive and giving drive location. Below changes I made in sustainsys config. after adding below config nothing is happing. atleast it should redirect to authenticate page. Can you please suggest. <sustainsys.saml2 entityId="https://localhost:44385/" returnUrl="https://localhost:44385/Console" > <identityProviders> <add entityId="https://sts.windows.net/edf442f5-b994-4c86-a131-b42b03a16c95/" signOnUrl="https://login.microsoftonline.com/edf442f5-b994-4c86-a131-b42b03a16c95/saml2" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" > <signingCertificate fileName="~/App_Data/mycertificate.cer"/> </add> </identityProviders> <federations> <add metadataLocation="~/App_Data/mymetadata.xml" allowUnsolicitedAuthnResponse="true"/> </federations> </sustainsys.saml2>

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-06-28T19:09:33.6966667+00:00

It will redirect to the Azure AuthN UI for routes that have the [Authorize] attribute applied. Eg.

[Authorize] public ActionResult Secure() { var identity = System.Web.HttpContext.Current.User.Identity as ClaimsIdentity; return View(identity.Claims); }

N 1 Reputation point

2023-06-29T06:42:18.14+00:00

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM

Where we need to add this method?

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-06-29T21:21:13.9033333+00:00

To the methods declared in your controller for the routes that you want to protect. Eg. The following file defines 2 routes: /Home/Index and /Home/Secure. The latter is protected/secured with the aforementioned attribute. Only authenticated users can access. Non-authenticated will get redirected to the Azure AD login UI: https://github.com/Sustainsys/Saml2/blob/v2/Samples/SampleMvcApplication/Controllers/HomeController.cs

using System; using System.Collections.Generic; using System.Linq; using System.Security.Claims; using System.Web; using System.Web.Mvc; namespace SampleMvcApplication.Controllers { public class HomeController : Controller { public ActionResult Index() { return View(); } [Authorize] public ActionResult Secure() { var identity = System.Web.HttpContext.Current.User.Identity as ClaimsIdentity; return View(identity.Claims); } } }

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

N 1 Reputation point

2023-06-30T08:52:21.0733333+00:00

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM

I made changes as per suggestions but still it is not prompting for authentication. direct dafault page is opening

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-06-30T14:57:07.93+00:00

What's the default page route?

N 1 Reputation point

2023-06-30T14:59:59.91+00:00

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM

index of home controller

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-06-30T15:03:24.76+00:00

Have you applied the [Authorize] attribute to the /Index route?

N 1 Reputation point

2023-06-30T15:31:16.9233333+00:00

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM

Untitled.png Web.txt HomeController.txt

I have attach the files after adding authorize attribute I am getting HTTP Error 401.0 - Unauthorized

You do not have permission to view this directory or page.

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-06-30T15:56:00.1966667+00:00

Please share your App_Start\Startup.Auth.cs file. Or better email your project source code, minus PII, to azcommunity@microsoft.com with Subject Attn: Alfredo Revilla.

N 1 Reputation point

2023-06-30T15:58:53.08+00:00

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM

I do not add anything on App_Start\Startup.Auth.cs file. because Sustainsys
not mentioned

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-06-30T16:19:19.62+00:00

At this point the best is to inspect your complete source code. Can you send it to the provided email address? Also, your IIS Express logs

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-06-30T16:21:13.26+00:00

I can also configure a simple working application configured with your SAML settings and publish it in a private repo for you to inspect. In order to give you access I need your github handle.

N 1 Reputation point

2023-06-30T16:26:41.95+00:00

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM

https://github.com/Raj1121212/2fa

N 1 Reputation point

2023-06-30T17:58:46.0066667+00:00

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM r u sending code

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-06-30T21:13:27.6566667+00:00

I checked the github repo and it does not exist. Let's please continue this offline trough email (azcommunity@microsoft.com with Subject Attn: Alfredo Revilla) to avoid cluttering the thread with too many comments.

N 1 Reputation point

2023-07-01T05:31:03.43+00:00

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM

I sent mail please check https://github.com/Raj1121212/Testing2fa

Alfredo Revilla - Senior Freelance SWE, SWA, IAM 26,936 Reputation points

2023-07-02T06:00:11.6+00:00

Ok let's continue trough email.

N 1 Reputation point

2023-07-03T17:35:11.7033333+00:00

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM I am waiting for your reply over mail

N 1 Reputation point

2023-07-03T17:36:09.9833333+00:00

@Alfredo Revilla - Senior Freelance SWE, SWA, IAM I am waiting for reply over mail
Sign in to comment