2FA through azure ad with [entity id and ACS]

N 1 Reputation point
2023-06-02T03:17:13.0066667+00:00

We want to implement microsoft 2FA in our mvc application. our network team asked 2 things to share.

1-Entity ID

2- ACS URL

How can we implement entity ID and ACS URL in MVC application. Any help will be highly appreciated.

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
6,132 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,601 questions
{count} votes

2 answers

Sort by: Most helpful
  1. VasimTamboli 4,785 Reputation points
    2023-06-04T13:25:50.7933333+00:00

    To implement Microsoft 2FA (Two-Factor Authentication) in your MVC application and provide the entity ID and ACS URL to your network team, you can follow these steps:

    Set up Azure Active Directory (Azure AD): a. Create an Azure AD tenant or use an existing one. b. Register your MVC application in Azure AD. This will allow your application to authenticate users and interact with Azure AD for 2FA. c. Configure the required authentication settings in Azure AD, such as enabling 2FA for users.

    Retrieve the Entity ID and ACS URL: a. In the Azure portal, go to the Azure AD configuration for your registered application. b. Navigate to the "Endpoints" section and locate the "Federation Metadata Document" URL. This URL contains the entity ID and other federation-related information. c. Share the entity ID and ACS URL from the federation metadata document with your network team.

    Implement 2FA in your MVC application: a. Install the appropriate NuGet packages to support Azure AD authentication in your MVC application. One common package is "Microsoft.Owin.Security.OpenIdConnect". b. Configure the authentication middleware in your MVC application's Startup class to use Azure AD as the authentication provider. c. Specify the entity ID and ACS URL in the authentication configuration. You can typically find configuration options in the Startup class, such as app.UseOpenIdConnectAuthentication(). d. Customize the login page and UI to prompt users for 2FA, and handle the response to complete the authentication process.

    It's important to note that the exact implementation details may vary depending on your specific application and requirements. You may need to refer to the Azure AD documentation and Azure AD-related resources for detailed guidance.

    Additionally, using Microsoft Authenticator as the 2FA method can provide an additional layer of security. You can instruct your users to install the Microsoft Authenticator app on their mobile devices and configure it to work with Azure AD. This will enable them to receive and respond to authentication prompts for the second factor.


  2. 2023-06-28T04:58:55.4833333+00:00

    Hello @N, in order to implement Azure AD authentication with SAML in ASP.NET MVC (.NET Framework) and Sustainsys.Saml2.Mvc you need, as a minimum, to set the following values in your application web.config:

      <sustainsys.saml2 entityId="https://localhost:44302/Saml2" returnUrl="https://localhost:44302/" >
        <identityProviders>
          <add entityId="https://sts.windows.net/22a84c88-253a-4025-a5c4-e0dc365b8d17/" signOnUrl="https://login.microsoftonline.com/22a84c88-253a-4025-a5c4-e0dc365b8d17/saml2" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" >
            <signingCertificate fileName="~/App_Data/sustainsys.cer"/>
          </add>
        </identityProviders>
      </sustainsys.saml2>
    

    Where:

    • sustainsys.saml2.entityId is your Azure AD enterprise application Identifier (Entity ID)
    • sustainsys.saml2.returnUrl is where you want sustainsys to redirect after hitting the AssertionConsumerServiceURL
    • identityProviders/add.0/entityId is your Azure AD enterprise application Azure AD Identifier
    • identityProviders/add.0/signOnUrl is your Azure AD enterprise application Login URL
    • identityProviders/add.0/signingCertificate.fileName is the path to your Azure AD enterprise application SAML Certificate (Base64)

    In Azure AD you should create an enteprise application with the following information:

    For more information take a look to Single sign-on SAML protocol , <sustainsys.saml2> Element and the following sample: https://github.com/Sustainsys/Saml2/tree/v2/Samples/SampleMvcApplication.

    Regarding MFA it's not configured in the application but in Azure AD. Take a look to Turn on multi-factor authentication.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.