Using MFA from the Java SDK
Question
Wednesday, September 14, 2016 8:36 AM
Hi
I'm researching how a 3rd-party webapp can be integrated with Azure MFA via the Java SDK. Our customer is going to be using Azure AD Premium with apps like Office 365 and SharePoint and is going to be enrolling users once for those apps. I'm assuming that users can be enrolled once and then can use MFA against either of those apps. Generally the users will be using the Android or iOS app for authentication, but some may use OATH or a voice call.
So far I've been able to set up an Azure MFA provider on the cloud and then run the example voice authentication successfully i.e. I get a call on my phone and can hit the # key to authenticate and see a GOOD_AUTH in the test client.
Our app uses directory authentication so our primary login will be against the Azure AD prior to running the MFA.
The Java SDK has an AuthModeInfo class which is extended by StandardPinInfo, POS1PinInfo, PlainTextPinInfo, SHA1PinInfo, SmsInfo, PhoneAppInfo. Is it correct to assume that if we populate a PhoneAppInfo with the user's directory identifier and use it with pfAuth.authenticate(pfParams), Azure will run an MFA using whatever device is enrolled by the user? I will try this, but it would be good to know if I'm on the right lines.
The PhoneAppInfo has a method public void addDeviceToken(String device). I'm not sure what device will be here? Will that be obvious if I register my phone against the MFA Provider?
I guess the bigger question is will our application be able to get all the information needed for the MFA from the Azure AD? Or will we need to capture this information ourselves?
thanks in advance
Ben
All replies (5)
Tuesday, September 20, 2016 11:47 PM ✅ Answered
Ben-
I think there's a couple of different things here with respect to your question:
- As far as authentication goes, if the customer has Azure AD Premium, and you are authenticating via AAD, you should configure the application in AAD to simply require MFA (or a conditional access policy to trigger MFA when you want) rather than trying to re-invent this yourself. In this case, their enrollment for SharePoint, for example, will apply to your app as well (and vice versa). It's all stored in one place.
As far as the SDK questions, it's been a while since I've worked with this in detail, but from what I recollect, here's what I can tell you:
- You're going to need to supply the details if you call the pfAuth helper yourself. It takes a phone number and the other things you're seeing like the PIN to authenticate with, etc.
- I don't believe you can programmatically register a device for push notifications. With the on-premises MFA Server, you can generate the QR code yourself, but I'm not sure if the QR code shown by Azure AD is something you can generate on your own (e.g. is the data in it static?).
Thanks,
Brian
Consulting | Blog | AD Book
Thursday, September 15, 2016 8:07 AM
Hello Ben,
Thank you for posting here!
We are currently researching your query and will get back to you as soon as we have an update.
In the meantime, you may want to check the following links:
Building Multi-Factor Authentication into Custom Apps (SDK) - Link provides code samples for authentication
Use a mobile app as your contact method with Azure Multi-Factor Authentication - It walks you through setting up Azure Multi-Factor Authentication to use your mobile app as your primary contact method.
Thank you for your patience and co-operation!
Regards,
Ajay
Thursday, September 15, 2016 11:00 AM
Hi Ajay
Thanks for responding. I've worked through those links yesterday. I can see that we could incorporate the standard phone call and phone call with PIN into our application. But I'm still not sure that we can incorporate the push-to-app or the OATH modes without doing a lot of work. These are supported by Azure via the Microsoft Authenticator; I'm just not yet able to understand how we can use them via the SDK. The first link mentions that users of the SDK have to manage user enrolment. This is OK when it's just a phone number and PIN, but it becomes more difficult for push or OATH, where QR codes must be generated etc.
Thanks
Ben
Thursday, September 15, 2016 3:37 PM
I found this recent comment from Shawn Bishop at http://disq.us/p/1bnc4a4 which I think suggests that the functions we need (user enrollment, MFA authentication via app push, phone call, OATH) are only in the Web Service SDK of the on-premises MFA Server.
Would be good if that could be confirmed?
thanks
Ben
Tuesday, September 27, 2016 8:12 PM
The Java SDK only supports phone call and text authentication. You can programmatically use the Web Service SDK with MFA Server if users are imported from on-premises AD, allowing users to enroll via the on-premises User Portal. You can also add users to MFA Server programmatically via the Web Service SDK and use the web service operations to generate the mobile app activation code and display the QR code in your own enrollment process.
However, none of that is needed for apps that are published through Azure AD as Brian mentioned. It's better to just enable users for MFA in Azure AD or configure conditional access policies for your app in Azure AD. For other web apps that aren't published/federated with Azure AD, you can publish them using the Azure AD Application Proxy and enable pre-authentication. Then you still have the option to enable Azure AD users for MFA or to set conditional access policies. That's much simpler than building MFA into your app via an SDK.
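Both Brian's reply and the one above recommend letting Azure AD enforce MFA (per-user MFA or a conditional access policy) instead of building it into the app with the SDK. When you do that, the only evidence your application ever sees that a second factor was actually used is the ID token Azure AD issues: the `amr` (authentication method references) claim lists the methods used, e.g. `["pwd"]` for a password-only sign-in and `["pwd", "mfa"]` when MFA was performed. A relying party that needs MFA should therefore not stop at "the user signed in through Azure AD" but check that claim, together with issuer, tenant, audience and validity window, after its OIDC library has verified the token signature. The block below is an added example (Python) and is not code from this thread, from the Azure MFA SDK or from Microsoft. It assumes signature verification has already been done elsewhere, accepts both the v1 (`sts.windows.net`) and v2 (`login.microsoftonline.com/.../v2.0`) issuer forms, and the client ID, tenant ID, clock value and token contents are all constructed for the demonstration.

```python
"""Check that an Azure AD ID token actually proves MFA before trusting it.

Added example, not from the original thread or any Microsoft SDK.
Assumes the token's RS256 signature was already verified by the app's
OIDC library against the tenant's signing keys; this only validates claims.
"""
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def claims_from_token(token: str) -> dict:
    """Return the payload claims of a compact JWT (does NOT check the signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_mfa_claims(claims: dict, client_id: str, tenant_id: str, now=None):
    """Return (accepted, reason). Accept only a fresh token for this app,
    from this tenant, whose amr claim records a multi-factor sign-in."""
    now = int(time.time()) if now is None else now
    # Azure AD v1 tokens use the sts.windows.net issuer, v2 tokens the v2.0 endpoint.
    accepted_issuers = {
        "https://sts.windows.net/%s/" % tenant_id,
        "https://login.microsoftonline.com/%s/v2.0" % tenant_id,
    }
    if claims.get("iss") not in accepted_issuers:
        return False, "issuer is not our tenant"
    if claims.get("tid") != tenant_id:
        return False, "tid does not match our tenant"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "token was not issued for this application"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "token expired or missing exp"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    amr = claims.get("amr")
    if not isinstance(amr, list) or "mfa" not in amr:
        return False, "amr does not record a second factor: %r" % (amr,)
    return True, "ok"


def make_unsigned_demo_token(claims: dict) -> str:
    """Constructed token with a placeholder signature, for this example only."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "demo-key"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed identifiers and a fixed clock (mid-September 2016), not real values.
DEMO_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
DEMO_TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
DEMO_NOW = 1474000000


def _base_claims() -> dict:
    return {
        "iss": "https://sts.windows.net/%s/" % DEMO_TENANT_ID,
        "tid": DEMO_TENANT_ID,
        "aud": DEMO_CLIENT_ID,
        "sub": "demo-subject",
        "upn": "ben@contoso.example",
        "nbf": DEMO_NOW - 60,
        "exp": DEMO_NOW + 3600,
    }


def demo() -> dict:
    """Run the check over a password-only token and a password+MFA token."""
    cases = {
        "password_only": dict(_base_claims(), amr=["pwd"]),
        "password_plus_mfa": dict(_base_claims(), amr=["pwd", "mfa"]),
    }
    results = {}
    for name, claims in cases.items():
        token = make_unsigned_demo_token(claims)
        results[name] = check_mfa_claims(
            claims_from_token(token), DEMO_CLIENT_ID, DEMO_TENANT_ID, now=DEMO_NOW)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(name, "ACCEPT" if ok else "REJECT", reason)
```

The password-only token is rejected and the one carrying `mfa` is accepted. Two design points: `claims_from_token` deliberately does no signature work, so it must sit behind your OIDC library's validation rather than replace it, and the audience check accepts a list as well as a string because `aud` is allowed to be either in a JWT.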