Tutorial: Configure Secure Hybrid Access with Microsoft Entra ID and Datawiza

In this tutorial, learn how to integrate Microsoft Entra ID with Datawiza for hybrid access. Datawiza Access Proxy (DAP) extends Microsoft Entra ID to enable single sign-on (SSO) and provide access controls to protect on-premises and cloud-hosted applications, such as Oracle E-Business Suite, Microsoft IIS, and SAP. With this solution, enterprises can transition from legacy web access managers (WAMs), such as Symantec SiteMinder, NetIQ, Oracle, and IBM, to Microsoft Entra ID without rewriting applications. Enterprises can use Datawiza as a no-code, or low-code, solution to integrate new applications to Microsoft Entra ID. This approach enables enterprises to implement their Zero Trust strategy while saving engineering time and reducing costs.

Learn more: Zero Trust security

Datawiza with Microsoft Entra authentication Architecture

Datawiza integration includes the following components:

  • Microsoft Entra ID - Identity and access management service that helps users sign in and access external and internal resources
  • Datawiza Access Proxy (DAP) - This service transparently passes identity information to applications through HTTP headers
  • Datawiza Cloud Management Console (DCMC) - UI and RESTful APIs for administrators to manage the DAP configuration and access control policies

The following diagram illustrates the authentication architecture with Datawiza in a hybrid environment.

Architecture diagram of the authentication process for user access to an on-premises application.

  1. The user requests access to the on-premises or cloud-hosted application. DAP proxies the request to the application.
  2. DAP checks user authentication state. If there's no session token, or the session token is invalid, DAP sends the user request to Microsoft Entra ID for authentication.
  3. Microsoft Entra ID sends the user request to the endpoint specified during DAP registration in the Microsoft Entra tenant.
  4. DAP evaluates policies and attribute values to be included in HTTP headers forwarded to the application. DAP might call out to the identity provider to retrieve the information to set the header values correctly. DAP sets the header values and sends the request to the application.
  5. The user is authenticated and is granted access.

Prerequisites

To get started, you need:

  • An Azure subscription
  • An Microsoft Entra tenant linked to the Azure subscription
  • Docker and docker-compose are required to run DAP
    • Your applications can run on platforms, such as a virtual machine (VM) or bare metal
  • An on-premises or cloud-hosted application to transition from a legacy identity system to Microsoft Entra ID
    • In this example, DAP is deployed on the same server as the application
    • The application runs on localhost: 3001. DAP proxies traffic to the application via localhost: 9772
    • The traffic to the application reaches DAP, and is proxied to the application

Configure Datawiza Cloud Management Console

  1. Sign in to Datawiza Cloud Management Console (DCMC).

  2. Create an application on DCMC and generate a key pair for the app: PROVISIONING_KEY and PROVISIONING_SECRET.

  3. To create the app and generate the key pair, follow the instructions in Datawiza Cloud Management Console.

  4. Register your application in Microsoft Entra ID with One Click Integration With Microsoft Entra ID.

    Screenshot of the Automatic Generator feature on the Configure IdP dialog.

  5. To use a web application, manually populate form fields: Tenant ID, Client ID, and Client Secret.

    Learn more: To create a web application and obtain values, go to docs.datawiza.com for Microsoft Entra ID documentation.

    Screenshot of the Configure IdP dialog with the Automatic Generator turned off.

  6. Run DAP using either Docker or Kubernetes. The docker image is needed to create a sample header-based application.

services:
   datawiza-access-broker:
   image: registry.gitlab.com/datawiza/access-broker
   container_name: datawiza-access-broker
   restart: always
   ports:
   - "9772:9772"
   environment:
   PROVISIONING_KEY: #############################################
   PROVISIONING_SECRET: ##############################################
   
   header-based-app:
   image: registry.gitlab.com/datawiza/header-based-app
   restart: always
ports:
- "3001:3001"
  1. Sign in to the container registry.
  2. Download the DAP images and the header-based application in this Important Step.
  3. Run the following command: docker-compose -f docker-compose.yml up.
  4. The header-based application has SSO enabled with Microsoft Entra ID.
  5. In a browser, go to http://localhost:9772/.
  6. A Microsoft Entra sign-in page appears.
  7. Pass user attributes to the header-based application. DAP gets user attributes from Microsoft Entra ID and passes attributes to the application via a header or cookie.
  8. To pass user attributes such as email address, first name, and last name to the header-based application, see Pass User Attributes.
  9. To confirm configured user attributes, observe a green check mark next to each attribute.

Screenshot of the home page with host, email, firstname, and lastname attributes.

Test the flow

  1. Go to the application URL.
  2. DAP redirects you to the Microsoft Entra sign-in page.
  3. After authentication, you're redirected to DAP.
  4. DAP evaluates policies, calculates headers, and sends you to the application.
  5. The requested application appears.

Next steps