Appendix - CBA for SAS PCE as Entra ID External Authentication Method (EAM)
Before configuring Certificate-Based Authentication (CBA) to work with Entra ID External Authentication Method (EAM), ensure the following steps are completed:
Configuring Certificate-Based Authentication (CBA)
- Go to the realm configured for Entra ID EAM (SAS PCE).
- In the left pane, click Authentication, and in the right pane, on the Flows tab, click SafeNet OTP Flow.
- Under SafeNet OTP Flow, click Add step.
- In the pop-up window that is displayed, search for X509/Validate Username Form and click Add to add the form to the flow.
- For X509/Validate Username Form, set the Requirement to Alternative and move it above SafeNet OTP Flow Forms, as shown in the screenshot below. With the requirement set to Alternative, a user who presents a valid client certificate completes this step and skips the OTP forms; a user without a certificate falls through to SafeNet OTP Flow Forms.
- For X509/Validate Username Form, click ⚙️.
- In the X509/Validate Username Form config window, perform the following steps:
  - In the Alias field, enter sc.
  - In the Authenticator Reference field, enter sc.
  - In the User Identity Source field, select Subject's Alternative Name otherName (UPN). The authenticator then takes the user identity from the UPN carried in the otherName entry of the certificate's Subject Alternative Name extension.
  - In the User mapping method field, select Username or Email. The UPN extracted from the certificate must match the realm user's username or email address exactly, or the step fails.
  - Ensure that the Check certificate validity toggle is turned on. This rejects certificates that are not yet valid or have expired; it does not by itself check revocation, which has its own CRL and OCSP settings.
  - Click Save.
-
Verifying Authentication
As a prerequisite, install the client certificate on the system where the authentication will occur. In Certificate Manager (certmgr.msc), import the .pfx (PKCS #12) file, including its private key, into the current user's Personal > Certificates store.
Note
Ensure that the client certificate carries the UserPrincipalName in the Subject Alternative Name extension as an otherName entry (Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3), because that is the field the X509/Validate Username Form reads to identify the user. A UPN that appears only in the Subject or as an RFC822 email name is not picked up by the User Identity Source selected above.
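The following PowerShell script is an added example written for this appendix; it is not part of the original page and not a SafeNet or Entra ID tool. It assumes a Windows client on which the .pfx has already been imported into the current user's Personal > Certificates store (Cert:\CurrentUser\My), and the function names are the example's own. It lists every certificate in that store and reports the properties the X509/Validate Username Form depends on: a UPN in the SAN otherName entry, a validity period that covers today, a Client Authentication EKU, and an accessible private key.

```powershell
# Added example (not from the original page): check the certificates in the
# current user's Personal store for the properties the X509/Validate Username
# Form relies on. Function names and output columns are this example's own.

$SanOid        = '2.5.29.17'          # Subject Alternative Name extension
$EkuOid        = '2.5.29.37'          # Extended Key Usage extension
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'  # id-kp-clientAuth

function Get-SanUpn {
    # Returns the UPN from the SAN otherName entry (Microsoft OID 1.3.6.1.4.1.311.20.2.3),
    # or $null if the certificate has no SAN extension or no UPN in it.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $san) { return $null }
    # Format($true) renders the extension as text; Windows labels the UPN entry "Principal Name=".
    if ($san.Format($true) -match 'Principal Name=([^\s,]+)') { return $Matches[1] }
    return $null
}

function Test-ClientAuthEku {
    # $true when the certificate lists clientAuth in its EKU, or has no EKU at all
    # (a certificate without an EKU extension is not restricted to any purpose).
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if (-not $eku) { return $true }
    return (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthOid)
}

function Test-EamClientCertificate {
    # Summarises one certificate against the checks the EAM flow needs.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now        = Get-Date
    $upn        = Get-SanUpn $Cert
    $validNow   = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -ge $now)
    $clientAuth = Test-ClientAuthEku $Cert
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        Upn           = $upn                       # must equal the realm user's username or email
        ValidNow      = $validNow                  # what "Check certificate validity" enforces
        ClientAuthEku = $clientAuth
        HasPrivateKey = $Cert.HasPrivateKey        # false if the .pfx was imported without its key
        Usable        = [bool]$upn -and $validNow -and $clientAuth -and $Cert.HasPrivateKey
    }
}

# Run over the store the page tells you to import the .pfx into (Personal > Certificates).
$results = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-EamClientCertificate $_ }
$results | Format-Table Subject, Upn, ValidNow, ClientAuthEku, HasPrivateKey, Usable -AutoSize

if (-not ($results | Where-Object Usable)) {
    Write-Warning 'No certificate in Cert:\CurrentUser\My carries a UPN in its SAN; the X509/Validate Username Form cannot identify the user.'
}
```

To check a .pfx before importing it, pass it through Get-PfxCertificate instead of reading the store, for example Test-EamClientCertificate (Get-PfxCertificate -FilePath .\user.pfx); the cmdlet prompts for the file's password. The Upn column is the value the authenticator will look up with the Username or Email mapping, so it must match the realm user exactly, case included.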
Perform the following steps to test the authentication:
- Navigate to the application URL that you have configured as a client in your SafeNet Access Exchange realm, for example https://portal.office.com.
- When prompted, select the correct user certificate.
- Click CONTINUE.
- Click Yes.
After successful authentication, you will be redirected to office.com.