Appendix - CBA for SAS PCE as Entra ID External Authentication Method (EAM)

Before configuring Certificate-Based Authentication (CBA) to work with Entra ID External Authentication Method (EAM), ensure the following steps are completed:

• Complete the prerequisites
• Add an Issuing CA to the SafeNet Access Exchange Trust Store

Configuring Certificate Based Authentication (CBA)

1. Go to the realm configured for Entra ID EAM (SAS PCE).

2. In the left pane, click Authentication, and in the right pane, on the Flows tab, click the SafeNet OTP Flow.

   

3. Under SafeNet OTP Flow, click Add step.

4. A pop-up window is displayed, search for X509/Validate Username Form, and click Add to save the form.

5. For X509/Validate Username Form, set the Requirement as Alternative, and move it above SafeNet OTP Flow Forms as shown in the screenshot below.

   

6. For X509/Validate Username Form, click ⚙️.

7. On the X509/Validate Username Form config window, perform the following steps:

   1. In the Alias field, enter sc.

   2. In the Authenticator Reference field, enter sc.

   3. In the User Identity Source field, select the Subject’s Alternative Name otherName (UPN) source. It will extract the user identity from X509 Certificate.

   4. In the User mapping method field, select Username or Email.

   5. Ensure that the Check certificate validity toggle is turned on.

   6. Click Save.

      

Verifying Authentication

As a prerequisite, install the client certificate on the system where the authentication will occur. Under Personal > Certificates, import the .pfx certificate into the Certificate Manager.

Perform the following steps to test the authentication:

1. Navigate to the application URL that you have configured as a client in your SafeNet Access Exchange Realm. For example, https://portal.office.com.

2. When prompted, select the correct User certificate.

   

3. Click CONTINUE.

   

4. Click Yes.

   

   After successful authentication, you will be redirected to office.com.