Using Microsoft Entra ID as Identity Source
Identity Management Framework (an open-source identity management and identity governance solution) provides the ability to synchronize users and their associated user groups from Microsoft Entra ID to SafeNet Trusted Access (STA). If you have existing users and groups in Microsoft Entra ID, you can use Identity Management Framework to synchronize them to STA. The solution connects to both systems using custom connectors and can create, update, and delete both users and groups.
It is preconfigured with XML files, which eliminates the need to manually configure connectors, roles, and templates for user synchronization. However, the configuration can be modified as required.
Run only one of SafeNet Synchronization Agent, Microsoft Entra ID Provisioning Service, or Identity Management Framework at a time for synchronization from Microsoft Entra ID to STA.
The image below describes the Identity Management Framework architecture:
Supported Use Cases
Following are the use cases supported by the Microsoft Entra ID Connector when syncing with STA using Identity Management Framework:
Use Case | Supported? | Notes |
---|---|---|
User Synchronization | Yes | Supports all the Create, Read, Update, and Delete (CRUD) operations. |
Group Synchronization | Yes | Supports all the Create, Read, Update, and Delete (CRUD) operations. |
User Live Synchronization | Yes | Synchronizes changes & new user creation. |
User & Group Filtering | Yes | Synchronizes specific Users & Groups. |
Limitations
Following are the limitations encountered when syncing the Microsoft Entra ID Connector with STA using Identity Management Framework:
- A user group cannot be updated if it is associated with a provisioning rule in STA.
- STA does not support Nested Group Synchronization.
- Two user groups with the same name cannot be created, even in two different domains.
- User password sync to STA is not supported.
Prerequisites
You need to set up a certificate, XML files, and connectors that are required to successfully run the Microsoft Entra ID Connector with Identity Management Framework.
Ensure that you have an Identity Management Framework instance installed and running on your machine.
As prerequisites, complete the following:
Configuring your SafeNet Trusted Access (STA) Connector in Identity Management Framework
Configure the SafeNet Trusted Access (STA) Connector in Identity Management Framework by performing the steps mentioned in STA IdM Connector Configuration documentation.
Creating and Configuring a Web/API Application in Azure
Perform the following steps to create and configure a Web/API application in Azure:
1. Create and register a Web/API application in Azure. Refer to the steps mentioned here.
2. Add the following delegated and application permissions in the newly created web application:
   - Directory.Read.All → Delegated permission
   - Directory.ReadWrite.All → Delegated permission
   - Group.Create → Application permission
   - Group.Read.All → Delegated permission
   - Group.Read.All → Application permission
   - Group.ReadWrite.All → Delegated permission
   - Group.ReadWrite.All → Application permission
   - GroupMember.Read.All → Delegated permission
   - GroupMember.Read.All → Application permission
   - GroupMember.ReadWrite.All → Delegated permission
   - GroupMember.ReadWrite.All → Application permission
   - PrivilegedAccess.Read.AzureADGroup → Delegated permission
   - PrivilegedAccess.Read.AzureADGroup → Application permission
   - PrivilegedAccess.ReadWrite.AzureADGroup → Delegated permission
   - PrivilegedAccess.ReadWrite.AzureADGroup → Application permission
   - User.Read → Delegated permission
   - User.Read.All → Delegated permission
   - User.Read.All → Application permission
   - User.ReadWrite.All → Delegated permission
   - User.ReadWrite.All → Application permission
3. Copy the values of the following fields and paste them in a text editor:
   - Application (client) ID
   - Client Secret Value
   - Directory (tenant) ID
   You will need these values while configuring the Microsoft Entra ID Connector.
Importing the Resource Definition in Identity Management Framework
Resources are objects in Identity Management Framework that represent the applications and systems that are connected to Identity Management Framework. Resource accounts are managed in resource objects.
Perform the following steps to import the Microsoft Entra ID .xml file in Identity Management Framework:
1. From here, download and save the Microsoft_Entra_ID.xml file on your local machine.
2. Log in to the Identity Management Framework administrator console as an administrator.
3. On the Identity Management Framework administrator console, in the left pane, under Configuration, click Import object, and in the right pane, perform the following steps:
   - Under Options, select the Keep OID checkbox.
   - Under Get objects from, ensure that the File option is selected.
   - Click Choose File to upload the Microsoft_Entra_ID.xml file.
   - Click Import object.
4. In the left pane, under ADMINISTRATION, click Resources > All resources, and in the right pane, verify that the newly created resource is added.
Importing Template XML Files in Identity Management Framework
The template XML files enable you to sync users and groups to SafeNet Trusted Access (STA). Perform the following steps to import the template XML files in Identity Management Framework:
1. From here, download the following template XML files and save them on your local machine:
   - RoleTemplate_for_Microsoft Entra ID.xml: Contains the mappings that are used to assign a meta role to the groups imported from Azure.
   - UserTemplate_for_Microsoft Entra ID.xml: Contains the mappings that are used to assign a role (STA user role) to users imported from Microsoft Entra ID.
   - MetaRole_for_STA.xml: Used to create a meta role in Identity Management Framework. The meta role acts as a super role and is used to create a group in STA along with the users' membership.
   - STA_user_role.xml: Used to create a role in Identity Management Framework. The role is used to create users in STA automatically.
2. Perform the following steps to import the XML files that you downloaded in the previous step:
   - On the Identity Management Framework administrator console, in the left pane, scroll down, and click Import object.
   - Under Import object, in the right pane, under Options, select the Keep OID checkbox.
   - Under Get objects from, ensure that the File option is selected, and then click Choose File to upload an XML file.
   - Click Import object.
   If you have not added the SafeNet_Trusted_Access.xml file for SafeNet Trusted Access, you may see validation warnings. You can either ignore the warnings or remove them by importing the SafeNet_Trusted_Access.xml file. Refer to the steps mentioned in the Prerequisites section of the SafeNet Trusted Access IdM Connector Configuration documentation.
3. Repeat step 2 to upload all the template XML files that you downloaded in step 1.
Configuring Microsoft Entra ID Connector in Identity Management Framework
Configuring Microsoft Entra ID Connector in Identity Management Framework enables user and group synchronization. In Identity Management Framework, perform the following steps to open the wizard that is used to configure a working Microsoft Entra ID Connector in Identity Management Framework:
1. On the Identity Management Framework administrator console, in the left pane, click Resources > All resources.
2. In the right pane, under All resources, select the Microsoft Entra ID resource that you created earlier in Importing the Resource Definition in Identity Management Framework.
   Ignore any error or warning. These are resolved automatically once you enter the Client ID, Client Secret Value, and Tenant ID on the Configuration page.
3. On the Microsoft Entra ID resource window, scroll down, and perform the following steps to configure the Microsoft Entra ID Connector:
   - In the left pane, click Basic, and in the right pane, perform the following steps to configure the resource:
     - In the Name field, modify the name of the connector (for example, Microsoft Entra ID). This is for identification purposes only.
     - [Optional] In the Description field, enter a description of the connector.
     - In the connectorRef field, ensure that the Microsoft Entra ID Connector (ConnId com.evolveum.polygon.connector.msgraphapi.MSGraphConnector V1.1.0.1:ConnectorType) is selected.
   - In the left pane, click Connector configuration, and in the right pane, perform the following steps to modify the fields' values as per your Microsoft Entra configuration:
     - In the Client Id field, replace the existing value with the Application (client) ID that you copied in Step 3 of Creating and Configuring a Web/API Application in Azure.
     - In the Client Secret field, click Change, and enter the Client Secret Value that you copied in Step 3 of Creating and Configuring a Web/API Application in Azure.
     - In the Repeat Password field, re-enter the Client Secret Value.
     - In the Tenant Id field, replace the existing value with the Directory (tenant) ID that you copied in Step 3 of Creating and Configuring a Web/API Application in Azure.
   - Click Save.
4. On the All resources window, click the Microsoft Entra ID connector. On the resource, click Test connection to verify the configuration, and then click OK.
   If you encounter any error while testing the connection, check your Microsoft Entra resource configuration.
5. In the left pane, click Schema handling. Schema handling contains the attribute mappings for both users and groups for synchronization.
   The default values are case sensitive.
   You can configure schema handling for:
Accounts
Perform the following steps to view or edit attribute mappings for users:
1. Click the Schema handling tile. In the right window, click Account.
2. On the Object type wizard, click Mappings.
3. On the Inbound mappings, the users' attribute mapping is displayed. Ensure that all the values are set.
   You can edit an attribute mapping as per your preferred configuration. Refer to the Adding or Modifying an Attribute Mapping section.
4. Click Exit wizard if no changes have been made to the mappings. Otherwise, click Save mappings.
5. On the Object type wizard window, click Synchronization.
   The synchronization properties (configuration) of a resource object (user or group) specify the Identity Management Framework action to take when a new synchronization event is detected. For example, when an event related to account creation or deletion is detected, the action can be to create a new user, delete or disable an existing user, ignore the event, and so on.
6. On the Synchronization window, the configuration for users is displayed. Ensure that all the values are set as shown below, and then click Exit wizard.
7. On the Object type wizard, click Back to object types to exit this page and return to the Schema handling window.
Groups
Perform the following steps to view or edit attribute mappings for groups:
1. Click the Schema handling tile. In the right window, click Group.
2. On the Object type wizard window, click Mappings.
3. On the Inbound mappings, the groups' attribute mapping is displayed. Ensure that all the values are set as shown below.
   You can edit an attribute mapping as per your preferred configuration. Refer to the Adding or Modifying an Attribute Mapping section.
4. Click Exit wizard if no changes have been made to the mappings. Otherwise, click Save mappings.
5. On the Object type wizard window, click Synchronization.
   The synchronization properties (configuration) of a resource object (user or group) specify the Identity Management Framework action to take when a new synchronization event is detected. For example, when an event related to account creation or deletion is detected, the action can be to create a new user, delete or disable an existing user, ignore the event, and so on.
6. On the Synchronization window, the configuration for groups is displayed. Ensure that all the values are set as shown below, and then click Exit wizard.
7. On the Object type wizard, click Back to object types to return to the Schema handling window.
Filtering Users and Groups for Synchronization
You can filter the users and groups to be synchronized to STA. Instead of synchronizing all users and groups, you can synchronize specific users and groups from Microsoft Entra ID to STA. To do so, specify the names of the groups to synchronize in the GroupList variable. The specified groups are then synchronized, together with the users that are members of these groups.
Identity Management Framework synchronizes users within nested groups, that is, users who are members of a group that is itself a member of another group. The synchronization options for groups retain group membership attributes only for users; the groups appear in a flat structure within Identity Management Framework.
STA is not aware of trust relationships in Microsoft Entra ID and, consequently, remains unaware of the nesting arrangement of groups.
Perform the following steps to configure user and group filtering:
1. On the resource window, in the left pane, click the Schema handling tile, and in the right pane, click Account.
2. On the Object type wizard window, click the Synchronization tile.
3. On the Synchronization window, the configuration for users is displayed. Click the icon corresponding to the Linked situation.
4. Click Next: Action, and then click Next: Optional Settings.
5. On the Optional settings window, perform the following steps:
   - In the Language field, select Groovy (default).
   - In the Code field, copy the code from the Microsoft_Entra_ID_User_Filtering_Script.groovy file available in the package and paste it in the field.
6. Click Done to save the settings.
7. Similarly, follow steps 2 to 5 for the rest of the Situation types (Deleted, Unlinked, and Unmatched).
   Only users of the groups that are listed in the GroupList variable are synchronized to STA.
8. Similarly, follow the above steps for groups. The code for groups is available in the Microsoft_Entra_ID_User_Filtering_Script.groovy file.
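To check what the GroupList filter will admit before running the import tasks, the following added Python model (not the connector package's Groovy script) reproduces the filtering and nested-group flattening described above on constructed sample groups. The group and user names, and the folding of nested members into the listed parent group, are assumptions made for this example.

```python
"""Offline model of the GroupList filtering described above.

Added example, not the Groovy filtering script shipped in the connector
package: it shows which Microsoft Entra ID users and groups the filter admits
to STA when GroupList is set, and how nested membership is flattened into the
listed parent group, because STA does not support nested groups.
All group and user names below are constructed sample data.
"""
from __future__ import annotations

# Constructed sample directory: group -> direct members (users or nested groups).
ENTRA_GROUPS: dict[str, list[str]] = {
    "Sales": ["alice@example.com", "bob@example.com", "Sales-EMEA"],
    "Sales-EMEA": ["carol@example.com", "Sales-EMEA-UK"],
    "Sales-EMEA-UK": ["dave@example.com"],
    "Engineering": ["erin@example.com", "bob@example.com"],
    "Contractors": ["frank@example.com"],
}

# Stand-in for the GroupList variable of the filtering script.
GROUP_LIST = ["Sales", "Engineering"]


def flatten_members(group: str, groups: dict[str, list[str]],
                    seen: set[str] | None = None) -> set[str]:
    """Return every user that is a direct or transitive member of `group`.

    `seen` guards against membership cycles (A in B, B in A), which would
    otherwise recurse forever."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users: set[str] = set()
    for member in groups.get(group, []):
        if member in groups:                      # nested group: fold its users in
            users |= flatten_members(member, groups, seen)
        else:
            users.add(member)
    return users


def sync_plan(groups: dict[str, list[str]], group_list: list[str]):
    """Model the filter outcome: only groups named in GroupList are created in
    STA, each as a flat group carrying its nested users; every other group is
    skipped. Returns (flat_groups, users_to_sync, skipped_groups)."""
    flat_groups = {g: flatten_members(g, groups) for g in group_list if g in groups}
    users = set().union(*flat_groups.values())
    skipped = sorted(set(groups) - set(flat_groups))
    return flat_groups, users, skipped


def should_sync_user(user: str, groups: dict[str, list[str]],
                     group_list: list[str]) -> bool:
    """Per-account decision the filter makes in each synchronization situation:
    synchronize only if the user is a (possibly nested) member of a listed group."""
    _, users, _ = sync_plan(groups, group_list)
    return user in users


if __name__ == "__main__":
    flat, users, skipped = sync_plan(ENTRA_GROUPS, GROUP_LIST)
    for name, members in flat.items():
        print(f"STA group {name}: {sorted(members)}")
    print("users synchronized:", sorted(users))
    print("groups skipped (not in GroupList):", skipped)
```

Nested groups that are not themselves named in GroupList (Sales-EMEA, Sales-EMEA-UK) are not created in STA; their users appear only as members of the listed parent group.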
Adding or Modifying an Attribute Mapping
To optionally add or edit attributes in the Schema handling, perform the following steps:
1. On the Mappings window, next to Lifecycle state, click the corresponding icon to edit an attribute or to add a new attribute.
2. The Main configuration window is displayed. Perform the following steps:
   - In the From resource attribute field, select an attribute.
   - In the Target field, enter the Identity Management Framework attribute name (for example, givenName) that you want to map to the name attribute of STA.
Similarly, you can perform the above steps to add or update mappings for Groups.
Create Tasks
Tasks are created in Identity Management Framework to automatically synchronize users and groups at a specific time. You can create the following tasks in Identity Management Framework:
Import Task
You can create import tasks for the synchronization of users and groups:
Creating an Import Task to Synchronize Users
Perform the following steps to create the import task to synchronize users:
1. On the Identity Management Framework administrator console, in the left pane, under ADMINISTRATION, click Server tasks > Import tasks.
2. Under Import tasks, in the right pane, click the New import task icon to add a new task.
3. On the New Import task window, in the right pane, under Resource objects, perform the following steps:
   - In the Resource field, click Edit, and select your Microsoft Entra ID connector (for example, Microsoft Entra ID: Resource Type).
   - In the Kind field, select Account.
   - In the Intent field, select default.
   - In the Object class field, select AccountObjectClass.
4. Under Operations, click Save.
Creating an Import Task to Synchronize Groups
Perform the following steps to create the import task to synchronize groups:
1. Under Import tasks, in the right pane, click the New import task icon to add a new task.
2. On the New Import task window, in the right pane, under Resource objects, perform the following steps:
   - In the Resource field, click Edit, and select your Microsoft Entra ID connector (for example, Microsoft Entra ID: Resource Type).
   - In the Kind field, select Entitlement.
   - In the Intent field, select group.
   - In the Object class field, select GroupObjectClass.
3. Under Operations, click Save.
Live Synchronization Task
A Live synchronization task is created for users. This task processes the events (creation, modification, or deletion) that represent the changes related to the resource objects. It ensures that these events are processed, so that the resource objects’ changes are reflected on Identity Management Framework objects (and extended to other resources, if needed).
Perform the following steps to create the Live Synchronization task for users:
1. On the Identity Management Framework administrator console, in the left pane, under ADMINISTRATION, click Server tasks > Live synchronization tasks.
2. Under Live synchronization tasks, in the right pane, click the New live synchronization task icon to add a new task.
3. On the New Live synchronization task window, perform the following steps:
   - Under Resource objects, perform the following steps:
     - In the Resource field, click Edit and select your Microsoft Entra ID connector (for example, Microsoft Entra ID: Resource Type).
     - In the Kind field, select Account.
     - In the Intent field, select default.
     - In the Object class field, select AccountObjectClass.
   - In the left pane, click Schedule, and in the right pane, in the Interval field, enter the interval in seconds (for example, 1200).
     The interval is the time period after which the task is automatically repeated until all the records are synchronized.
   - Under Operations, click Save.
Reconciliation Task
A Reconciliation task is created to compare the data stored in the IGA platform with the data stored in the target systems. Reconciliation tasks are created for users and groups:
Creating a Reconciliation Task for Users
Perform the following steps to create a reconciliation task for users:
1. On the Identity Management Framework administrator console, in the left pane, under ADMINISTRATION, click Server tasks > Reconciliation tasks.
2. Under Reconciliation tasks, click the New reconciliation task icon to add a new task.
3. On the New Reconciliation task window, perform the following steps:
   - In the right pane, under Resource objects, perform the following steps:
     - In the Resource field, click Edit and select your Microsoft Entra ID connector (for example, Microsoft Entra ID: Resource Type).
     - In the Kind field, select Account.
     - In the Intent field, select default.
     - In the Object class field, select AccountObjectClass.
   - In the left pane, click Schedule, and in the right pane, in the Interval field, enter the interval in seconds (for example, 86400).
     The interval is the time period after which the task is automatically repeated until the data of all the users is reconciled.
   - Under Operations, click Save.
Creating a Reconciliation Task for Groups
Perform the following steps to create a reconciliation task for groups:
1. Under Reconciliation tasks, click the New reconciliation task icon to add a new task.
2. On the New Reconciliation task window, perform the following steps:
   - In the right pane, under Resource objects, perform the following steps:
     - In the Resource field, click Edit and select your Microsoft Entra ID connector (for example, Microsoft Entra ID: Resource Type).
     - In the Kind field, select Entitlement.
     - In the Intent field, select group.
     - In the Object class field, select GroupObjectClass.
   - In the left pane, click Schedule, and in the right pane, in the Interval field, enter the interval in seconds (for example, 86400).
     The interval is the time period after which the task is automatically repeated until the data of all the groups is reconciled.
   - Under Operations, click Save.
Running the Solution
You need to perform certain steps to run the tasks created earlier for synchronization of users and groups to STA.
NOTE: Duplicate users and groups cannot be synced to STA using Identity Management Framework.
Running the Import Task for Groups
Perform the following steps to run the import task to synchronize groups:
1. On the Identity Management Framework administrator console, in the left pane, under ADMINISTRATION, click Server tasks > Import tasks.
2. Under Import tasks, in the right pane, in the Name column, click the Import task: Microsoft Entra ID: Group task for groups that you created earlier under Create Tasks.
3. On the Import task window, click Save & Run to run the task.
Running the Import Task for Users
Perform the following steps to run the import task to synchronize users:
1. On the Identity Management Framework administrator console, in the left pane, under ADMINISTRATION, click Server tasks > Import tasks.
2. Under Import tasks, in the right pane, in the Name column, click the Import task: Microsoft Entra ID Connector: Account task for users that you created earlier under Create Tasks.
3. On the Import task window, click Save & Run to run the task.
Similarly, run all other tasks (Live Synchronization Task and Reconciliation Task) by following the above steps for groups and users. Always run the Group task before the User task.
Live Synchronization for groups is not supported.
Verifying Users and Groups in STA
Perform the following steps to verify if the users and groups are successfully synced to STA.
Verifying Users in STA
Perform the following steps to verify if the users are successfully synced to STA:
1. On the STA Management console, go to the Assignment tab.
2. In the Search User module, search for the list of users that are pushed from Microsoft Entra ID to STA. Alternatively, search for individual users to verify that each user is synchronized to STA.
Verifying Groups in STA
Perform the following steps to verify if the groups are successfully synced to STA:
1. On the STA Management console, go to the Groups tab.
2. Under Group Maintenance, select the Synchronized option. All the Microsoft Entra ID groups that are synchronized to STA should be displayed.
Appendix - Microsoft Entra ID Delegated Password Authentication for STA Users
You can authenticate users that you synchronized from Microsoft Entra ID to SafeNet Trusted Access (STA) without synchronizing their password to STA.
STA allows you to delegate password validation to a third-party password repository, such as Microsoft Entra ID. With delegation, no password synchronization is needed. Users can be synchronized or non-synchronized. Delegated password validation allows non-synchronized STA user accounts to use a password policy in STA for local accounts as long as the accounts exist in the third-party repository.
Delegated password validation uses the OIDC Resource Owner Password Credentials (ROPC) flow, which allows an application to sign in the user by directly handling their password. The ROPC flow is compatible with any IdP that can handle the flow, such as Microsoft Entra ID.
To configure delegated password validation after all the Microsoft Entra ID users are synchronized to STA, refer to the Configure delegated password validation section on Thalesdocs.