Create a Microsoft OpenID Connect External Identity

This article describes how to create a Microsoft OpenID Connect External Identity on a MyID MFA version 5.0 deployment, so that users can log on to a MyID MFA-protected application with their Microsoft work, school or personal account.

Navigate to the Azure portal App registrations page and sign in with a Microsoft account. If you do not have one, select Create one. After signing in, you are redirected to the App registrations page.

  • Select New registration.
  • Enter a Name.
  • Select an option for Supported account types.
    • The MicrosoftAccount package supports App Registrations created with either the "Accounts in any organizational directory" or the "Accounts in any organizational directory and Microsoft accounts" option by default.
  • Under Redirect URI, select Web and enter the URL of your MyID MFA identity provider with idp/signin-microsoft appended, for example https://primary.myidmfa.com:14443/idp/signin-microsoft. Note: the idp/signin-microsoft suffix is essential; without it the external identity does not work. Microsoft matches the redirect URI exactly (scheme, host, port and path), so enter the address that users' browsers use to reach MyID MFA.
  • Select Register.

Create client secret

  • In the left pane, select Certificates & secrets.
  • Under Certificates & secrets, select New client secret.
    • Add a description and select an expiry value for the client secret.
    • Select Add to create the new client secret.
  • Under Certificates & secrets, copy the Value of the client secret.
    Note: A client secret value can only be viewed immediately after creation. Save it before leaving the page; if it is lost, delete the secret and create a new one.
    An invalid Client ID or Client Secret entered in MyID MFA results in an Error 500 - Server error response at logon.

  

Client ID

  • In the left pane, select Overview.
  • Under Essentials, copy the Application (client) ID. This value is entered in the Application ID field of the wizard described below.
  • Save the Application (client) ID and the Client Secret value for use when adding the provider configuration to MyID MFA.
    NOTE: Ensure that you save the client secret Value and NOT the Secret ID.
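As an added example (not part of the original article and not MyID MFA code), the same app registration can be scripted with the Microsoft.Graph PowerShell module. Doing it this way also avoids the two mistakes the steps above warn about: a redirect URI without the idp/signin-microsoft suffix, and saving the Secret ID instead of the secret Value. The display name, the IdP base URL and the six-month secret lifetime are assumptions; change them to match your deployment.

```powershell
# Added example: register the MyID MFA application with the Microsoft.Graph module.
# Prerequisite: Install-Module Microsoft.Graph.Applications
# Assumptions (adjust): display name, MyID MFA IdP URL, secret lifetime.
$displayName = 'MyID MFA OpenID Connect'
$idpBaseUrl  = 'https://primary.myidmfa.com:14443'     # the URL users reach MyID MFA on
$redirectUri = "$idpBaseUrl/idp/signin-microsoft"      # the suffix is mandatory

# Application.ReadWrite.All is required to create registrations and client secrets.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# 'AzureADMultipleOrgs' = "Accounts in any organizational directory".
# Use 'AzureADandPersonalMicrosoftAccount' to also allow personal Microsoft accounts.
$app = New-MgApplication -DisplayName $displayName `
    -SignInAudience 'AzureADMultipleOrgs' `
    -Web @{ RedirectUris = @($redirectUri) }

# Create a client secret with a deliberately short lifetime; rotate it before expiry.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'MyID MFA'
    EndDateTime = (Get-Date).AddMonths(6)
}

# Verify the redirect URI was stored exactly as intended. Microsoft requires an exact
# match, so a typo here surfaces as a redirect_uri mismatch error at logon time.
$stored = (Get-MgApplication -ApplicationId $app.Id).Web.RedirectUris
if ($stored -notcontains $redirectUri) { throw "Redirect URI not registered: $redirectUri" }

# $app.AppId is the Application (client) ID for the wizard's Application ID field.
# $secret.SecretText is the client secret VALUE that MyID MFA needs; $secret.KeyId is the
# Secret ID, which MyID MFA does not use. SecretText is only returned at creation time.
[pscustomobject]@{
    'Application (client) ID' = $app.AppId
    'Client secret value'     = $secret.SecretText
    'Secret expires'          = $secret.EndDateTime
}
```

The secret value is shown once so it can be pasted into the wizard; run this interactively rather than from a logged automation job, so the value does not end up in a transcript or build log.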

 

Adding the provider to MyID MFA v5

  • Open the MyID Management Console. Either click Add External Identity in the Actions panel on the right, or right-click External Identities in the left pane and select Add External Identity.
  • The Add OpenID Connect External Identity Wizard launches.
    • Click Next to continue.
    • Provide a name.
    • Select a provider type.
    • Click Next.
    • Select the OpenID Connect Claim that identifies the user, such as emailaddress.
    • Select the User AD attribute to map it to, such as wWWHomePage. At logon, MyID MFA matches the claim value returned by Microsoft against this attribute to identify the AD user.
    • Click Next.
    • Enter the Application (Client) ID and Client Secret.
      NOTE: Enter the client secret Value copied from Certificates & secrets, NOT the Secret ID.
    • Click Next.
    • Click Next to apply the configuration.
    • The wizard completes and adds the new External Identity Provider.
    • Click Finish to close the wizard.

 

Enabling the External Identity in MyID MFA v5

  • Open the MyID Management Console, expand Applications, right-click a suitable application and select Properties. Under External Identities linked with this application, ensure that the newly created provider is checked.
  • Click Apply to save the changes.
  • Ensure that the user(s) have the configured AD attribute populated with a suitable email address value (the address Microsoft returns in the selected claim); otherwise logon fails.
  • The logon option for the configured provider is now present on the application's logon screen.
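Before enabling the provider for a large user population, it is worth checking which accounts would fail the claim-to-attribute match. The following is an added example, not part of the original article or of MyID MFA. It assumes the wizard mapped the emailaddress claim to wWWHomePage as in the steps above, that the ActiveDirectory module (RSAT) is installed, and uses a hypothetical OU as the search base.

```powershell
# Added example: report enabled users whose mapped AD attribute is empty or is not an
# e-mail address, since such users cannot be matched when the Microsoft external
# identity returns the emailaddress claim.
# Assumptions (adjust): attribute name from the wizard, search base, RSAT installed.
Import-Module ActiveDirectory

$mappedAttribute = 'wWWHomePage'
$searchBase      = 'OU=Users,DC=example,DC=com'   # hypothetical OU; narrow to your scope

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase `
    -Properties $mappedAttribute, mail

# Loose e-mail shape check: exactly one @, no whitespace, a dot in the domain part.
# The stored value must equal the claim Microsoft returns, normally the sign-in address.
$emailPattern = '^[^\s@]+@[^\s@]+\.[^\s@]+$'

$report = foreach ($u in $users) {
    $value  = $u.$mappedAttribute
    $status = if ([string]::IsNullOrWhiteSpace($value)) { 'MISSING' }
              elseif ($value -notmatch $emailPattern)   { 'NOT-EMAIL' }
              else                                       { 'OK' }
    [pscustomobject]@{
        SamAccountName   = $u.SamAccountName
        Mail             = $u.mail
        $mappedAttribute = $value
        Status           = $status
    }
}

# Users who would not be matched at logon.
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize

# Consistency check: the same value on two accounts makes the mapping ambiguous.
$report | Where-Object Status -eq 'OK' | Group-Object $mappedAttribute |
    Where-Object Count -gt 1 | Select-Object Name, Count

# Optional remediation: copy the mail attribute into the mapped attribute where it is
# missing. -WhatIf previews the change; remove it to apply.
$report | Where-Object { $_.Status -eq 'MISSING' -and $_.Mail } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -Replace @{ $mappedAttribute = $_.Mail } -WhatIf
}
```

Run the report first and review the MISSING and NOT-EMAIL rows; only apply the remediation once you have confirmed that the mail attribute really is the address those users sign in to Microsoft with.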

 

Troubleshooting

If logon fails with an HTTP 404.15 error stating that the query string is too long, the IIS Request Filtering module is rejecting a request whose query string exceeds the configured maximum (2048 bytes by default).

To resolve this, increase the allowed query string length in Internet Information Services (IIS) Manager: select the MyID MFA site, open Request Filtering, choose Edit Feature Settings and set Maximum query string (Bytes) to 4096.
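The same change can be made and verified from PowerShell with the WebAdministration module, which is useful when several MyID MFA servers need the fix. This is an added example, not part of the original article or of MyID MFA; the site name 'Default Web Site' is an assumption.

```powershell
# Added example: raise the IIS Request Filtering "Maximum query string (Bytes)" limit to
# 4096 for the MyID MFA site, equivalent to the IIS Manager steps above.
# Assumption: the site is named 'Default Web Site'; change $site to match your deployment.
# Run in an elevated PowerShell session on the MyID MFA server.
Import-Module WebAdministration

$site   = 'Default Web Site'
$filter = 'system.webServer/security/requestFiltering/requestLimits'
$target = 4096    # bytes; the value this article recommends

function Get-MaxQueryString {
    param([string]$SitePath)
    [int](Get-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name 'maxQueryString').Value
}

$sitePath = "IIS:\Sites\$site"
$current  = Get-MaxQueryString -SitePath $sitePath
Write-Host "Current maxQueryString for '$site': $current"

# Only raise the limit; never lower an existing, larger value by accident.
if ($current -lt $target) {
    Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter `
        -Name 'maxQueryString' -Value $target
    Write-Host "maxQueryString set to $target"
} else {
    Write-Host 'No change needed'
}

# Confirm the setting persisted to the site's configuration.
$after = Get-MaxQueryString -SitePath $sitePath
if ($after -lt $target) { throw "maxQueryString is $after, expected at least $target" }
```

Keep the limit at the value the article recommends rather than raising it arbitrarily; the query string limit is one of the request-size controls that protects the site, and 4096 bytes is sufficient for the OpenID Connect response.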

 
