Introduction
From version 6.4 it is possible to configure vSEC:CMS to connect to Azure Active Directory (AAD), which can then be used as the user directory when provisioning credentials. Follow the instructions in this article to configure and use AAD with vSEC:CMS.
Configure AAD Connection
The first task is to configure the AAD connection.
It is expected that the person configuring AAD has expertise in using AAD. An application registration that you own must already exist under App registrations in the Azure AD portal (it is listed under Owned applications); vSEC:CMS authenticates to AAD as this application using its application (client) ID and a client secret.
From Options - Connections click the Add button and select Azure AD.
Enter a template name.
The Authentication URL field is pre-configured and normally should not be changed.
In the Directory (tenant) ID field enter your tenant ID which is normally available from the Overview page of your Azure AD web portal.
In the Application (client) ID field enter the ID shown for your owned application. Additionally, enter the secret for this application into the Client Secret field. Note that a client secret is given an expiry date when it is created in AAD; the connection will stop working when it expires, so plan to create a new secret and update this field before then.
The MS Graph API Url field is pre-configured and normally should not be changed.
Click the Check connection button to verify that vSEC:CMS can authenticate to AAD with the details above, then click the Check API URL button to verify that the MS Graph API is reachable. Each check should report success if the connection details are correct.
Click Save to save and close.
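If a check fails, it helps to reproduce the two steps outside vSEC:CMS to see the raw error AAD returns. The script below is an added example and is not part of vSEC:CMS; it performs the same two operations the Check connection and Check API URL buttons perform: it requests an OAuth2 client-credentials token for the app registration and then reads users through the MS Graph API. It assumes the default Authentication URL is the login.microsoftonline.com v2.0 endpoint and the default MS Graph API Url is https://graph.microsoft.com/v1.0, reads the tenant ID, client ID and secret from environment variables (placeholders, not values from this article), and assumes the app registration has been granted a Graph application permission that allows reading users (for example User.Read.All) with admin consent, which is what the users call requires. The sample Graph response used for offline checking is constructed.

```python
"""Stand-alone check of an Azure AD app registration for use as a vSEC:CMS user directory.

Added example, not vSEC:CMS code. Reproduces what the "Check connection" and
"Check API URL" buttons verify: a client-credentials token from the tenant's
authentication endpoint, then a read of users through the MS Graph API.
Tenant ID, client ID and client secret are placeholders read from the environment.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"  # assumed default Authentication URL base
GRAPH_API = "https://graph.microsoft.com/v1.0"   # assumed default MS Graph API Url

# Constructed sample of a Graph /users response, used for offline checking only.
SAMPLE_USERS_RESPONSE = """{"value": [
  {"id": "11111111-1111-1111-1111-111111111111",
   "displayName": "Alice Example",
   "userPrincipalName": "alice@example.onmicrosoft.com"}
]}"""


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth2 client-credentials request (URL, form body) for the tenant."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        # .default asks for the application permissions granted to the registration
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def users_url(upn_prefix=None, top=10):
    """Build the Graph /users query, optionally narrowed by a UPN prefix."""
    params = {"$select": "id,displayName,userPrincipalName", "$top": str(top)}
    if upn_prefix:
        # OData string literals escape a single quote by doubling it.
        escaped = upn_prefix.replace("'", "''")
        params["$filter"] = f"startswith(userPrincipalName,'{escaped}')"
    return f"{GRAPH_API}/users?" + urllib.parse.urlencode(params)


def parse_users(response_json):
    """Return (userPrincipalName, id) pairs from a Graph /users response body."""
    data = json.loads(response_json)
    return [(u["userPrincipalName"], u["id"]) for u in data.get("value", [])]


def check_connection(tenant_id, client_id, client_secret, upn_prefix=None):
    """Run both checks against the live tenant. Raises urllib.error.HTTPError on failure;
    the response body of that error carries AAD's or Graph's reason (bad secret, missing
    permission, wrong tenant), which the GUI buttons do not show in full."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        token = json.load(r)["access_token"]          # "Check connection" equivalent
    req = urllib.request.Request(users_url(upn_prefix),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        return parse_users(r.read())                  # "Check API URL" equivalent


if __name__ == "__main__":
    # Usage: AAD_TENANT_ID=... AAD_CLIENT_ID=... AAD_CLIENT_SECRET=... python check_aad.py [upn-prefix]
    try:
        env = {k: os.environ[k] for k in ("AAD_TENANT_ID", "AAD_CLIENT_ID", "AAD_CLIENT_SECRET")}
    except KeyError as e:
        sys.exit(f"missing environment variable {e}")
    prefix = sys.argv[1] if len(sys.argv) > 1 else None
    for upn, oid in check_connection(env["AAD_TENANT_ID"], env["AAD_CLIENT_ID"],
                                     env["AAD_CLIENT_SECRET"], prefix):
        print(upn, oid)
```

The secret is read from the environment rather than passed on the command line so it does not end up in shell history or process listings; treat it with the same care as the value you enter into the Client Secret field.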
Configure Template
The next step is to configure a credential template that uses the AAD connection for user provisioning. This example issues a credential to a user from AAD with a custom certificate request sent to a Microsoft CA (other CAs supported by vSEC:CMS can be used). The CSR will need to be customized with variables that map to attributes in your user directory. Please refer to the article Customize Certificate Request Fields to see how this can be done.
From Templates - Card Templates click Add.
Click the Edit link beside General. Enter a template name. Presuming that you are using one of the minidriver credentials supported by vSEC:CMS, select Minidriver (Generic minidriver card) for Card type. Leave all other settings at their defaults and click Ok to save and close.
Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AAD connection configured earlier in the drop-down list. Click the Manage button.
With the AAD connector selected, click the Edit button, then click the Add button. In this dialog you create the filter that determines which AAD users are offered for selection during issuance. Provide a name and click Ok.
Click Save and Close.
In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select the Windows logon certificate template you wish to use and click Ok. Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
See the article Customize Certificate Request Fields for details on how to configure Microsoft CA for custom certificate requests and how you can map a variable to the CN attribute for the user from AAD.
Click Ok to save and close the template configuration dialog.
Issue Credential
From the Lifecycle page attach a blank credential to your host. If the credential is supported by vSEC:CMS, the reader and the credential will be listed.
Depending on the credential that you are testing with, the appropriate credential drivers must be installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
Click the Issued oval, select the credential template from the drop-down list and click Execute. During issuance you will be prompted to select the AAD user to whom the credential will be issued. At the end of the process you will get a short summary of the operations performed. The credential PIN will be blocked after issuance, so you must set a PIN before the certificate credential can be used.