Introduction
From version 6.4 it is possible to configure vSEC:CMS to connect to Entra ID (formerly known as Azure Active Directory) which can be used as the user directory when provisioning credentials. Follow the instructions in this article to configure and use Entra ID with vSEC:CMS.
Configure Entra ID Connection
The first task is to configure the Entra ID connection.
It is expected that the person configuring Entra ID has expertise in using it. An Owned application (an app registration that you own) must already be configured and available from App registrations in Entra ID, since its tenant ID, client ID and client secret are needed below.
From Options - Connections click the Add button and select Entra ID.
Enter a template name.
The Authentication URL field will already be configured which normally should not be changed.
In the Directory (tenant) ID field enter your tenant ID which is normally available from the Overview page of your Entra ID web portal.
In the Application (client) ID field enter the ID as available for your Owned application. Additionally, enter the secret for this application into the Client Secret field.
The MS Graph API Url field will already be configured and this normally should not be changed.
Click the Check connection button to ensure connectivity, then click the Check API URL button to ensure the Graph API endpoint is reachable. Each check should return a success message if the connection details are correct.
Click Save to save and close.
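The dialog hides what the two checks do; the following added Python example (not part of this article or of vSEC:CMS) shows the two requests the connection settings feed, plus a least-privilege review of the app registration. It assumes that Check connection performs a client-credentials token request and that Check API URL performs a filtered /users query, and that User.Read.All is the only Graph application permission the connector needs; the token, user record and function names are constructed for the example.

```python
import base64
import json
from urllib.parse import urlencode

# Defaults shown in the vSEC:CMS connection dialog (per the article)
AUTH_URL = "https://login.microsoftonline.com"   # Authentication URL field
GRAPH_URL = "https://graph.microsoft.com/v1.0"  # MS Graph API Url field
GRAPH_RESOURCE = "https://graph.microsoft.com"
REQUIRED_ROLES = {"User.Read.All"}  # assumption: read-only user lookup suffices

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request, what 'Check connection' is assumed to
    exercise. Returns (url, form body); POST the body to the url."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "scope": f"{GRAPH_RESOURCE}/.default",
                      "grant_type": "client_credentials"})
    return f"{AUTH_URL}/{tenant_id}/oauth2/v2.0/token", body

def users_request(filter_expr):
    """Filtered /users lookup, what 'Check API URL' and the user filter are
    assumed to exercise. Send with 'Authorization: Bearer <access_token>'."""
    query = urlencode({"$filter": filter_expr,
                       "$select": "id,userPrincipalName,displayName"})
    return f"{GRAPH_URL}/users?{query}"

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def privilege_review(access_token):
    """Least-privilege check on the token's app role claims. The signature is
    not verified here (Graph does that); this only flags an over-permissioned app."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    roles = set(payload.get("roles", []))
    return {"missing": REQUIRED_ROLES - roles,
            "excess": {r for r in roles if "Write" in r}}

def parse_users(graph_json):
    """Map a /users response body to (object id, UPN) pairs for the user picker."""
    return [(u["id"], u["userPrincipalName"]) for u in json.loads(graph_json)["value"]]

def constructed_token(roles):
    """Constructed, unsigned sample token for offline demonstration only."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header, claims = seg({"alg": "none"}), seg({"aud": GRAPH_RESOURCE, "roles": roles})
    return f"{header}.{claims}."

# Constructed sample Graph response, not real directory data
SAMPLE_USERS = '{"value":[{"id":"0000-1","userPrincipalName":"alice@contoso.example","displayName":"Alice"}]}'
```

Run privilege_review on a real token obtained with token_request before going live: an app registration carrying any Write role can do far more than the user lookup this connector needs.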
Configure Template
The next step is to configure an actual credential template that uses the Entra ID connection for user provisioning. This example issues a credential to a user from Entra ID with a custom requested certificate from a Microsoft CA (other CAs that vSEC:CMS supports can also be used). The CSR will need to be customized with variables that map to attributes in your user directory; refer to the article Customize Certificate Request Fields to see how this is done.
From Templates - Card Templates click Add.
Click the Edit link beside General. Enter a template name. Presuming that you are using one of the minidriver credentials supported by vSEC:CMS, select Minidriver (Generic minidriver card) for Card type. Leave all other settings as default and click Ok to close and save.
Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the Entra ID connection configured earlier in the drop-down list. Click the Manage button.
With the Entra ID connector selected click the Edit button. Click the Add button. From this dialog you need to create a filter. Provide a name and click Ok.
Click Save and Close.
Additionally, if you have a requirement to issue and manage certificate(s), you can configure this from the Enroll Certificate Options section. Enable the Enroll certificate(s) checkbox and click the Add button. Select the certificate template you wish to use and click Ok. Leave all other settings as they are, scroll down to the bottom of the dialog and click Ok to save and close.
Skip the Enroll certificate(s) part if you are only interested in managing FIDO2 credentials. If you are using a Microsoft CA, see the article Customize Certificate Request Fields for details on how to configure Microsoft CA for custom certificate requests and how to map a variable to the CN attribute for the user from Entra ID.
Click Ok to save and close the template configuration dialog.
Issue Credential
From the Lifecycle page attach a blank credential to your host. If it is a credential that is supported by vSEC:CMS you should see the reader and the credential similar to below.
Depending on the credential that you are testing with, the appropriate credential drivers must be installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
Click the Issued oval, select the credential template from the drop-down list and click Execute. During issuance you will be prompted to select the user from Entra ID to whom the credential will be issued. At the end of the process you will get a short summary of the operations performed. The credential PIN will be blocked, so you should set a PIN in order to be able to use the certificate credential.