How to Use Microsoft Entra ID For Credential Verification
Overview
It is possible to expose Microsoft Entra ID as a secure LDAP after Microsoft Entra ID Domain Services has been enabled. This article will not cover how to configure Microsoft Entra ID but will address how to configure the Curity Identity Server to leverage the secure LDAP (LDAPS) interface of Microsoft Entra ID as a Data Source and with that used as a Credential Manager for credential verification.
Prerequisites
- An installation of the Curity Identity Server. If you do not have one, follow the Installing the Curity Identity Server tutorial and configure the installation by running the Curity Basic Setup Wizard as outlined in the Curity Basic Setup Wizard tutorial.
- Microsoft Entra ID set up with Microsoft Entra Domain Services. With that fully configured it is possible to enable secure LDAP as outlined in the Microsoft documentation.
Configure Curity
Curity can be configured to use LDAP as a Data Source out-of-the-box. With some specific configuration we can allow Curity to connect to a secure LDAP server and then use that Data Source in a Credential Manager that verifies a user's credentials in the authentication process.
Server Trust Store
Curity needs the Microsoft Entra ID certificate in order to communicate with Microsoft Entra ID and the secure LDAP interface.
If the certificate is not available it can be obtained directly in the Curity Admin UI. Go to Facilities → Keys and Cryptography → Trust Anchors, then add a new Server Trust Store. Select the host option and enter the Microsoft Entra ID secure LDAP host and port, e.g. aaddscontoso.com:636, click Next, give it a name and then click Ok.
Obtain certificate using openssl
Alternatively the certificate can be obtained using openssl. Execute the following from a command prompt:
openssl s_client -connect aaddscontoso.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > entra_ldap_server.pem
The downloaded certificate can be added using the File option: browse to entra_ldap_server.pem; no password should be needed.
The certificate can also be added using the Text option and is simply a copy and paste of the certificate itself. This is described in the Curity Admin UI.
Data Source
The bulk of the configuration on the Curity Identity Server side when using Microsoft Entra ID for authentication lies in configuring an LDAP Data Source. It is not a complicated configuration, but naturally everything needs to align with how Microsoft Entra ID, Microsoft Entra ID Domain Services and secure LDAP are configured.
In the Curity Admin UI, go to Facilities and click + next to Data Sources. Give it a name, Entra_AD for example. The table below shows an example configuration for the LDAP Data Source.
| Parameter | Value |
|---|---|
| Type | ldap |
| Hostname | aaddscontoso.com |
| Port | 636 |
| Client ID | CN=John Doe,OU=AADDC Users,DC=aaddscontoso,DC=com |
| Client Secret | Pa$$w0rd1! |
| Default Root | OU=AADDC Users,DC=aaddscontoso,DC=com |
| Search scope | sub |
| Ldaps | enabled |
| Disable Hostname Verification | disabled |
| Use Truststore | enabled |
| Ldap Server Type | active-directory |
Make sure to use the correct host for your environment and that the port used (636 is default) is accessible from the Curity Identity Server.
The Client ID and Client Secret are needed if anonymous bind is not allowed. Note the format of the Client ID (a full distinguished name) and make sure the user has permission to bind to the secure LDAP interface.
Default Root is the base of the LDAP tree where Curity will start its lookup when performing verification of the credentials.
Enable Ldaps
The rest of the configurations can be left as default. Additional configurations could obviously be made as needed but are not covered by this tutorial.
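Before typing the values above into the Admin UI, it is worth checking that the certificate from the trust store step actually names the Hostname in the table (hostname verification is left enabled there) and that the Client ID and Default Root can bind and search over LDAPS. The script below is an added example, not part of Curity or Microsoft tooling; it generates a constructed self-signed stand-in for entra_ldap_server.pem so the certificate check runs offline, and the ldapsearch check is only run when you supply the bind password.

```shell
#!/bin/sh
# Added pre-flight check (not Curity's own tooling) for the trust store and Data Source
# values above: does entra_ldap_server.pem name the configured Hostname, is it close to
# expiry, and do the bind DN and Default Root work over LDAPS?
set -u

LDAP_HOST="aaddscontoso.com"                                 # Hostname from the table
LDAP_PORT=636                                                # Port from the table
BIND_DN="CN=John Doe,OU=AADDC Users,DC=aaddscontoso,DC=com"  # Client ID from the table
BASE_DN="OU=AADDC Users,DC=aaddscontoso,DC=com"              # Default Root from the table
PEM_FILE="entra_ldap_server.pem"                             # output of the openssl command above

# check_cert <pem> <host>: 0 if <pem> is one X.509 cert that names <host> and is valid
# for at least 30 more days; 1/2/3 otherwise (message on stdout)
check_cert() {
  pem="$1"; host="$2"
  openssl x509 -in "$pem" -noout 2>/dev/null \
    || { echo "not a PEM certificate: $pem"; return 1; }
  # Curity verifies the hostname (Disable Hostname Verification = disabled), so the
  # certificate subject/SAN must cover the Hostname configured in the Data Source
  openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null | grep -q ' does match ' \
    || { echo "certificate does not name $host"; return 2; }
  # An expired server certificate makes every LDAPS bind, and thus every login, fail
  openssl x509 -in "$pem" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1 \
    || { echo "certificate expires within 30 days"; return 3; }
  return 0
}

# check_bind <password>: 0 if the Client ID can bind and search the Default Root with
# scope sub over LDAPS, trusting only PEM_FILE (needs network access and ldap-utils)
check_bind() {
  LDAPTLS_CACERT="$PEM_FILE" ldapsearch -H "ldaps://$LDAP_HOST:$LDAP_PORT" \
    -D "$BIND_DN" -w "$1" -b "$BASE_DN" -s sub '(objectClass=user)' dn >/dev/null
}

# Constructed stand-in certificate so check_cert can be exercised offline; in real use
# skip this and point PEM_FILE at the certificate downloaded from the LDAPS host.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$PEM_FILE" -days 365 \
    -subj "/CN=$LDAP_HOST" -addext "subjectAltName=DNS:$LDAP_HOST" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
  make_sample_cert && check_cert "$PEM_FILE" "$LDAP_HOST" && echo "certificate OK for $LDAP_HOST"
elif [ -n "${1:-}" ]; then
  check_cert "$PEM_FILE" "$LDAP_HOST" && check_bind "$1" && echo "LDAPS bind OK as $BIND_DN"
fi
```

Run it as `sh preflight.sh demo` to exercise the certificate check on the constructed certificate, or `sh preflight.sh '<client secret>'` after downloading the real certificate to test the bind against your environment.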
Credential Manager
With a Data Source created we can now create a Credentials Manager for Microsoft Entra ID. Go to Facilities and then add a new Credential Manager.
Give it a name, Entra_CM for example. Set the Algorithm Type to plaintext and the Data Source to the newly created Data Source.
Conclusion
With the Trust Store configured, Data Source and the Credential Manager created we can now leverage Microsoft Entra ID and its secure LDAP interface to check the credentials of a user in the authentication process.
As an example, an HTML Form Authenticator could be used for authentication where it is configured to use the Credential Manager that is configured to use Microsoft Entra ID as the Data Source.
Resources
- Installing the Curity Identity Server
- Details on the Curity Basic Setup Wizard
- Microsoft Entra Domain Services
- Tutorial - Configure LDAPS for Microsoft Entra Domain Services | Microsoft Docs