/images/resources/tutorials/application/tutorials-microsoft-entra-id.png

How to Use Microsoft Entra ID For Credential Verification

On this page

Overview

It is possible to expose Microsoft Entra ID as a secure LDAP after Microsoft Entra ID Domain Services has been enabled. This article will not cover how to configure Microsoft Entra ID but will address how to configure the Curity Identity Server to leverage the secure LDAP (LDAPS) interface of Microsoft Entra ID as a Data Source and with that used as a Credential Manager for credential verification.

Prerequisites

Configure Curity

Curity can be configured to use LDAP as a Data Source out-of-the-box. With some specific configurations we can allow Curity to connect to a secure LDAP and then use that Data Source in a Credential Manager that will verify a users credentials in the authentication process.

Server Trust Store

Curity needs the Microsoft Entra ID certificate in order to communicate with Microsoft Entra ID and the secure LDAP interface.

If the certificate is not available it can be obtain directly in the Curity Admin UI. Go to FacilitiesKeys and CryptographyTrust Anchors, then add a new Server Trust Store. Select the host option and enter the Microsoft Entra ID secure LDAP host and port, Ex. aaddscontoso.com:636, click Next, give it a name and then click Ok.

Obtain certificate using openssl

Alternatively the certificate can be obtained using openssl. Execute the following from a command prompt:

shell
123
openssl s_client -connect aaddscontoso.com:636 \
-showcerts </dev/null 2>/dev/null | openssl x509 \
-outform PEM > entra_ldap_server.pem

The downloaded certificate can be added using the File option, browse to entra_ldap_server.pem, no password should be needed.

The certificate can also be added using the Text option and is simply a copy and paste of the certificate itself. This is described in the Curity Admin UI.

Data Source

The bulk of the configuration on the Curity Identity Server side in using Microsoft Entra ID for authentication lies in configuring an LDAP Data Source. It is not a complicated configuration but naturally all things need to align with how Microsoft Entra ID, Microsoft Entra ID Domain Services and secure LDAP is configured.

In the Curity Admin UI, go to Facilities, click + next to Data Sources. Give it a name, Entra_AD for example. The below table shows an example configuration for the LDAP Data Source.

ParameterValue
Typeldap
Hostnameaaddscontoso.com
Port636
Client IDCN=John Doe,OU=AADDC Users,DC=aaddscontoso,DC=com
Client SecretPa$$w0rd1!
Default RootOU=AADDC Users,DC=aaddscontoso,DC=com
Search scopesub
Ldapsenabled
Disable Hostname Verificationdisabled
Use Truststoreenabled
Ldap Server Typeactive-directory

Make sure to use the correct host for your environment and that the port used (636 is default) is accessible from the Curity Identity Server.

The Client ID and Secret is needed if anonymous bind is not allowed. Note the format of the Client ID and make sure the user has permissions to bind to the secure LDAP.

Default Root is the base of the LDAP tree where Curity will start its lookup when performing verification of the credentials.

Enable Ldaps

The rest of the configurations can be left as default. Additional configurations could obviously be made as needed but are not covered by this tutorial.

Credential Manager

With a Data Source created we can now create a Credentials Manager for Microsoft Entra ID. Go to Facilities and then add a new Credential Manager.

Give it a name, Entra_CM for example. Set the Algorithm Type to plaintext and the Data Source to the newly created Data Source.

Conclusion

With the Trust Store configured, Data Source and the Credential Manager created we can now leverage Microsoft Entra ID and its secure LDAP interface to check the credentials of a user in the authentication process.

As an example, an HTML Form Authenticator could be used for authentication where it is configured to use the Credential Manager that is configured to use Microsoft Entra ID as the Data Source.

Resources

Join our Newsletter

Get the latest on identity management, API Security and authentication straight to your inbox.

Start Free Trial

Try the Curity Identity Server for Free. Get up and running in 10 minutes.

Start Free Trial