Appendix G - Creating a SSO and MFA OpenID Connect Integration with Microsoft Entra ID

As of version 8.7.0, Snare Central can be configured to allow login with a Microsoft Entra ID (formerly Azure Active Directory) account.

This guide explains how to set up and configure Snare Central to perform SSO and MFA authentication via Microsoft Entra ID.

As a general description, configuring Microsoft Entra ID support for Snare Central involves the following steps:

  • Create and configure a new Application for Snare Central in the Azure portal

  • Create and configure Microsoft Entra ID groups

  • Add a new IAM Service Provider in the Configuration Wizard

  • Retrieve the groups from Microsoft Entra ID

  • Enable the Microsoft Entra ID service provider

  • Grant access rights to Microsoft Entra ID groups

  • Log in to Snare Central using the Microsoft Entra ID credentials

A detailed description of each of the above steps follows.

1. Create and configure a new Application for Snare Central in the Azure portal

Microsoft Entra ID lets you enable Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for your applications using OpenID Connect. This section explains how to register a new Application in the Azure portal so that Snare Central can connect to the Microsoft Entra ID API.

Before you begin, you need a verified Microsoft Entra ID account that holds an appropriate role (see the note below).

Snare Central uses the Microsoft Entra ID flow called redirect authentication: a user sign-in flow that hands authentication over to Microsoft Entra ID by redirecting the user's browser to the Microsoft Entra ID hosted sign-in page. This flow uses open protocols such as OAuth 2.0.

The first task is therefore to configure your Microsoft Entra ID environment so that it can communicate with Snare Central.

NOTE: The following steps require the verified Microsoft Entra ID account to hold one of these roles: Application Developer, Cloud Application Administrator, Privileged Role Administrator or Global Administrator.

Create a New Application

  • Log in to the Azure portal with your Microsoft Entra ID account and navigate to the Microsoft Entra ID dashboard.

  • On the Microsoft Entra ID dashboard, click Manage, then App registrations. On the Registered apps page, click New registration.

image-20250603-060754.png
  • In the “New registration” form, enter the name of the application and click the Register button.

image-20250603-061508.png


Configure the created Application

The newly created application must then be configured in three steps:

  • Configure the Redirect URI

  • Create a Client Secret

  • Configure the API permissions


a. Configure the Redirect URI
  • Click Add a Redirect URI.

image-20250603-071023.png
  • Then click Add a platform and select “Web”.

image-20250604-064138.png
  • Fetch the Redirect URI from Snare Central: go to System → Administrative Tools → Configuration Wizard, then to the Identity and Access Management Setup section, and copy the URL shown in the Sign-In Redirect URL field.

image-20250604-081141.png
  • Paste it into the “Redirect URIs” field, check “ID tokens”, then click Configure.

image-20250604-061342.png


b. Create a Client Secret
  • Go to the application's Overview page, then click Add a certificate or secret.

image-20250604-062109.png
  • Click + New client secret, enter any Description you like, select the desired expiry date, then click Add.

image-20250604-062649.png
  • Copy the “Value” field and save it in a safe place immediately: the value is masked after a page refresh or on any later visit to the page. This secret value is needed later when setting up the Snare Central IAM service provider.

image-20250604-062938.png


c. Configure the required API permissions
  • Click API permissions, then Add a permission, then “Microsoft Graph”.

image-20250604-065353.png
  • Select “Delegated permissions” and check Directory.Read.All, Directory.ReadWrite.All, Group.Read.All and Group.ReadWrite.All, then click Add.
    Select “Application permissions” as well and apply the same set of permissions there.

image-20250604-071227.png
  • Grant admin consent for the assigned API permissions by clicking “Grant admin consent for …”.

image-20250604-081609.png


2. Create and configure Microsoft Entra ID groups

  • These groups are dedicated to Snare Central authentication and access configuration.

  • In Microsoft Entra ID dashboard, click Groups, then click New group.

  • Create the group or groups that will be given access to Snare Central.

  • The name of each group MUST start with the group prefix defined in the IAM section of the Configuration Wizard on the Snare Central server (default is “Snare_Central.”).

  • The prefix itself is configurable in Snare Central, so you can choose a different one if required.

image-20250604-075513.png
  • Assign members to each newly created group by clicking No members selected.

image-20250604-074712.png


3. Add a new IAM Service Provider in the Configuration Wizard

  • Only the Snare Central Administrator account and other administrators are allowed to add and configure IAM service providers.

  • On the Snare Central server, go to System → Administrative Tools → Configuration Wizard, then to the Identity and Access Management Setup section, and click the Add button.

  • On the form, select “Microsoft-Entra-Id” under IAM Providers, then fill in the other fields using the details below.

    image-20250605-061736.png
    • IAM Domain: “login.microsoftonline.com”, a fixed value for the Microsoft Entra ID service provider.

    • Tenant ID and Client ID: both are taken from the Microsoft Entra ID dashboard. Open the application created in step “Create a New Application”, copy the value of “Directory (tenant) ID” into Tenant ID, and copy the value of “Application (client) ID” into Client ID.

      image-20250605-060739.png
    • Client Secret: the secret value generated in step “Configure the created Application” → “Create a Client Secret”.

  • Then click Add to add the Microsoft Entra ID service provider.

NOTE: Only one Microsoft Entra ID service provider can exist at a time. To modify its settings, select the Microsoft Entra ID service provider and click the Settings button.

4. Retrieve the groups from Microsoft Entra ID

  • Select the Microsoft Entra ID service provider and click the Retrieve Groups button.

  • Before retrieving, make sure the groups created in the Microsoft Entra ID dashboard carry the correct name prefix; see “2. Create and configure Microsoft Entra ID groups” for proper group creation.

image-20250605-062220.png
image-20250605-062940.png


5. Enable the Microsoft Entra ID service provider

  • Select the Microsoft Entra ID service provider and click the Enable button.

image-20250605-063222.png

NOTE: No IAM service provider can be enabled while LDAP is enabled on Snare Central. Disable the LDAP settings first, then enable the IAM service provider.

6. Grant access rights to Microsoft Entra ID groups

  • Go to System → Administrative Tools → Manage Access Control and assign access to Reports and the other Snare Central pages, as needed, for the group or groups retrieved from Microsoft Entra ID.

image-20250605-070354.png
image-20250605-070558.png


7. Log in to Snare Central using the Microsoft Entra ID credentials

  • Snare Central uses the Microsoft Entra ID redirect authentication model: a user sign-in flow that hands authentication over to Microsoft Entra ID by redirecting the user's browser to the Microsoft Entra ID hosted sign-in page. This flow uses open protocols such as OAuth 2.0.

  • Log out of any existing Snare Central session (or use a different browser), then visit the Snare Central server.

  • A new button, “CONTINUE with MICROSOFT-ENTRA-ID”, is shown on the login page.

  • When the button is clicked, the user is redirected to the Microsoft Entra ID login page, where the Microsoft Entra ID credentials are requested and authenticated.

  • Microsoft Entra ID may require Multi-Factor Authentication (MFA), depending on the tenant's Microsoft Entra ID configuration.

image-20250605-071337.png
image-20250605-071556.png

  • Upon successful sign-in, Microsoft Entra ID redirects the user back to Snare Central, where group membership is verified; if it checks out, the user is granted access at the group's authorization level.

image-20250801-054605.png

Troubleshooting Guide

This section lists common issues you may encounter while configuring the Microsoft Entra ID IAM service provider, and how to resolve them.

1. Unable to retrieve groups from Microsoft Entra ID due to invalid or expired credentials, or incorrect API permissions

Error sample:

image-20250609-065456.png


Possible resolution:

  • Go to the Microsoft Entra ID dashboard and open the application created in the section “Configure the created Application”.

  • On the Overview page, check that the Directory (tenant) ID matches the configured Tenant ID and that the Application (client) ID matches the configured Client ID.

  • On the Certificates & secrets page, check that the Client Secret has not expired. A “!” icon indicates that the Client Secret has already expired.

    image-20250609-070024.png
  • If the client secret has expired, create a new one by clicking the New client secret button, and make sure to copy and save the generated secret value.

  • On the API permissions page, check that the API permissions are configured correctly; see the section “Configure the required API permissions” for the required set.

  • Once everything is in order, update the Microsoft Entra ID IAM service provider settings (if changes are needed) by clicking the Settings button, then click Retrieve Groups again.


2. Unable to retrieve groups from Microsoft Entra ID due to an incorrect group name

Error sample:

image-20250609-064755.png

Possible resolution:

  • Go to the Microsoft Entra ID dashboard and review the groups. Check that at least one group name starts with the right prefix; in this example the name must begin with “Snare_Central.”, which is the configured value of the Default Group Prefix field.

  • Once the group name has been corrected, wait 5 minutes, then click Retrieve Groups again.
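The pre-flight check below is an added example, not part of Snare Central or of Microsoft's tooling. It reproduces offline the conditions behind troubleshooting items 1 and 2 and the Retrieve Groups step: the Tenant ID and Client ID are well-formed GUIDs, the client secret has not passed its expiry date, and at least one group name starts with the configured prefix. The group listing is a constructed sample in the shape Microsoft Graph returns for GET /v1.0/groups; the check functions and their messages are this example's own.

```python
"""Pre-flight check for the Snare Central "Retrieve Groups" step against Microsoft Entra ID.

Added example (not Snare Central or Microsoft code). Runs entirely offline on values the
administrator copied from the Azure portal plus a sample Graph group listing.
"""
import re
from datetime import date

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DEFAULT_PREFIX = "Snare_Central."  # default Default Group Prefix in the Configuration Wizard

# Constructed sample in the shape Microsoft Graph returns for GET /v1.0/groups.
SAMPLE_GROUPS = {
    "value": [
        {"id": "11111111-1111-1111-1111-111111111111", "displayName": "Snare_Central.Analysts"},
        {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Snare Central Admins"},
        {"id": "33333333-3333-3333-3333-333333333333", "displayName": "Finance"},
    ]
}


def check_ids(tenant_id, client_id):
    """Problems with the values copied from the app's Overview page (empty list = fine)."""
    problems = []
    if not GUID_RE.match(tenant_id):
        problems.append("Tenant ID is not a GUID: copy 'Directory (tenant) ID' from the Overview page")
    if not GUID_RE.match(client_id):
        problems.append("Client ID is not a GUID: copy 'Application (client) ID' from the Overview page")
    return problems


def secret_is_valid(expires_on, today):
    """True while the secret's expiry (YYYY-MM-DD, as listed under Certificates & secrets) is after today."""
    return date.fromisoformat(expires_on) > date.fromisoformat(today)


def matching_groups(graph_response, prefix=DEFAULT_PREFIX):
    """displayNames that start with the configured prefix, i.e. the groups Snare Central would import."""
    return [g["displayName"] for g in graph_response["value"] if g["displayName"].startswith(prefix)]


def preflight(tenant_id, client_id, secret_expires_on, today, graph_response, prefix=DEFAULT_PREFIX):
    """Collect every finding that would make Retrieve Groups fail; an empty list means go ahead."""
    findings = check_ids(tenant_id, client_id)
    if not secret_is_valid(secret_expires_on, today):
        findings.append("Client secret has expired: create a new one and update the provider via Settings")
    if not matching_groups(graph_response, prefix):
        findings.append(f"No group name starts with {prefix!r}: rename a group, wait 5 minutes, retry")
    return findings


if __name__ == "__main__":  # demo run with a deliberately bad Client ID and an expired secret
    for f in preflight("0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b", "not-a-guid", "2024-12-31", "2025-06-09", SAMPLE_GROUPS):
        print("FINDING:", f)
```

Note that “Snare Central Admins” in the sample is not imported: the prefix match is exact, so a group whose name merely resembles the prefix still triggers troubleshooting item 2.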


3. Unable to log in with Microsoft Entra ID due to missing groups in the IAM service provider

Error sample:

image-20250609-075026.png


Possible resolution:

  • Using the Administrator account, go to Snare Central, then to the Configuration Wizard, then to Identity and Access Management Setup.

  • Select the Microsoft-Entra-Id provider, then click Retrieve Groups to fetch the groups dedicated to Snare Central's IAM service authentication.

  • Once the groups have been retrieved, try to log in again.


4. Unable to log in with Microsoft Entra ID because the user is not authorized

Error sample:

image-20250609-074412.png


Possible resolution:

  • Go to the Microsoft Entra ID dashboard and open the groups dedicated to Snare Central's IAM service authentication.

  • Make sure the users are assigned to those groups; see the section “2. Create and configure Microsoft Entra ID groups” on how to create groups and assign members to them.

  • Once the members have been assigned, wait 5 minutes, then try to log in again.


5. Unable to access Snare Central pages upon successful login

Error sample:

image-20250609-080437.png


Possible resolution:

  • Using the Administrator account, assign and grant the necessary page permissions by following the section “6. Grant access rights to Microsoft Entra ID groups”.

  • Once the permissions have been assigned, ask the affected users to refresh their pages; they should then be able to access the pages for which permissions were granted.