Configure Azure AD as an external identity provider
BlastShield™ is SCIM 2.0 enabled and supports integration with identity providers such as Okta, Azure AD and One Identity. SCIM support allows user accounts to be created automatically in BlastShield™ when new user accounts are assigned to the SCIM application in the IdP. User account status and user information are then kept up to date in BlastShield™ automatically whenever they change in the IdP. BlastShield™ also supports OIDC (OpenID Connect), which lets the Orchestrator authenticate users against the IdP's SSO during user registration.
Users and user groups will be provisioned by the identity provider and the user authentication can either use the BlastShield™ Mobile Authenticator app or the Identity Provider's SSO credentials, depending on the configuration.
Your Orchestrator must have an SSO portal hostname configured for your network. Please contact support@blastwave.com to get one configured.
You must have administrative read/write access to the BlastShield™ Orchestrator and to the Azure AD configuration portal.
Set up OpenID Authentication.
Configure the SCIM Provisioning.
In the Azure Portal, type in “App registrations” in the top search bar and select the “App registrations” service.
Open the BlastShield™ Orchestrator in a new browser tab and from the settings menu on the left, go to the “Identity Provider” settings page.
Click on the Enable External Identity Provider checkbox.
In User Authentication Method, choose from one of the following two options:
To use the BlastShield Mobile Authenticator as the authentication method, select the option for BlastShield Authenticator.
To use the IdP's own SSO as the authentication method, select the option for SSO Credentials.
Copy the Redirect URI from the OpenID section to the clipboard.
Go back to the Azure Portal tab, click on "New registration" and enter “BlastShield Authentication” as the name.
Under the Redirect URI section select “Web” from the dropdown menu and paste the redirect URI you copied from the BlastShield Orchestrator.
Click on “Endpoints” in the action bar and copy the “OpenID Connect metadata document” URL into the clipboard.
Paste the URL into the BlastShield Orchestrator as the “Domain”. Remove the extra “https://” from the beginning of the URL and remove “/.well-known/openid-configuration” from the end.
Under the “Essentials” section copy the “Application (client) ID” value and paste it into the “Client ID” field in the BlastShield Orchestrator tab.
Click the “Add a certificate or secret” link next to “Client credentials”.
Select “New client secret”, then click on Add in the newly opened right hand popup.
Copy the client secret value to the clipboard and paste it into the BlastShield Orchestrator as the Client Secret.
From the left-hand menu select “Expose an API”, click on “Add a scope” and enter “api://BlastShield” as the “Application ID URI”. Select “Save and Continue”. As the “Scope Name” enter “Register”.
Select “Admins and users” for “Who can consent?”.
Enter “BlastShield Authenticator Registration” for “Admin consent display name”, “Admin consent description”, “User consent display name” and “User consent description”.
Click on “Add scope”.
From the left-hand menu select “API permissions” and click on “Add a permission”. Select “My APIs” and click on “BlastShield Authentication”. Check the “Register” permissions checkbox and click on “Add permissions”.
In the BlastShield Orchestrator, enter “api://BlastShield/Register” as a “Custom Scope”.
In the left-hand navigation select “Manifest” and in the JSON, set “accessTokenAcceptedVersion” to 2 and click on “Save”.
Type “Enterprise applications” in the top search bar and select the “Enterprise applications” service.
Select “BlastShield Authentication” and click on the “Users and groups” link in the navigation menu. Assign the application to the appropriate set of users and groups.
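Two of the steps above are easy to get subtly wrong: deriving the “Domain” value from the metadata document URL, and leaving the manifest on v1 tokens or with the custom scope not actually exposed. The following pre-flight check is an added example, not BlastShield or Microsoft code; apart from “accessTokenAcceptedVersion”, which the guide names, the manifest field names (“identifierUris”, “api.oauth2PermissionScopes”) are assumptions about the Azure app manifest, and the tenant ID and manifest values are constructed samples.

```python
"""Pre-flight checks for the OpenID half of the BlastShield / Azure AD setup.

Added example, not BlastShield or Microsoft code. Apart from
"accessTokenAcceptedVersion", the manifest field names are assumptions about
the Azure app manifest; the sample values below are constructed.
"""
import json

WELL_KNOWN = "/.well-known/openid-configuration"


def domain_from_metadata_url(url: str) -> str:
    """Turn the 'OpenID Connect metadata document' URL into the Orchestrator
    'Domain' value: drop the https:// prefix and the well-known suffix."""
    if not url.startswith("https://"):
        raise ValueError("metadata URL must use https://")
    if not url.endswith(WELL_KNOWN):
        raise ValueError("URL does not end with " + WELL_KNOWN)
    return url[len("https://"):-len(WELL_KNOWN)].rstrip("/")


def check_manifest(manifest: dict, custom_scope: str) -> list[str]:
    """Return the problems found in the app-registration manifest;
    an empty list means it matches what the guide requires."""
    problems = []
    if manifest.get("accessTokenAcceptedVersion") != 2:
        problems.append("accessTokenAcceptedVersion must be 2 (v2 tokens)")
    app_uri, _, scope_name = custom_scope.rpartition("/")
    if app_uri not in manifest.get("identifierUris", []):  # assumed field name
        problems.append(f"{app_uri} is not an Application ID URI")
    scopes = manifest.get("api", {}).get("oauth2PermissionScopes", [])  # assumed
    if not any(s.get("value") == scope_name and s.get("isEnabled", True)
               for s in scopes):
        problems.append(f"scope {scope_name!r} is not exposed or not enabled")
    return problems


# Constructed sample values (placeholder tenant ID, not a real tenant).
SAMPLE_METADATA_URL = ("https://login.microsoftonline.com/"
                       "00000000-0000-0000-0000-000000000000/v2.0" + WELL_KNOWN)
SAMPLE_MANIFEST = json.loads("""{
  "accessTokenAcceptedVersion": 2,
  "identifierUris": ["api://BlastShield"],
  "api": {"oauth2PermissionScopes": [{"value": "Register", "isEnabled": true}]}
}""")

if __name__ == "__main__":
    print("Domain:", domain_from_metadata_url(SAMPLE_METADATA_URL))
    print("Problems:", check_manifest(SAMPLE_MANIFEST, "api://BlastShield/Register"))
```

Paste your own metadata document URL and the manifest JSON exported from the portal in place of the sample values; an empty problem list and a Domain without scheme or suffix are what the Orchestrator expects.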
In the Azure Portal, type “Enterprise applications” in the top search bar and select the “Enterprise applications” service.
Click on “New application” and then select “Create your own application”.
Enter “BlastShield” as the name of your app and select “Integrate any other application you don't find in the gallery (Non-gallery)” and click “Create”.
Select “Users and groups” in the left-hand menu and assign the appropriate set of users and groups. The same set of users that was assigned to the “BlastShield Authentication” application should be used.
Select “Provisioning” in the left-hand menu and click on “Get Started”. Select “Automatic” as the “Provisioning Mode”.
From the BlastShield™ Orchestrator copy the “SCIM Endpoint” URL and paste it into the “Tenant URL” field in Azure.
In the BlastShield™ Orchestrator click on “Generate Token” next to the SCIM Endpoint URL and copy the token to the clipboard. Paste the token into the Azure “Secret Token” field.
Click “Save Changes” in the BlastShield™ Orchestrator and then on “Test Connection” in Azure to make sure the connection is working.
Select “Save”.
Click on “BlastShield|Provisioning” in the top menu and select “Start Provisioning”.
You can optionally select “Provision on demand” and select a user or group for quicker provisioning to test the setup.
If you are using the BlastShield Mobile Authenticator app as the user authentication method, the BlastShield™ User Registration portal will now be available at the URL displayed in the BlastShield™ Orchestrator under REGISTRATION PORTAL > Registration URL. It will be of the format https://<your-domain>.blastshield.app
Note
When this configuration is completed, users and groups which are assigned to the BlastShield™ application in Azure will be automatically provisioned into the BlastShield™ Orchestrator, and will be available to use in BlastShield™ policies. It is not possible to modify the provisioned groups from the Orchestrator, but you can add a provisioned user to BlastShield™-created groups. The choice of SSO credentials or BlastShield Mobile Authenticator for user authentication is a global setting.
If you are using the BlastShield Mobile Authenticator app as the user authentication method, you must first register a new user as explained here: Register a new user created by an external identity provider - Mobile Authenticator app. If you are using your SSO credentials for user authentication, you can skip this step.
Note: This is a one-time process. It is only required again if you want to reset the user authentication.
To connect to BlastShield™, use one of the following methods, depending on how you authenticate:
If you are using the Mobile Authenticator app for user authentication, connect using this method: Connect to BlastShield™ using the Desktop Client
If you are using your SSO credentials for user authentication, connect using this method: Remote User Access using SSO credentials for user authentication