Create a Microsoft Azure AD (SAML) realm for active authentication (captive portal)
Create and configure a Microsoft Azure Active Directory (Entra ID) realm to enable secure user authentication, certificate management, and access control for protected network resources.
This topic discusses the high-level tasks of creating a Microsoft Azure Active Directory (AD) realm (now called Entra ID) for use with the Security Cloud Control.
Before you begin
If you enabled Change Management, you must open or edit, assign, and approve a ticket for each of the following objects before you can create the realm:
- Base URL
- Service provider certificate enrollment (PKCS12 format)
- Identity provider certificate enrollment (manual format)
- The realm itself (create and assign the ticket until realm creation is complete, then approve it)
For more information, see Opening a ticket for configuration changes and Policies and objects that support change management.
Follow these steps to create a Microsoft Azure Active Directory (Entra ID) realm:
Procedure
| Step | Task |
| --- | --- |
| 1 | Create a fully-qualified host name (FQDN) using your DNS server and upload the Secure Firewall Threat Defense's internal certificate to the Security Cloud Control. You can consult a resource such as this one if you've never done it before. Specify the IP address of a routed interface on one of the devices managed by your Security Cloud Control. Consult a DNS server reference. |
| 2 | Create a network object with an associated internal certificate. |
| 3 | Get a signed certificate and upload it to the Secure Firewall Threat Defense to which Entra ID authentication requests will be sent. The certificate should be signed by a trusted Certificate Authority (CA) and delivered to you in .p12 format (also referred to as PKCS#12; see also this article on ssl.com). For background, see the section on public key infrastructure in the Cisco Secure Firewall Management Center Device Configuration Guide or stackoverflow.com. To upload the signed certificate, see Installing a Certificate Using a PKCS12 File. |
| 4 | Configure Microsoft Entra ID basic settings. Several configuration tasks are required, including setting up an event hub, giving your application permission to the Microsoft Graph API, and enabling the audit log. |
| 5 | Create a single sign-on (SSO) app in Entra ID. The SSO app enables users who request access to a protected network resource to authenticate with Entra ID. The SSO app provides both the federation XML that you can use to simplify realm creation and the identity provider certificate the Secure Firewall Threat Defense requires to securely authenticate with Entra ID. |
| 6 | Get the information required to configure your Microsoft Azure AD (SAML) realm. This information includes client and tenant IDs, the client secret, and other information stored in Microsoft Entra ID. See Get required information for your Microsoft Azure AD realm. |
| 7 | Configure a decryption policy with a Decrypt - Resign rule for the Azure Authentication Service so users can access web pages using the HTTPS protocol. The Microsoft Azure AD (SAML) realm can authenticate users only if the HTTPS traffic is decrypted before the traffic is sent to the realm. The Microsoft Azure AD (SAML) realm itself is seen by the system as the Azure Authentication Service application. |
| 8 | Do the following: |
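Before entering the identity provider details from step 5 into the realm, it is worth checking that the federation metadata XML exported from the Entra ID SSO app actually belongs to your tenant and carries a signing certificate. The script below is an added example, not code from Cisco or Microsoft: it parses the metadata with the standard library only, confirms the entityID references the expected tenant ID, collects the HTTP-Redirect and HTTP-POST single sign-on endpoints (and rejects any that are not HTTPS), and returns the SHA-256 fingerprint of the identity provider signing certificate so you can compare it with the thumbprint shown in the Entra ID portal. The embedded metadata document, tenant ID and certificate body are constructed placeholders, not real values.

```python
"""Sanity-check Entra ID SAML federation metadata before creating the realm.

Added example (not Cisco's or Microsoft's code). Standard library only.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample input: placeholder tenant ID and a placeholder certificate
# body (not real DER). Replace with the metadata exported from your SSO app.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the same value a portal thumbprint is computed from."""
    return hashlib.sha256(der).hexdigest()


def inspect_idp_metadata(xml_text: str, expected_tenant: str) -> dict:
    """Validate identity provider metadata and return the values the realm needs.

    Raises ValueError when the document is not IdP metadata for the expected
    tenant, lacks an HTTPS SSO endpoint, or carries no signing certificate.
    """
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    if expected_tenant not in entity_id:
        raise ValueError(f"entityID {entity_id!r} does not reference tenant {expected_tenant}")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    # Collect SSO endpoints by binding; the realm must talk to the IdP over HTTPS.
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError(f"non-HTTPS SSO endpoint: {location!r}")
        sso[svc.get("Binding")] = location
    if REDIRECT not in sso and POST not in sso:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")

    # Extract every signing certificate (KeyDescriptor without 'use' counts as signing).
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(cert_fingerprint(der))
    if not fingerprints:
        raise ValueError("no signing certificate in metadata")

    return {"entity_id": entity_id, "sso": sso, "signing_cert_sha256": fingerprints}


if __name__ == "__main__":
    info = inspect_idp_metadata(SAMPLE_METADATA, TENANT_ID)
    print("entityID:", info["entity_id"])
    for binding, url in info["sso"].items():
        print(f"{binding.rsplit(':', 1)[-1]}: {url}")
    print("signing cert SHA-256:", *info["signing_cert_sha256"])
```

Compare the printed fingerprint with the certificate thumbprint shown for the SSO app in the Entra ID portal before uploading the identity provider certificate (step 5) and entering the SSO URL into the realm; a mismatch means you exported metadata from a different app or tenant.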