Microsoft Entra ID (SAML2.0) - CWP

This guide provides configuration instructions for integrating Microsoft Entra ID with Genian NAC, a network access control system, for authentication functionality.

Overview

Through integration with Microsoft Entra ID solution, Genian NAC can perform user authentication via Microsoft Entra ID without the need to manage a separate NAC user database.

For user authentication, the Genian NAC CWP page redirects the user to Microsoft Entra ID using the SAML 2.0 protocol; Microsoft Entra ID verifies the user's authentication status and returns the result to the CWP, so that SSO is achieved.

Prerequisites

  • Microsoft Entra ID (formerly Azure AD) tenant
  • Microsoft Entra ID administrator privileges (Global Administrator or Application Administrator)
  • Genian NAC Web Console administrator privileges
  • Network connection (communication between Genian NAC ↔ Microsoft Entra ID)

Purpose of Integration

Genian NAC and Microsoft Entra ID integration provides the following benefits:

  • No need to manage separate user databases for NAC and Microsoft Entra ID authentication.
  • Users can authenticate to NAC using SSO with their Microsoft Entra ID accounts.

Supported Features

Microsoft Entra ID SAML integration supports the following features:

  • SP-initiated SSO
  • IdP-initiated SSO
  • JIT (Just-In-Time) Provisioning
  • Single Logout (SLO)
  • Signed Requests

For more detailed information about these features, please visit https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-setup-sso.

Integration Setup Method

The Genian NAC and Microsoft Entra ID configuration covered in this guide includes only the items essential for the integration. Once the initial one-time setup is complete, it is applied automatically thereafter.

Step 1: Create Microsoft Entra ID Enterprise Application

  1. Access https://portal.azure.com and log in with your Microsoft account.

  2. Navigate to the Microsoft Entra ID service.

  3. Click Enterprise applications in the left menu.

  4. Click the New application button at the top of the screen.

  5. Click the Create your own application button.

  6. Enter app creation information.

    • What's the name of your app?: Enter "Genian NAC CWP" (or your preferred name)
    • What are you looking to do with your application?: Select "Integrate any other application you don't find in the gallery (Non-gallery)"
    • Click the Create button.

Step 2: Configure SAML Single Sign-On

  1. On the Overview page of the created Enterprise Application, click the Single sign-on menu.

  2. Select the SAML method.

  3. Click the Edit button in the Basic SAML Configuration section.

  4. Enter the following information:

    • Identifier (Entity ID): Enter the CWP Base URL of the NAC Policy Server.

      • ex) https://test.genians.net/cwp2/faces/saml2/saml2Metadata.xhtml
    • Reply URL (Assertion Consumer Service URL): Enter the automatically generated ACS URL for the NAC Policy Server CWP Base URL.

      • You can find this value in the SP ACS URL field on the Genian NAC Web Console > Preferences > User Authentication > Authentication Integration > SAML2 Authentication Integration screen.
      • ex) https://test.genians.net/cwp2/faces/saml2/saml2Acs.xhtml
    • Sign on URL: Enter the CWP Base URL of the NAC Policy Server. (Optional)

      • ex) https://test.genians.net/cwp2
  5. Click the Save button.

Step 3: Configure Attributes & Claims

  1. Click the Edit button in the Attributes & Claims section.

  2. Verify the default Claims provided:

    • Unique User Identifier (Name ID): user.userprincipalname
    • givenname: user.givenname
    • surname: user.surname
    • emailaddress: user.mail
    • name: user.userprincipalname
  3. If using JIT provisioning functionality, verify that the above default Claims are configured to be included in the SAML Response.

Note

The SAML attributes givenname, surname and emailaddress are already predefined in Microsoft Entra ID. Attributes beyond the predefined ones can be added using the Attributes & Claims menu.

Step 4: Verify SAML Signing Certificate and IdP Information

  1. Download the Certificate (Base64) from the SAML Certificate section.

  2. Open the downloaded certificate file in a text editor and copy its contents.

  3. Verify the following IdP information in the Set up Genian NAC CWP section:

    • Login URL (used as IdP SSO URL)
    • Microsoft Entra Identifier (used as IdP Entity ID)
    • Logout URL (used as IdP SLO URL when using Single Logout)
  4. In Genian NAC Web Console > Preferences > User Authentication > Authentication Integration > SAML2 Authentication Integration, copy and enter the following values from Microsoft Entra ID:

    • IdP SSO URL - Microsoft Entra ID's Login URL.
    • IdP Entity ID - Microsoft Entra ID's Microsoft Entra Identifier.
    • x509 Certificate - Copy and paste the contents of the downloaded Certificate (Base64) file.
  5. To use JIT provisioning functionality, change JIT provisioning to 'On' in NAC.

    • In NAC UI's JIT provisioning > Additional Information, click the add button to set the user account's name and email.

      • For the Name column, enter the IdP attribute value {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname} {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname}.

      • For the Email column, enter the IdP attribute value http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.

        • Microsoft Entra ID does not create a Claim if the Source attribute value is empty. Verify that the Mail, First name, and Last name values in the user profile are filled, or change the Source attribute to an existing attribute.
        • IdP attribute values must specify Claim names. By default these are in namespace format (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname).
        • If the namespace is removed from the claim in Microsoft Entra ID, the claim is identified by the value set in its Name field alone.
  6. To use Single Logout (SLO), turn Single Logout(SLO) setting to 'On' in NAC.

    • You must download NAC's SP X.509 certificate and upload it to Microsoft Entra ID. The SP's certificate is required to use the SLO functionality.
    • Click the Edit button in Verification certificates (optional) of the SAML Signing Certificate section in Microsoft Entra ID.
    • Check Require verification certificates and upload NAC's SP X.509 certificate.
    • IdP SLO URL - Copy and paste Microsoft Entra ID's Logout URL into NAC.
  7. To use Signed Requests, turn the Signed Requests setting to 'On' in NAC.

    • Download NAC's SP X.509 certificate and upload it to the SAML Signing Certificate section in Microsoft Entra ID. The SP's certificate is required to use the Signed Requests functionality.
    • Click the Edit button in Verification certificates (optional) of the SAML Signing Certificate section in Microsoft Entra ID.
    • Check Require verification certificates and upload NAC's SP X.509 certificate.
  8. In Login Button Text, enter the text to display on the Microsoft Entra ID authentication button shown on the Genian NAC CWP authentication screen.

  9. Click the Update button at the bottom of the Genian NAC Web Console configuration screen.

Note

Please ensure that the Identifier and Reply URL fields in Basic SAML Configuration are correctly entered. Incorrect values will prevent authentication to NAC via SAML.

  • ex) Identifier: https://test.genians.net/cwp2/faces/saml2/saml2Metadata.xhtml
  • ex) Reply URL: https://test.genians.net/cwp2/faces/saml2/saml2Acs.xhtml
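As an added illustration (not part of the Genians documentation or product code), the following Python checks a SAML Response the way the NAC SP must: the Audience has to equal the Identifier (Entity ID) and the Destination the Reply URL named in the Note above, and the JIT Name/Email column templates from Step 4 are resolved against the claims, reporting a claim that Entra ID omitted because its source attribute was empty. The sample response, NameID and person names are constructed placeholders; signature verification against the uploaded certificate, which a real SP performs before any of this, is omitted.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Constructed sample (not a real capture): unsigned Entra ID-style Response; the emailaddress claim
# is omitted on purpose, as Entra ID does when the source attribute (user.mail) is empty.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://test.genians.net/cwp2/faces/saml2/saml2Acs.xhtml">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@contoso.example</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://test.genians.net/cwp2/faces/saml2/saml2Metadata.xhtml</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_response(xml_text):
    """Extract what the NAC SP needs: Destination, Audience, NameID and a claim-name -> values map."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    attrs = {att.get("Name"): [v.text or "" for v in att.iterfind("saml:AttributeValue", NS)]
             for att in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return {"destination": root.get("Destination"),
            "audience": a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS),
            "name_id": a.findtext("saml:Subject/saml:NameID", None, NS), "attributes": attrs}

def check_sp_urls(parsed, sp_entity_id, sp_acs_url):
    """The two Basic SAML Configuration fields: Identifier must equal Audience, Reply URL must equal Destination."""
    expected = {"Audience does not match Identifier (Entity ID)": (parsed["audience"], sp_entity_id),
                "Destination does not match Reply URL (ACS URL)": (parsed["destination"], sp_acs_url)}
    return [problem for problem, (got, want) in expected.items() if got != want]

def resolve_template(template, attributes):
    """Expand '{claim}' placeholders (a bare claim URI is one placeholder); None if any claim is absent."""
    claims = re.findall(r"\{([^{}]+)\}", template) or [template]
    missing = [c for c in claims if not attributes.get(c)]
    if missing:
        return None, missing
    if "{" not in template:
        return attributes[template][0], []
    return " ".join(re.sub(r"\{([^{}]+)\}", lambda m: attributes[m.group(1)][0], template).split()), []

def jit_profile(parsed, name_template, email_template):
    """Account that JIT provisioning would build from NameID plus the Name and Email column templates."""
    name, miss_n = resolve_template(name_template, parsed["attributes"])
    email, miss_e = resolve_template(email_template, parsed["attributes"])
    return {"username": parsed["name_id"], "name": name, "email": email, "missing_claims": miss_n + miss_e}
```

A non-empty list from check_sp_urls reproduces the failure the Note warns about (for instance, entering the Sign on URL as the Identifier), and a None email shows why the user profile's Mail field must be filled before JIT provisioning can succeed.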

Step 5: Add and Assign Accounts for Microsoft Entra ID Authentication Integration

If the users are already registered, skip to step 5.

  1. Navigate to Groups in the Microsoft Entra ID console menu.

  2. Click the New group button at the top of the screen to create a group.

    • Group type: Select "Security"
    • Group name: Enter a group name (e.g., "NAC CWP Users")
    • Group description: Enter group description
    • Members: Select users to add
    • Click the Create button
  3. Navigate to Users in the Microsoft Entra ID console menu.

  4. Click the New user button at the top of the screen to add a user.

    • Select Create new user
    • User principal name: Enter user account
    • Display name: Enter user name
    • Password: Set initial password
    • Groups: Select the Group created in step 2
    • Click the Create button

Note

The Password option allows you to choose whether the administrator should set the password during creation or require the user to change it on first login.

  5. Navigate to Enterprise applications in the Microsoft Entra ID console menu.
  6. Click the "Genian NAC CWP" application registered above.
  7. Click Users and groups in the left menu.
  8. Click the Add user/group button at the top of the screen.
  9. Select the users or groups that will authenticate through the application.
  10. Click the Assign button to complete the assignment.

Authentication Integration Testing Method

Using Application URL (IdP-initiated SSO)

  1. Check the User access URL in the Properties menu of the Enterprise Application.
  2. You can log in to NAC CWP through that link.

Testing from Genian NAC Web Console (SP-initiated SSO)

  1. Access the Web Console and click the Test button in Preferences > User Authentication > Authentication Integration > Authentication Test.
  2. Select SAML2 as the authentication repository in the popup window.
  3. A Microsoft Entra ID authentication page is displayed in a new popup window; enter your username and password to authenticate.
  4. Complete additional authentication if Multi-Factor Authentication (MFA) is configured.
  5. If the message 'Authentication successful.' is displayed, the authentication integration is working properly.

Testing from Genian NAC CWP Page (SP-initiated SSO)

  1. Prepare a device (node) to which a Genian NAC node policy with a password policy has been assigned.
  2. Access the Genian NAC CWP page.
  3. Click the Authenticate button on the CWP page.
  4. Click the authentication button configured in Step 4 above on the authentication screen.
  5. A Microsoft Entra ID authentication page is displayed in a new popup window; enter your username and password to authenticate.
  6. Complete additional authentication if Multi-Factor Authentication (MFA) is configured.

Testing Single Logout (SLO)

  1. Configure SLO functionality to be enabled.
  2. Authenticate using SSO functionality.
  3. Log out using the logout button at the top of the CWP page.
  4. If you are prompted to enter your Microsoft Entra ID account information when attempting SAML authentication again, SLO is working properly.

Note

After setting up authentication integration, you must add the Microsoft Entra ID IdP domain to the Enforcement Policy permissions so that the authentication integration window is displayed even in a blocked state.

How to add permissions:

  1. Go to Policy > Objects > Network.
  2. Select Tasks > Create.
  3. Enter the General information.
  4. Under Network Address, select FQDN and enter the IdP domain (e.g. login.microsoftonline.com).
  5. Click Create.
  6. Go to the Permissions menu.
  7. Create a permission using the created network object.
  8. Assign the created permission to the Enforcement Policy that controls the device network.