Wednesday, November 29, 2023

Pulse Secure VPN Single Sign on with Azure AD

Pulse Secure is currently using an RSA Authentication Server. We are moving to Microsoft MFA so that users get the same seamless single sign-on as with any other Office 365 application. When you have multiple groups, it is straightforward to use Azure AD group object IDs to associate a different VPN profile with each set of users.

Create an Enterprise Application in Azure AD and choose Pulse Secure VPN.

Configure SAML Single Sign On

Entity ID – https://connect.azure365pro.com/dana-na/auth/saml-endpoint.cgi?p=sp1
Reply URL – https://connect.azure365pro.com/dana-na/auth/saml-consumer.cgi
Sign on URL – https://connect.azure365pro.com/vpn

As we will be passing multiple groups via SAML, add a Group Claim under Attributes and Claims.

Assign the appropriate groups under Users and Groups.

Now we need to configure three things on the Pulse Secure side:

  • Auth Server
  • Realm
  • Sign in Page with the realm we are using

Adding the Auth Server:
https://connect.azure365pro.com/dana-na/auth/saml-endpoint.cgi?p=sp1
Uploading the metadata XML should populate this information.

If you are planning to use passwordless sign-in, it is recommended to keep the AuthRequest empty (remove Password from the AuthRequest).
Otherwise, passwordless users may see this error:

AADSTS75011: Authentication method ‘X509, MultiFactor’ by which the user authenticated with the service doesn’t match the requested authentication method ‘Password’ Contact the VPN application owner.

As per Microsoft, RequestedAuthnContext is an optional value, so if possible ask the application owner whether it can be removed.

Add a different role-mapping expression for each role, matching on the group object ID:

samlMultiValAttr@AZURE-MS.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/groups} = ('419f62ec-3c45-43b0-a95c-3819cad32b00')
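The two points above (the empty AuthRequest for passwordless users, and the group-claim expression that maps a group object ID to a role) can be checked offline against captured SAML XML. The following is an added example written for this post, not code from Pulse Secure or Microsoft; the role name is hypothetical and the sample XML is constructed.

```python
# Added example (not from the post, Pulse Secure or Microsoft): two checks a VPN
# admin can script against captured SAML XML. (1) Does the SP's AuthnRequest still
# pin the Password authn context (the AADSTS75011 case for passwordless users)?
# (2) Which VPN role does the group-claim mapping select from an IdP response?
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
# Mirrors the samlMultiValAttr expression: group object ID (from the post) -> role.
GROUP_TO_ROLE = {"419f62ec-3c45-43b0-a95c-3819cad32b00": "VPN-Users-Role"}  # hypothetical role name


def requested_authn_contexts(authn_request_xml: str) -> list[str]:
    """AuthnContextClassRef values the AuthnRequest asks for ([] if none)."""
    root = ET.fromstring(authn_request_xml)
    path = "samlp:RequestedAuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, NS) if e.text]

def blocks_passwordless(authn_request_xml: str) -> bool:
    """True when the request pins Password, which X509/MultiFactor sign-ins cannot satisfy."""
    return PASSWORD_CTX in requested_authn_contexts(authn_request_xml)

def group_ids(response_xml: str) -> list[str]:
    """Every value of the multi-valued Azure AD groups claim in the assertion."""
    root = ET.fromstring(response_xml)
    attrs = root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)
    return [v.text.strip() for a in attrs if a.get("Name") == GROUPS_CLAIM
            for v in a.findall("saml:AttributeValue", NS) if v.text]

def roles_for(response_xml: str) -> list[str]:
    """Roles whose mapping matches at least one group object ID in the response."""
    return sorted({GROUP_TO_ROLE[g] for g in group_ids(response_xml) if g in GROUP_TO_ROLE})


# Constructed, minimal samples (not real captures); unsigned, for parsing only.
REQUEST_WITH_PASSWORD = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{PASSWORD_CTX}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext></samlp:AuthnRequest>"""
RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion><saml:AttributeStatement><saml:Attribute Name="{GROUPS_CLAIM}">
    <saml:AttributeValue>419f62ec-3c45-43b0-a95c-3819cad32b00</saml:AttributeValue>
    <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Run `blocks_passwordless(REQUEST_WITH_PASSWORD)` against a request captured from the SP (for example with the browser's SAML tracer) to confirm the Password context really has been dropped before rolling out passwordless.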

Create a new sign-in page bound to the newly created realm.

The new sign-in page will now redirect directly to the Microsoft Azure AD page. You can apply a Conditional Access policy to require multi-factor authentication and reduce the sign-in frequency to 24 hours if you want users to re-authenticate.

To use Conditional Access you will need Azure AD Premium P1 or P2 licences to stay compliant.

Satheshwaran Manoharan
https://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing, from shipping lines to rolling stock. In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and the Microsoft 365 stack, and has conducted numerous successful projects worldwide. Also acting as a Technical Advisor for various start-ups.
