Configuring Microsoft Entra ID External Authentication Methods (EAM) application in Verify
Configure the Microsoft Entra ID EAM application in the IBM® Verify administration console.
Before you begin
- You must have administrative permissions to complete this task.
- Log in to the IBM Verify administration console.
- Configure a Custom Token Type in Verify.
Procedure
- Select Applications > Applications.
- Select Add application.
- Select Microsoft Entra ID EAM and select Add application.
- Select the Sign-on tab and specify the following information:

  | Settings | Description |
  | --- | --- |
  | Redirect URIs | The redirect URI required by Entra ID. Leave the default value. |
  | ID token hint custom token type | Specifies the Custom Token Type used to validate id_token_hint from Entra ID. For more information about Custom Token Type, see Managing Custom Token Types. |
  | Use default session lifetime | Specifies the session lifetime that is applied when Verify is not the Identity Provider (IdP). |
  | Authentication session expiry (secs) | Specifies the authentication lifetime when Verify is not the Identity Provider (IdP). |
  | Perform first-factor authentication when no valid session is present | Checked – When Verify is configured as the Identity Provider (IdP) for Entra ID, single-factor authentication (1FA) is required if no active login session is detected during two-factor authentication (2FA). Unchecked – An error is returned if no login session is found, or the user is provisioned through Just-In-Time Provisioning (JITP) when not available in Cloud Directory. |
  | Access policies | Specifies the access policy for second-factor authentication. |

- Navigate to the Endpoint configuration section, and add the following custom mapping rules:

  | Target Attribute | Value |
  | --- | --- |
  | amr | `[idsuser.factors_completed.map(item, item.split(",")).flatten().map(f, f == "smsotp" ? "sms" : f == "emailotp" ? "otp" : f == "totp" ? "otp" : f == "voiceotp" ? "tel" : f == "fido2" ? "fido" : f == "signatures_face" ? "face" : f == "signatures_fingerprint" ? "fpt" : f == "signatures" ? "pop" : f == "signatures_userPresence" ? "pop" : f == "behavioral_biometrics" ? "vbm" : f == "password" ? "pwd" : f).filter(mapped, mapped in requestContext.claims_idtoken_amr)[0]]` |
  | acr | `requestContext.claims_idtoken_acr` |
  | sub | `requestContext["id_token_hint_claims"]["sub"]` |

- Click Save.
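
To check which amr value the mapping rule above yields for a given set of completed factors, the following Python model reproduces its steps on constructed inputs. It is an added example, not IBM's code or part of the product: the function names and sample values are assumptions, and the error raised when nothing matches models standard CEL list indexing, not documented Verify behaviour.

```python
# Added illustration: Python model of the page's "amr" custom mapping rule.
# The factor-to-amr table is copied from the rule; all inputs are constructed.

AMR_BY_FACTOR = {
    "smsotp": "sms",
    "emailotp": "otp",
    "totp": "otp",
    "voiceotp": "tel",
    "fido2": "fido",
    "signatures_face": "face",
    "signatures_fingerprint": "fpt",
    "signatures": "pop",
    "signatures_userPresence": "pop",
    "behavioral_biometrics": "vbm",
    "password": "pwd",
}


def amr_claim(factors_completed, requested_amr):
    """Return the one-element list the rule produces, or raise LookupError
    where the rule's [0] would index an empty list (assumed CEL behaviour)."""
    # .map(item, item.split(",")).flatten(): entries may be comma-separated
    factors = [f for item in factors_completed for f in item.split(",")]
    # .map(f, ...): names without a mapping pass through unchanged
    mapped = [AMR_BY_FACTOR.get(f, f) for f in factors]
    # .filter(mapped, mapped in requestContext.claims_idtoken_amr)
    accepted = [m for m in mapped if m in requested_amr]
    if not accepted:
        raise LookupError(f"no completed factor maps to a requested amr: {mapped}")
    # [ ...[0] ]: the first match in completion order is the only one reported
    return [accepted[0]]


def explain(factors_completed, requested_amr):
    """Pre-deployment check: the claim value, or the reason the rule fails."""
    try:
        return amr_claim(factors_completed, requested_amr)
    except LookupError as exc:
        return str(exc)


if __name__ == "__main__":
    requested = ["fido", "otp", "sms", "pop"]  # constructed sample request
    print(explain(["password,totp"], requested))
    print(explain(["password"], requested))
    print(explain(["password, totp"], requested))  # stray space defeats the match
```

The last two calls show the cases to check in an access policy: a session that completed only a password, or a factor name that does not match a mapping exactly, leaves the rule with nothing to return.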