
I love the Azure AD login feature and can’t wait to start using this.

The Azure AD accounts at our company are enforced with MFA. This means that when we log in with our Azure AD account in any Office 365 application we must approve this request (just as we can do with the IAM users).

My question is: does this work when I switch the IAM users to Azure AD users? Can they log in with the Azure AD user/password and MFA approval?

And as a follow-up question: do the users need to approve the login with MFA every time they log in to the Software Factory application (Windows / Web / Universal), or can this be cached for some period?

MFA only works on Indicium Universal (using OpenID). Using the Universal GUI with Indicium Universal it's possible to cache the login. It's possible to switch the users from IAM users to Azure AD users; just make sure the users have authentication type "External" in IAM.

A detailed explanation can be found here: 

https://community.thinkwisesoftware.com/news-updates-21/sign-in-with-the-choice-is-yours-1446


Hi @efitskie 

In addition to Erwin’s comment I would like to mention a few things:

  • SSO and MFA with Azure AD work like a charm for the Universal GUI; we are about to go live with it after extended testing and waiting for some improvements from Thinkwise
  • As a correction to Erwin's answer: the caching of login details and the frequency of MFA do not depend on Thinkwise, since authentication is left to the external OpenID provider. This is entirely based on your Azure AD configuration for MFA and (optionally) the Conditional Access policies your organization uses
  • The blog Erwin is referring to is not entirely complete; the docs here are a better place to start: https://docs.thinkwisesoftware.com/docs/deployment/indicium.html#integrate-an-external-identity-provider-into-indicium
  • EDIT 13-07-2021: The docs are now up to date on the latest change since Indicium 2021.2.12/13 regarding setting a default identity provider
  • Be aware that each OpenID provider has its particularities. In order to get Azure AD working with Thinkwise you need to register an app in Azure AD and make sure to add 'email' as an optional claim type
  • Another piece of advice from the trenches: be aware that some very specific scenarios result in HTTP 500 screens after being redirected from Microsoft back to your application; make sure to check the Indicium log for clues
  • In order to set a user to Azure AD authentication, all you have to do is change the authentication type in IAM from IAM to External (make sure the email is correctly set in IAM)
  • Note that when you change from IAM to External, the existing password (and optionally TOTP registration information) of the user persists in the Thinkwise DB. I plan to raise an Idea soon to suggest this information is automatically deleted when changing from IAM to External (or any of the other authentication types for which it is not needed to store password info in Thinkwise). The great thing about OpenID is not only an improved user experience, but also improved security, as (different) user credentials no longer need to be stored in multiple application databases.
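The two configuration points above (the 'email' optional claim on the Azure AD app registration, and the IAM user set to External with a correct email) are the ones to verify when a redirect back from Microsoft does not land on a working session. The script below is an added diagnostic example, not code from Thinkwise or from this thread: it decodes the payload of an ID token the provider returned, checks that an 'email' claim is present, and looks the email up in a constructed, in-memory stand-in for the IAM user table. The field names `authentication_type` and `email` and the matching-by-email rule are assumptions made for illustration; Indicium's own user mapping and its token signature validation are not reproduced here, so treat this purely as a way to see which claims the provider actually issued.

```python
import base64
import json
from typing import Dict, Optional, Tuple

# Constructed stand-in for the IAM user table (not Thinkwise's schema).
IAM_USERS: Dict[str, Dict[str, Optional[str]]] = {
    "jdoe": {"authentication_type": "External", "email": "jdoe@example.com"},
    "asmith": {"authentication_type": "IAM", "email": "asmith@example.com"},
    "bnoemail": {"authentication_type": "External", "email": None},
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS/JWT.

    The signature is deliberately NOT verified here: this is a diagnostic
    aid for reading which claims the identity provider put in the token.
    Validation of the real token is the job of the application (Indicium).
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment compact token")
    return json.loads(_b64url_decode(parts[1]))


def check_external_login(claims: dict, iam_users: Dict[str, Dict[str, Optional[str]]]) -> Tuple[bool, str]:
    """Map the token's email claim to an IAM user and explain any failure."""
    email = claims.get("email")
    if not email:
        return False, "no 'email' claim in ID token: add 'email' as an optional claim on the Azure AD app registration"
    matches = [name for name, rec in iam_users.items()
               if (rec.get("email") or "").lower() == email.lower()]
    if not matches:
        return False, f"no IAM user with email {email}: check the email set on the user in IAM"
    name = matches[0]
    auth_type = iam_users[name]["authentication_type"]
    if auth_type != "External":
        return False, f"IAM user {name} has authentication type {auth_type}, expected External"
    return True, f"login maps to IAM user {name}"


def make_sample_token(payload: dict) -> str:
    """Build a constructed sample token for offline use.

    The header claims RS256 like a real Azure AD token, but the signature
    segment is a placeholder string: nothing here signs or verifies it.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    encode = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{encode(header)}.{encode(payload)}.placeholder-signature"


if __name__ == "__main__":
    for sample in (
        {"sub": "1", "name": "J Doe", "email": "JDoe@example.com"},
        {"sub": "2", "name": "No Email Claim"},
        {"sub": "3", "name": "A Smith", "email": "asmith@example.com"},
    ):
        ok, message = check_external_login(decode_id_token_claims(make_sample_token(sample)), IAM_USERS)
        print("OK " if ok else "FAIL", message)
```

Run it against a token captured from your own test tenant by replacing the constructed samples; the first message tells you whether the failure is on the Azure AD side (claim missing) or on the IAM side (email or authentication type).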
