Hitachi

JP1 Version 13 JP1/IT Desktop Management 2 Configuration Guide


2.12.2 Procedure for building a configuration system using IDaaS linkage (with the Microsoft Entra ID)

This section describes the procedure for building a configuration system with IDaaS linkage, using Microsoft Entra ID as the ID provider (IdP).

After completing the following Microsoft Entra ID configuration, change the authentication method to use the IdP. For details about the procedure for changing the authentication method, see 2.12.4 Procedure for changing authentication method.

Configuration for HTTPS connection to the operation window

When you use Microsoft Entra ID, you must configure the operation window of the management server to be accessed over an HTTPS connection.

For details about configuring the operation window for HTTPS connections, see 2.11.4 Procedure for connecting to operation window using HTTPS.

Use the following URL for the operation window: https://host-name-of-reverse-proxy-server:port-number/jp1itdm/jp1itdm.jsp

Important

The Remote Install Manager, the Packager, and the Network Access Control commands use HTTP communication with JP1/IT Desktop Management 2 - Manager. For this reason, the port number for HTTP communication with the management server (31080) must be permitted through the firewall.

Registering the Root Certificate

When using Microsoft Entra ID, you must register the following root CA certificates in the Java keystore of the PC where JP1/IT Desktop Management 2 - Manager is installed. After registering the certificates in the Java keystore, restart the JP1/IT Desktop Management 2 service.

If these certificates are not registered in the Java keystore, download the certificate files from Microsoft's Azure Certification Authority details site# and run the following command at the command prompt for each certificate:

JP1/IT Desktop Management 2 - Manager-installation-folder\mgr\uCPSB\jdk\jre\bin\keytool.exe -import -file path-of-the-certificate-file-to-import -alias unique-arbitrary-name -keystore JP1/IT Desktop Management 2 - Manager-installation-folder\mgr\uCPSB\jdk\jre\lib\security\cacerts

When the command is executed, you are prompted for the keystore password before the certificate is imported. Type the password. The default password is changeit.

#: https://learn.microsoft.com/ja-jp/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list
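The following PowerShell script is an added example, not part of the JP1 manual, that wraps the keytool command above so it can be run repeatably for several certificates: it verifies each downloaded file against the thumbprint published on Microsoft's CA details page, skips aliases that are already in the keystore, imports the rest, and restarts the manager service. The installation folder, certificate file names, thumbprints and the service name are placeholders that you must replace with your own values.

```powershell
# Added example (not from the JP1 manual): import Azure root CA certificates into the
# Java keystore of JP1/IT Desktop Management 2 - Manager, idempotently and with a
# thumbprint check before anything is trusted.
# Assumptions (placeholders to replace):
#   $MgrRoot  - installation folder of JP1/IT Desktop Management 2 - Manager
#   $Certs    - downloaded certificate files and the SHA-1 thumbprints shown on
#               Microsoft's Azure CA details page
#   service name passed to Restart-Service
$MgrRoot   = 'C:\Program Files\Hitachi\jp1itdmm'           # placeholder path
$Keytool   = Join-Path $MgrRoot 'mgr\uCPSB\jdk\jre\bin\keytool.exe'
$Keystore  = Join-Path $MgrRoot 'mgr\uCPSB\jdk\jre\lib\security\cacerts'
$StorePass = 'changeit'   # default keystore password; use your site's value if it was changed

# alias -> certificate file and expected thumbprint (both placeholders)
$Certs = @{
    'azure-root-placeholder-1' = @{ File = 'C:\certs\azure-root-1.crt'; Thumbprint = 'PLACEHOLDER-SHA1-THUMBPRINT' }
    'azure-root-placeholder-2' = @{ File = 'C:\certs\azure-root-2.crt'; Thumbprint = 'PLACEHOLDER-SHA1-THUMBPRINT' }
}

foreach ($alias in $Certs.Keys) {
    $file     = $Certs[$alias].File
    $expected = ($Certs[$alias].Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # Refuse to import a file whose thumbprint does not match the published one
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    if ($cert.Thumbprint -ne $expected) {
        Write-Error "Thumbprint mismatch for $file (got $($cert.Thumbprint)); not importing"
        continue
    }

    # keytool -list exits non-zero when the alias is absent, which makes the import idempotent
    & $Keytool -list -keystore $Keystore -storepass $StorePass -alias $alias *> $null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "$alias is already in the keystore; skipping"
        continue
    }

    # Same import as the manual's command, with the password passed non-interactively
    & $Keytool -importcert -noprompt -trustcacerts -file $file -alias $alias -keystore $Keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { Write-Error "Import of $alias failed" } else { Write-Host "Imported $alias" }
}

# The manual requires a restart of the JP1/IT Desktop Management 2 service after registering the keys
Restart-Service -Name 'JP1_ITDM2_SERVICE_NAME_PLACEHOLDER'
```

Run the script from an elevated PowerShell session on the management server. The thumbprint check is the step worth keeping even if you import by hand: a root CA added to cacerts is trusted for every outbound TLS connection the manager's JVM makes, so the file's origin should be confirmed before it goes in.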

Register apps to Microsoft Entra ID

Register the apps in Microsoft Entra ID and set the authentication information used to authenticate with them. The setting items and setting values are listed in the following table.

Register two apps: one for the authorization code flow and one for password authorization. Use the same values for both apps except for the app name.

The authorization code flow is used for authentication from the operation window, and password authentication is used for authentication from the Remote Install Manager, the Packager, and the Network Access Control commands.

Function               | Setting items                     | Setting values                                                                        | Default
-----------------------|-----------------------------------|---------------------------------------------------------------------------------------|---------------------------------------------------------
App Register           | Name                              | Enter any value                                                                       | --
App Register           | Supported Account Types           | Accounts that contain only this organizational directory                              | Accounts that contain only this organizational directory
App Register           | Platform-specific Selection       | Web                                                                                   | --
App Register           | Redirected URI                    | https://host-name-or-IP-address-of-reverse-proxy-server:port-number/jp1itdm/idaas.jsp | --
App Register           | Application (Client ID)           | Automatically generated value#1                                                       | --
Authentication         | Implicit Allowed and Hybrid Flows | ID tokens (used for implicit and hybrid flows)                                        | --
Certificate and Secret | Client secret > Description       | Enter any value                                                                       | --
Certificate and Secret | Client secret > Valid term        | Enter any value                                                                       | Recommended: 180 days (6 months)
Certificate and Secret | Client secret > Value             | Automatically generated value#2                                                       | --

Legend: --: Not applicable

#1: For the app for the authorization code flow, specify this value in the client secret parameter param.auth_code.client_secret in the IDaaS linkage configuration file (jdn_idaas_auth.conf). For the app for password authorization, specify this value in the parameter param.ropc.client_id.

#2: For the app for the authorization code flow, specify the obfuscated form of this value in the client secret parameter param.auth_code.client_secret in the IDaaS linkage configuration file (jdn_idaas_auth.conf). For the app for password authorization, specify the obfuscated form of this value in the parameter param.ropc.client_secret.
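The script below is an added example, not part of the JP1 manual, that audits the two app registrations against the table above using the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Applications module is assumed to be installed). It checks the supported account type, that the only Web redirect URI is the idaas.jsp URL on the reverse proxy, that ID token issuance is enabled, and how long each client secret has left before it expires. The app names and the reverse-proxy host are placeholders; the Graph property names (signInAudience, web.redirectUris, web.implicitGrantSettings, passwordCredentials) are those of the Graph application resource.

```powershell
# Added example (not from the JP1 manual): audit the Entra ID app registrations used
# for IDaaS linkage against the settings table. Assumes the Microsoft.Graph.Applications
# module; app names and proxy host are placeholders.
Connect-MgGraph -Scopes 'Application.Read.All'

$ProxyHost        = 'proxy.example.com:443'   # placeholder: reverse proxy host and port
$ExpectedRedirect = "https://$ProxyHost/jp1itdm/idaas.jsp"
$AppNames         = @('JP1-ITDM2-AuthCode', 'JP1-ITDM2-ROPC')   # placeholders
$SecretWarnDays   = 30   # warn when a client secret expires within this many days

foreach ($name in $AppNames) {
    $app = Get-MgApplication -Filter "displayName eq '$name'"
    if (-not $app) { Write-Warning "App '$name' not found"; continue }
    $findings = @()

    # "Accounts that contain only this organizational directory" is AzureADMyOrg in Graph
    if ($app.SignInAudience -ne 'AzureADMyOrg') {
        $findings += "signInAudience is '$($app.SignInAudience)', expected AzureADMyOrg"
    }

    # The table lists exactly one Web redirect URI; any extra URI is another place tokens can be sent
    $uris = @($app.Web.RedirectUris)
    if ($ExpectedRedirect -notin $uris) { $findings += "expected redirect URI $ExpectedRedirect is missing" }
    $extra = @($uris | Where-Object { $_ -ne $ExpectedRedirect })
    if ($extra.Count -gt 0) { $findings += "unexpected redirect URIs: $($extra -join ', ')" }

    # The table enables ID tokens only; implicit access tokens are not needed for this linkage
    if (-not $app.Web.ImplicitGrantSettings.EnableIdTokenIssuance) { $findings += "ID token issuance is disabled" }
    if ($app.Web.ImplicitGrantSettings.EnableAccessTokenIssuance) { $findings += "implicit access token issuance is enabled but not required" }

    # Client secrets: the linkage stops working when the secret expires, so report remaining days
    foreach ($cred in @($app.PasswordCredentials)) {
        if ($null -eq $cred.EndDateTime) { continue }
        $daysLeft = [int]($cred.EndDateTime - (Get-Date)).TotalDays
        if ($daysLeft -lt $SecretWarnDays) { $findings += "client secret '$($cred.DisplayName)' expires in $daysLeft days" }
    }

    if ($findings.Count -eq 0) { "${name}: OK" } else { "${name}:"; $findings | ForEach-Object { "  - $_" } }
}
```

Run it with an account that can read application registrations (Application.Read.All is sufficient; no write scope is needed). Because the table recommends a 180-day secret lifetime, scheduling this audit is a simple way to be reminded to rotate the values stored in jdn_idaas_auth.conf before the old secret lapses.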

Disable multi-factor authentication at the user level

Use the following procedure to disable multi-factor authentication (MFA) at the user level.

  1. Log in to the Microsoft Entra ID with the Microsoft user account.

  2. Open Users - All Users - MFA for each user.

  3. Select the users who work with JP1/IT Desktop Management 2.

  4. Select Disable MFA.

Create Conditional Access policies

To control multi-factor authentication at the app level, create Conditional Access policies for the app. This operation must be performed by an administrator with the Conditional Access Administrator role in Microsoft Entra ID.

Note

The apps for the Remote Install Manager, the Packager, and the Network Access Control commands do not require Conditional Access policies.

The setting items and setting values are listed in the following table.

Function                    | Setting items                           | Setting values                                                                                         | Default
----------------------------|-----------------------------------------|--------------------------------------------------------------------------------------------------------|--------------------------------------
Conditional Access policies | Name                                    | Enter any value                                                                                        | --
Conditional Access policies | User                                    | Select users who work with the JP1/IT Desktop Management 2                                             | None
Conditional Access policies | Target resource                         | Resources (formerly cloud apps)                                                                        | Resources (formerly cloud apps)
Conditional Access policies | Target resource > Target > Target       | Select resource                                                                                        | None
Conditional Access policies | Target resource > Target > Filter Edit  | None                                                                                                   | None
Conditional Access policies | Target resource > Target > Select       | The app name for JP1/IT Desktop Management 2#1 which you create in Register apps to Microsoft Entra ID | None
Conditional Access policies | Network                                 | Not configured                                                                                         | Not configured
Conditional Access policies | Condition                               | Not configured                                                                                         | Not configured
Conditional Access policies | Allowed                                 | Assigning Access                                                                                       | Assigning Access
Conditional Access policies | Allowed                                 | Set any authentication method                                                                          | --
Conditional Access policies | Allowed                                 | Set any value                                                                                          | Requires all of the selected controls
Conditional Access policies | Session                                 | Not configured#2                                                                                       | Not configured

Legend: --: Not applicable

#1: Specifies the name of the app that you register for the authorization code flow.

#2: The sign-in frequency is the maximum duration of the SSO session, not the session idle time.