Menu

β„Ή️ What is JBoss? What is JBoss Domain Management ? πŸ› ️ Install JBOSS-EAP 6.4 πŸ“œ Start & Stop JBOSS script. πŸš€ Application Deployment Methods - 1. πŸš€ Application Deployment Methods - 2. πŸš€ Application Deployment Methods - 3. ⚙️ Multiple Instance of JBoss EAP. πŸ” SSL on JBOSS EAP. 🧰 WINDOWS service for JBOSS EAP. πŸ› ️ JBoss EAP 7 - DOMAIN Installation. πŸš€ DOMAIN DEPLOYMENT - GUI MODE. πŸ” SSL on JBOSS 7.1 Admin console & Application. 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Issue SocketTimeoutException 🧰 JBoss-Remote JMX Connection (jvisualvm) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🧯 Out of space in CodeCache 🧯 java.sql.SQLRecoverableException: Closed Connection 🧯 sun.security.provider.certpath.SunCertPathBuilderException πŸ“ˆ JBOSS EAP 6 TO 7 Migration πŸ” Host Header injection on JBOSS EAP 7.2 πŸ” Encrypting Datasource Passwords using Vault in JBOSS
β„Ή️ Some useful links of IBM. πŸ› ️ WAS Installation using command line. πŸ› ️ Installing Suppliments (IHS/Plugins/WCT) command line. πŸ› ️ Uninstalling Suppliments (IHS/Plugins/WCT) command line. πŸ“ˆ Installing fix-pack using command line. β„Ή️ Profiles in WebSphere® Application Server ND. πŸ“œ WebSphere Profiles list & Basics Commands πŸ› ️ Commands for Custom / Application server / Dmgr Profiles πŸ› ️ Creating WAS-ND Cluster using GUI MODE. πŸš€ Application Deployment on WAS-ND - Cluster Env. πŸ“œ Analyze - JVM logs. 🧰 What is MustGather script ? 🧯 PsList to troubleshoot high CPU usage in Windows πŸ› ️ WebSphere App Server - Updating ports in existing profiles πŸ› ️ Installation Manager (IM) on non-default location πŸ› ️ Websphere Base or ND Installation using Command πŸ“ˆ Install or Update FIXPACK on WebSphere 8.5.+ πŸ› ️ Install SDK 8.0 on Websphere 8.5.5.9+ using Command method. πŸ› ️ How to Create a Clone of any profiles on WAS. πŸ› ️ Installation Manager (IM) on non-Administrator user. πŸ› ️ WebSphere Application Server 7.0.0.X & FIXPACK install / Update on the non-default location. πŸ“ˆ WebSphere ND Migration 7.0 to 8.0 / 9.0 πŸ› ️ IBM WebSphere 9.0.0.0 and IHS (IBM HTTP SERVR) Installation with Fixapck using Command Line (non-root) user
πŸ› ️ Configure IHS (IBM HTTP Server) with WAS 8.5.X.X. πŸ› ️ Multiple IHS in front of WAS (On Single Install). πŸ“Š Monitor IBM HTTP Server connections. πŸ” Self-signed Cert using ikeyman tool. πŸ” Self-Signed Cert using command line. πŸ” Decrypt Stash File.
🌐 Apache HTTP Server β„Ή️ HTTP STATUS CODES πŸ“œ Apache Rewrite Rules πŸ› ️ How to configure Apache MPM. πŸ› ️ Install Apache HTTP Server 2.4.27 ver. on LINUX πŸ› ️ Apache Tomcat - 9.0.0.M21 Installation on WIN 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Apache error : Server ran out of threads to serve requests (Windows) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🌐 Redirect traffic during maintenance 🧯 httpd (Apache) Error: systemd-tty-ask-password-agent tool! πŸ” SSL certificate supports Weak Ciphers πŸ” How to install opensource mod_security on Apache 2.4 πŸ“ˆ How to upgrade opensource apache from 2.4.39 to 2.4.46 (Minor Version Upgrade). πŸ› ️ What is Nginx & How to install on RHEL πŸ› ️ Install Nginx plus on RHEL 7.4 / UNIX πŸ“Š Monitor Apache httpd process/thread status πŸ“Š Monitor Apache httpd ModJK status πŸ“Š Monitor Apache httpd Proxy balancer-manager status πŸ“Š Monitoring of JBoss servers through Nagios.
πŸ›‘️ Tomcat ghostcat vulnerability (JBoss /Tomcat) πŸ›‘️ SSL certificate supports Weak Ciphers/Encoding (3DES) (Apache 2.4) πŸ›‘️ SSL Medium Strength Cipher Suites Supported (SWEET32) [Tomcat Server] πŸ›‘️ ETag vulnerability & X-Powered-By : jsp/2.2 πŸ›‘️ Missing Security Header(x-xss-protection) & Clickjacking πŸ›‘️ Disable HTTP TRACE / TRACK / OPTIONS/DELETE Method. πŸ›‘️ Information disclosure through server response headers Apache-Coyote & X-Powered-By (JBoss) πŸ›‘️ Local File Inclusion Vulnerabilities OR Directory traversal attack πŸ›‘️ HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Restrict application Accessible by IP Address & HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Disable/Remove Server: Apache header info version (Apache2.4) πŸ” TLS1.2 Protocol enable for IBM WebSphere with SSL Handshake Debug
🌩️ How I Cleared My AZ-900 Microsoft Azure Fundamentals Exam 🌐🧱 Enterprise Network Architecture — Akamai, DNS, WAF, DMZ, SSL & Firewall Flow Explained for Middleware & DevOps Engineers 🌩️ AZ-104 Microsoft Azure Administrator 🌩️ Cloud Computing Basics
⚙️ DevOps vs DevSecOps Explained:Learning Path for Beginners πŸ’» Top 100+ Linux Commands for Middleware & DevOps Engineers 🐧 Linux Shell Scripting for Beginners – Complete Tutorial Series πŸ” Preparing WinRM on Windows Server over HTTPS for Automation (5986) πŸ” WAS Service Restart Using WinRM over HTTPS (5986) on Azure DevOps
☕ how-to-manually-install-new-java-path ☕ SunCertPathBuilderException ☕ out of space in CodeCache for adapters ☕ What is GC , Heap Memory & Metaspace ? ☕ Types of GC , analyze GC logging and REDHAT JVM Tool. πŸ§ͺ How to make datasource test-connection to Oracle / PostgreSql / MSSQL DB Instance.. πŸ§ͺ How to make datasource test-connection to MSSQL DB Instance πŸ§ͺ How to make datasource test-connection to Postgresql DB Instance πŸ§ͺ How to make datasource test-connection to Oracle DB Instance πŸ§ͺ How to Check DB latency using Datasource Test-Connection ☕ Install a new java path to the alternatives 🧰 Xmanager and Set Display. πŸ› ️ Install LAMP on SUSE Linux with example
πŸ” Openssl Commands for Wildcard & SAN certificates. πŸ” What is SSL, What is One-Way SSL & Two-Way SSL? πŸ” Openssl Self-Signed SAN's certificate πŸ” SSL certificate supports Weak Ciphers πŸ” Some SSL issues (Client TLS1.2 , Truststore & SSL debug) with Solutions πŸ” TLS / SSL Certificate Lifetimes Reduced to 47 Days. πŸ” SSL Certificate Renewal on Akamai WAF and Its Impact on Applications. ✨ Worked on VMC SSL Today – A Simple Explanation for Everyone πŸ“ŒWebSphere Outbound SSL & SNI – Troubleshooting Guide
🏒 Enterprise Authentication & Identity Security Series πŸ” Part 1 - What is Authentication? πŸ†” Part 2 - Sessions, Cookies & JSESSIONID ⚖️ Part 3 - Stateful vs Stateless Applications 🎫 Part 4 - JWT (JSON Web Token) & Token-Based Authentication πŸ“Š Part 5 - JWT vs Session vs Cookies Explained πŸšͺ Part 6 - API Authentication & API Gateway Security πŸ”„ Part 7 - OAuth2, OIDC & SAML Explained ☁️ Part 8 - SSO (Single Sign-On), MFA & Microsoft Entra ID 🟦 Part 9 - WebSphere LTPA, Sticky Sessions & Session Replication πŸ›‘️ Part 10 - Zero Trust Security & Authentication Risks
Showing posts with label Multi-Factor Authentication. Show all posts
Showing posts with label Multi-Factor Authentication. Show all posts

15 Jun 2026

🧩 SSO , MFA (Multi-Factor Authentication) & Microsoft Entra ID Authentication Explained - Part 8

SSO (Single Sign-On), MFA (Multi-Factor Authentication) & Microsoft Entra ID Authentication Explained
  • Welcome to Part 8 of the Authentication & Identity Security series.
  • This article explains SSO (Single Sign-On), MFA (Multi-Factor Authentication), and Microsoft Entra ID authentication.
  • Designed for Middleware, DevOps, Cloud, Security, and Application Support Engineers.
  • Includes enterprise examples using Microsoft Entra ID, SSO (Single Sign-On), MFA (Multi-Factor Authentication), Conditional Access, OIDC (OpenID Connect), SAML (Security Assertion Markup Language), and application integration.

Table of Contents

Introduction

In Part 7, we learned about OAuth2, OpenID Connect (OIDC), and SAML. These protocols are commonly used by enterprise identity platforms to provide secure application login and API access.

In this article, we will understand three important enterprise identity concepts: SSO (Single Sign-On), MFA (Multi-Factor Authentication), and Microsoft Entra ID (formerly Azure Active Directory).

Simple Understanding:
SSO (Single Sign-On) allows users to login once and access multiple applications. MFA (Multi-Factor Authentication) adds an extra verification step. Microsoft Entra ID is Microsoft's cloud identity platform that provides SSO, MFA, Conditional Access, and identity governance.

Common Terms Used in This Article

Abbreviation Full Form / Meaning
SSOSingle Sign-On
MFAMulti-Factor Authentication
Microsoft Entra IDFormerly Azure Active Directory
IAMIdentity and Access Management
OIDCOpenID Connect
OAuth2Open Authorization 2.0
SAMLSecurity Assertion Markup Language
JWTJSON Web Token
ADFSActive Directory Federation Services
APIApplication Programming Interface

What is SSO (Single Sign-On)?

SSO stands for Single Sign-On.

SSO allows users to authenticate once and access multiple applications without entering credentials again for every application.

SSO Flow

User
  │
  ▼
Identity Provider
(Azure Entra ID / Okta / ADFS)
  │
  ▼
Authentication Successful
  │
  ▼
Access Multiple Applications

Enterprise Example

User logs in once to Microsoft Entra ID
        │
        ├── Microsoft 365
        ├── ServiceNow
        ├── HR Portal
        ├── Azure Portal
        └── Internal Web Application

Benefits of SSO

  • Users remember fewer passwords.
  • Centralized authentication management.
  • Improved user experience.
  • Reduced password reset tickets.
  • Better audit and access control.

What is MFA (Multi-Factor Authentication)?

MFA stands for Multi-Factor Authentication.

MFA requires users to verify their identity using more than one factor.

Common MFA Factors

Factor Example
Something you know Password or PIN
Something you have Mobile phone, authenticator app, hardware token
Something you are Biometric verification

MFA Flow

User enters password
      │
      ▼
Password verified
      │
      ▼
MFA challenge
      │
      ▼
Authenticator App / SMS / Push Approval
      │
      ▼
Access granted
Security View:
MFA protects accounts even if the user's password is compromised.

What is Microsoft Entra ID (formerly Azure Active Directory)?

Azure Entra ID, now known as Microsoft Entra ID, is Microsoft's cloud-based identity and access management platform.

It helps organizations manage users, groups, applications, authentication, SSO, MFA, Conditional Access, and identity security.

Microsoft Entra ID Provides

  • User and group management
  • Single Sign-On
  • Multi-Factor Authentication
  • Conditional Access
  • Application registrations
  • Enterprise application integration
  • OAuth2 (Open Authorization 2.0), OIDC (OpenID Connect), and SAML (Security Assertion Markup Language) support
  • Access reviews and identity governance

Enterprise Authentication Flow

User Browser
      │
      ▼
Enterprise Application
      │
      ▼
Microsoft Entra ID
      │
      ▼
Password Authentication
      │
      ▼
MFA / Conditional Access
      │
      ▼
Token or SAML Assertion Issued
      │
      ▼
Application Access Granted

In this flow, the application does not directly validate the user's password. Instead, it redirects the user to Microsoft Entra ID, which performs authentication and returns a token or SAML assertion.

SSO Protocols: OIDC (OpenID Connect) and SAML (Security Assertion Markup Language)

SSO can be implemented using different protocols depending on the application type.

Application Type Recommended Protocol
Modern web application OIDC
REST API access OAuth2
Legacy enterprise web application SAML
Mobile application OIDC with PKCE
Partner federation SAML or OIDC

Conditional Access

Conditional Access is a policy-based security feature in Microsoft Entra ID. It evaluates conditions before allowing access.

Common Conditions

  • User or group
  • Application being accessed
  • Device compliance
  • Location or country
  • Sign-in risk
  • Client application type

Common Controls

  • Require MFA
  • Block access
  • Require compliant device
  • Require password change
  • Grant access only from trusted locations
User Login
   │
   ▼
Conditional Access Policy Check
   │
   ├── Trusted Device? 
   ├── Trusted Location?
   ├── MFA Required?
   │
   ▼
Access Allowed or Blocked
Example:
Require MFA when users access Azure Portal from outside the corporate network.

How to Setup SSO (Single Sign-On) and MFA (Multi-Factor Authentication) in Microsoft Entra ID

Example 1: Setup SSO for an Enterprise Application

  1. Login to Microsoft Entra Admin Center.
  2. Go to Enterprise applications.
  3. Select or create the application.
  4. Open Single sign-on.
  5. Choose protocol: SAML or OIDC depending on application support.
  6. Configure Identifier, Reply URL, Redirect URI, or metadata.
  7. Configure user attributes and claims.
  8. Assign users or groups to the application.
  9. Test SSO login.

Example 2: Enable MFA

  1. Go to Microsoft Entra Admin Center.
  2. Open Protection or Conditional Access.
  3. Create a new Conditional Access policy.
  4. Select target users or groups.
  5. Select target application.
  6. Under Grant controls, choose Require multifactor authentication.
  7. Enable policy in report-only mode first.
  8. Review sign-in logs and then enforce the policy.

Example Conditional Access Policy

Policy Name  : Require MFA for Azure Portal
Users        : Cloud Admins
Application  : Microsoft Azure Management
Condition    : Any location
Control      : Require MFA
Status       : Enabled
Production Tip:
Always test Conditional Access policies with pilot users before enabling them for all users. Keep at least one emergency break-glass account excluded from restrictive policies.

Middleware Application Integration Example

Modern OIDC (OpenID Connect) Application

User Browser
      │
      ▼
NGINX / Load Balancer
      │
      ▼
Application
      │
      ▼
Microsoft Entra ID
      │
      ▼
ID Token + Access Token
      │
      ▼
Application Session Created

Legacy SAML (Security Assertion Markup Language) Application

User Browser
      │
      ▼
IBM HTTP Server / Reverse Proxy
      │
      ▼
Legacy Enterprise Application
      │
      ▼
Microsoft Entra ID / ADFS
      │
      ▼
SAML Assertion
      │
      ▼
Application Access Granted

API (Application Programming Interface) Access with OAuth2 (Open Authorization 2.0)

Client Application
        │
        ▼
Microsoft Entra ID
        │
        ▼
Access Token
        │
        ▼
Azure API Management / API Gateway
        │
        ▼
Backend API

Middleware and DevOps teams often support these integrations by configuring reverse proxies, SSL certificates, redirect URLs, headers, application endpoints, load balancers, and logs.

SSO (Single Sign-On) vs MFA (Multi-Factor Authentication) vs Microsoft Entra ID

Concept Meaning Purpose
SSO (Single Sign-On) Login once and access multiple applications Login once and access multiple applications
MFA (Multi-Factor Authentication) Add extra verification during login Add extra verification during login
Microsoft Entra ID Cloud identity platform Provides SSO, MFA, Conditional Access, app integration
Conditional Access Policy-based access control Allow, block, or require MFA based on conditions

Common Issues

Issue Possible Cause
SSO login loop Cookie, redirect URI, or session issue
Invalid redirect URI Application URL mismatch in Entra ID
MFA prompt not appearing Conditional Access policy not applied
User cannot access application User not assigned to enterprise application
SAML assertion failed Certificate, metadata, NameID, or claim mismatch
Token validation failed Invalid issuer, audience, expiry, or signing key
Access blocked unexpectedly Conditional Access location/device/risk condition

Best Practices

  • Use SSO for enterprise applications to centralize authentication.
  • Enable MFA for privileged users and high-risk applications.
  • Use Conditional Access instead of enabling MFA blindly for everyone.
  • Use OIDC for modern applications and SAML for legacy applications when required.
  • Assign applications to groups instead of individual users.
  • Monitor sign-in logs and audit logs regularly.
  • Keep redirect URIs and reply URLs strict.
  • Rotate SAML certificates and application secrets before expiry.
  • Maintain break-glass emergency accounts.
  • Document application integration details for support teams.

Key Takeaways

  • SSO (Single Sign-On) allows users to login once and access multiple applications.
  • MFA (Multi-Factor Authentication) adds an extra verification layer beyond passwords.
  • Microsoft Entra ID was formerly known as Azure Active Directory.
  • SSO improves user experience and centralizes login.
  • MFA improves security by adding an extra verification step.
  • Conditional Access controls when and how access is granted.
  • Microsoft Entra ID supports OAuth2, OIDC, and SAML integrations.
  • Middleware teams should understand redirect URI, certificates, claims, headers, and logs for troubleshooting.

What’s Next?

Next Article:
Part 9 – WebSphere LTPA, Sticky Sessions & Session Replication

In the next article, we will understand WebSphere LTPA, sticky sessions, session affinity, and session replication in traditional enterprise middleware environments.

Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog: MiddlewareBox.com

Posted by: No comments:
Tags: , , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)