Pulse Secure is currently using an RSA Authentication Server. We are moving to Microsoft MFA so that users get seamless single sign-on, just like any other Office 365 application. When you have multiple groups, it is straightforward to use Azure AD group object IDs to associate different VPN profiles with different sets of users.
Create an Enterprise Application in Azure AD and choose Pulse Secure VPN.
Configure SAML Single Sign-On.
Entity ID – https://connect.azure365pro.com/dana-na/auth/saml-endpoint.cgi?p=sp1
Reply URL – https://connect.azure365pro.com/dana-na/auth/saml-consumer.cgi
Sign on URL – https://connect.azure365pro.com/vpn
As we will be passing multiple groups via SAML, add a Group Claim under Attributes and Claims.
Assign the appropriate groups under Users and Groups.
Now we need to configure three things on the Pulse Secure side:
- Auth Server
- Realm
- Sign-in page with the realm we are using
Adding Auth Server –
https://connect.azure365pro.com/dana-na/auth/saml-endpoint.cgi?p=sp1
Uploading the metadata XML should populate this information.
If you are planning to use passwordless, it is recommended to keep AuthRequest empty (remove Password from AuthRequest).
Otherwise, passwordless users may see this error:
AADSTS75011: Authentication method ‘X509, MultiFactor’ by which the user authenticated with the service doesn’t match the requested authentication method ‘Password’ Contact the VPN application owner.
As per Microsoft: “RequestedAuthnContext is an optional value. Then, if possible, ask the application if it could be removed.”
Add different expressions for different roles, for example:
samlMultiValAttr@AZURE-MS.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/groups} = ('419f62ec-3c45-43b0-a95c-3819cad32b00')
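The two SAML details above (the multi-valued group claim that the role-mapping expression matches on, and the RequestedAuthnContext that breaks passwordless sign-in) can be checked offline against captured XML. The following is an added example, not code from the original post or from Pulse Secure: it reads the group object IDs out of a constructed assertion, applies group-to-role rules in the spirit of the expression above (the second group ID and the role names are assumed placeholders), and flags an AuthnRequest that pins the method to Password.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Azure AD group object id -> VPN role. The first id is the one used in the
# post's expression; the second id and both role names are constructed.
ROLE_RULES = {
    "419f62ec-3c45-43b0-a95c-3819cad32b00": "Users",
    "00000000-0000-4000-8000-000000000001": "Admins",
}

# Constructed assertion: a user who is in the post's group plus one unmapped group.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUP_CLAIM}">
      <saml:AttributeValue>419f62ec-3c45-43b0-a95c-3819cad32b00</saml:AttributeValue>
      <saml:AttributeValue>11111111-2222-4333-8444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed AuthnRequest that still carries the Password context the post says to remove.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def group_ids(assertion_xml: str) -> list[str]:
    """Return every value of the multi-valued groups attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    path = f".//saml:Attribute[@Name='{GROUP_CLAIM}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(path, NS) if v.text]

def map_roles(assertion_xml: str) -> list[str]:
    """Evaluate the group-to-role rules; a user may land in several roles."""
    ids = set(group_ids(assertion_xml))
    return sorted(role for gid, role in ROLE_RULES.items() if gid in ids)

def requests_password_context(authn_request_xml: str) -> bool:
    """True if the AuthnRequest pins the method to Password (the AADSTS75011 trigger)."""
    root = ET.fromstring(authn_request_xml)
    ctx = root.find("samlp:RequestedAuthnContext", NS)
    if ctx is None:
        return False  # no RequestedAuthnContext: what the post recommends
    refs = ctx.findall("saml:AuthnContextClassRef", NS)
    return any("Password" in (r.text or "") for r in refs)
```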
Create a new sign-in page with the newly created realm.
Now the new sign-in page will redirect directly to the Microsoft Azure AD page. You can apply a Conditional Access policy to require multi-factor authentication and set the sign-in frequency to 24 hours if you wish users to re-authenticate.
To use Conditional Access you will need Azure AD Premium P1 or P2 licensing to stay compliant.