1Kosmos as an External Authentication Method for Microsoft Entra ID
Video Transcript
Rob:
Okay. Sheetal, I do believe we are live.
Hi everybody. Welcome to our latest IBA Friday. I am Rob. And as always, I am joined by Sheetal. Sheetal, how are you today?
Sheetal:
I'm very well. How are you?
Rob:
I'm doing good.
Sheetal:
Having an awesome summer?
Rob:
Good week this week. Kids are back to school, yes?
Sheetal:
Yes. Good day.
Rob:
Awesome. Happy days are here again. Okay. So Sheetal today I want to introduce everybody to what we're going to be doing here with IBA Friday. Over the next couple of weeks, Microsoft has recently released a new feature in Entra ID, and it's called an external authentication method. So that feature is to allow more customers to expand their use of companies like 1Kosmos, to use our identity-based authentication and passwordless capabilities in far more Microsoft environments while maintaining their conditional access policies, which I think you're going to cover here in a little bit.
But enabling us, 1Kosmos, as an external authentication method allows organizations to obviously seamlessly protect Microsoft Resources in addition to those platforms that fall outside of the Microsoft coverage. So you get more of a consistent authentication experience across the board. Now, as an EAM, that doesn't mean you necessarily need to replace all of the Microsoft MFA capabilities, but it gives organizations an option to now use other methods to go in and actually authenticate users.
So as part of that, the next number of IBA Fridays, we're going to talk about different use cases where you can leverage 1Kosmos in conjunction with Entra ID to bring together a better-together story. Microsoft Entra ID is good, but when you add 1Kosmos, it becomes better, right? Because there's so many more things you can do. So in that vein, and with the new external authentication method and that new functionality that Microsoft has kind of brought to the table, tell me a little bit about that, Sheetal, and what that means, and what kind of organizations can, and how they would go about, taking advantage of this new capability that Microsoft is offering?
Sheetal:
Yeah, yeah, absolutely. So some of our largest customers today use Entra ID, use ADFS as their primary identity provider, and they're using that for access to different applications. And of course in that whole ecosystem, how can 1Kosmos participate, right? There's already an IDP, what is 1Kosmos really doing there in that particular picture? The other core concept that Entra ID provides, and I think one of the most loved features from Entra ID is of course the conditional access. So conditional access is Microsoft's framework or engine that sort of combines different signals based on a user's identity or device risk, and it is able to provide decisions whether somebody should be given access or not. So that's a powerful decisioning engine that's sitting behind Entra ID right there.
Now, in this whole ecosystem, what has happened is that a lot of customers, when they were first on ADFS, did have other authentication providers like 1Kosmos, right? And our customers sort of love us for a particular reason, because we are able to bring passwordless, phishing-resistant MFA into the picture. In this particular ecosystem, with the introduction of external authentication methods, what it allows a customer to do is to leverage your existing username and password validation from Entra ID, but really go ahead and transition to another provider for any kind of passwordless or phishing-resistant MFA, right? So this is what external authentication methods is all about: how a customer can leverage an existing authentication provider in the mix.
So the end user experience is going to be that your user comes in, they can authenticate with username and password, but at that time it's going to say, let's go ahead and use 1Kosmos. So the user is able to receive a push notification, provide device biometrics, and then authenticate. So this feature is typically designed for any customer who's currently on ADFS looking to migrate to Entra ID, but does not really want to disrupt the end user experience. So for anyone who's already been using 1Kosmos for a really long time, if you want to continue using our best features, external authentication methods is going to provide us that way forward.
The other thing that we are able to bring into the picture for a customer who's strong on the Microsoft ecosystem is the fact that we can bring identity into the mix. Which means that, let's say you have a set of privileged users who really need the highest level of assurance. So this set of users would first be authenticating with username and password with Entra ID. But after that, when it comes to 1Kosmos, they would leverage our authenticator to authenticate the user with a live face or just with strong device biometrics. And these are capabilities which are not natively present with many of the other authenticators in the market. So when you do this, you are truly able to stay in your Microsoft ecosystem, but leverage the best of 1Kosmos capabilities when it comes to device biometrics.
So that's really what we've learned with how this ecosystem helps us play really well with Entra ID, and this partnership's going to take us far.
Rob:
Yeah, for sure. So I've got the demo video today, Sheetal. So why don't we just kind of quickly walk through how to set this up and then what that user experience looks like for an end user and for an admin for that matter. So let me go ahead and share my screen. Let me know if you can see that, Sheetal.
Sheetal:
Yes, I can see that.
Rob:
I'm assuming everybody else can then, right?
Sheetal:
Yes, they can.
Rob:
Awesome. Okay. So what you're looking at right now is basically the control plane, so the Entra ID management console, and there's three things that we need to enter in to make this work. And those three things, let me just kind of scan through here really quickly, are the client ID, the discovery endpoint and the app ID. So once we have those three things put together, or those three things entered, we can then go about sending a user off to do authentication with 1Kosmos as an external authentication method. And in this case, what I'm going to show is Office 365, or Microsoft 365, they changed the name.
So I'm going to quickly hit play here, and the client ID and the discovery endpoint are actually found in our AdminX control plane. So you're going to go in and you're going to grab both of those from these areas. So here under the add application, we're going to grab the client ID. We're then going to paste that back into Entra, and then I'll just skip forward here. Here we're looking at the authentication server in the AdminX control plane for 1Kosmos. I want to copy that. We're going to paste that into the discovery endpoint. And the app ID is actually from Entra itself. And here admins are going to go into the Entra control plane. They're going to go down and select the application ID, which is found under the Entra ID settings and the app registration.
So once that's done, and those are all kind of placed in here, I'm just going to skip forward because we don't want to spend too much time on all this. This video's going to be available on our website soon. The next thing we want to do is set up, well, how is the user going to authenticate once they put in their user? So once they get redirected to 1Kosmos, what's that authentication experience look like? So in this case, we're just going to put the user through an authentication using our 1Kosmos BlockID app, and with the 1Kosmos BlockID app, we're going to go into the multifactor authentication settings, passwordless login, and then select how we want the user to authenticate. And in this case, because we're using the app, we can then use the device-based biometric, the Face ID and/or Touch ID, whichever one is available. We can do a PIN or we can do our LiveID if you want, but we're just going to do face and touch.
So I'm going to skip this because I put it backwards. So now when we go to sign in, it's the same process. So the user's going to click sign in, they're going to enter in their email address, they're then going to enter in their password. And then Entra is going to be like, oh, okay, well, the authentication is going to take place now with 1Kosmos, so it's going to redirect to 1Kosmos. And the user's going to get a QR code. They're going to open up the app, which you see here on the right. They're going to scan that QR code with the app, give us their Face ID, and they're in.
There's not a lot to it, right? It's pretty straightforward. It's pretty quick, pretty simple, even from an administration standpoint. And from a user experience standpoint and a security standpoint, because we're using the biometric, you have a fairly high level of assurance for that user that's actually authenticating into your Microsoft environment, right?
Sheetal:
Absolutely right. Yep.
Rob:
Cool. So with that, Sheetal, that's what we want to kind of show today, right?
Sheetal:
Yep.
Rob:
So our next IBA Friday, we're going to get into a couple of different use cases. We're going to talk about self-service password reset. We're going to talk about self-service onboarding. We're going to talk about verified identities, how you can extend passwordless into other areas of the business that fall outside of the Microsoft coverage and a bunch of other stuff. So stay tuned. You'll see additional posts from us about when our next IBA Friday is, so keep an eye open and we look forward to seeing you on the next one. Sheetal, thanks again.
Sheetal:
Thank you.
Rob:
And we'll talk to everybody again very soon.