Microsoft Entra ID - OIDC
Learn how to set up OpenID Connect (OIDC) Single Sign-On (SSO) using Microsoft Entra ID (Azure AD), with step-by-step instructions for application registration.
Step-by-step guide to configure Single Sign-On with Microsoft Entra ID using OpenID Connect
This guide walks you through configuring Microsoft Entra ID as your OIDC identity provider for the application you are onboarding, enabling secure Single Sign-On for your users. You’ll learn how to register an application, configure OIDC settings, obtain client credentials, and assign users to the application. By following these steps, your users will be able to seamlessly authenticate using their Microsoft Entra ID credentials.
1. Get the redirect URI
Sign into the SSO Configuration Portal, select Microsoft Entra ID, then OIDC, and click on Configure.
Under Service Provider Details, copy the Redirect URI. You’ll need this when registering your application in Azure.
2. Register the application
Log in to Microsoft Entra ID in the Microsoft Azure Portal. Select the option for Entra ID application and locate the App registrations tab.
Click on New registration at the top of the page.
Give your application a name and configure the settings. For Redirect URI, select Web and paste the URI you copied in step 1. Click on Register.
3. Get the client credentials
After registration, copy the Application (client) ID from the application’s Overview page.
Navigate to Certificates & secrets under Manage in the left sidebar.
Click on New client secret. Add a description and select an expiration period, then click Add.
Copy the Value of the client secret. It is shown only once, immediately after creation, so store it securely and note the expiration period you chose so the secret can be rotated before it lapses.
4. Get the issuer URL
Navigate to Endpoints in the application overview or find it in the left menu. Copy the OpenID Connect metadata document URL or the Authority URL.
The issuer URL typically follows this format:
https://login.microsoftonline.com/{tenant-id}/v2.0
5. Configure API permissions (optional)
Go to API permissions under Manage and click on Add a permission. Select Microsoft Graph, then Delegated permissions.
Search for and add the following permissions:
- email
- profile
- openid
Click on Add permissions at the bottom.
6. Configure token claims (optional)
Go to Token configuration under Manage. Click on Add groups claim if you need group information in the token.
To add optional claims like email, given_name, and family_name, click Add optional claim.
7. Assign users and groups
Go to the Users and groups tab, and click on Add user/group.
Select all the users or user groups that need login access to this application via Single Sign-On.
8. Configure the SSO Portal
Back in the SSO Configuration Portal, under Identity Provider Configuration, enter the Client ID, Client Secret, and Issuer URL copied from the previous steps.
9. Test the connection
Click on Test Connection. If everything is done correctly, you will see a Success response as shown below.
If the connection fails, you’ll see an error, the reason for the error, and a way to solve that error right on the screen.
10. Enable the connection
Click on Enable Connection. This lets all your selected users log in to the new application via your Microsoft Entra ID OIDC SSO.
With this, we are done configuring your Microsoft Entra ID application for an OIDC SSO login setup.
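The steps above produce three values the application relies on: the issuer URL, the Application (client) ID, and the optional claims you enabled under Token configuration. The Python script below is an added example, not part of this guide or the SSO Configuration Portal, showing the checks a relying party should make with those values: deriving the OIDC discovery URL from the issuer, confirming the discovery document names the same issuer and advertises HTTPS endpoints and the openid/profile/email scopes, and validating an ID token's iss, aud, tid, exp and nbf claims plus the optional claims. The tenant ID, client ID, discovery document and token are constructed placeholders (the discovery document follows the shape Entra ID serves, but the values are made up), and the token carries a placeholder signature; signature verification against the document's jwks_uri is done by your OIDC library and is deliberately not reimplemented here.

```python
"""Added example: offline sanity checks for an Entra ID OIDC relying party.
All IDs, the discovery document and the token below are constructed samples."""
import base64
import json
import time
from urllib.parse import urlparse

# Constructed placeholders, not a real tenant or app registration.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ISSUED_AT = 1_700_000_000  # fixed timestamp so the sample is deterministic


def issuer_url(tenant_id):
    """Build the v2.0 issuer URL in the format the guide shows."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def discovery_url(issuer):
    """OIDC Discovery serves metadata at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery_document(doc, expected_issuer):
    """Return the problems found in a discovery document (empty list means OK)."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    for scope in ("openid", "profile", "email"):
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not advertised")
    return problems


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Base64url-decode the payload segment of a JWT (signature is NOT checked here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token_claims(claims, expected_issuer, client_id, tenant_id, now=None,
                          required=("email", "given_name", "family_name")):
    """Validate the claims an Entra ID v2.0 ID token must carry for this app."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss does not match the configured issuer URL")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain our Application (client) ID")
    if claims.get("tid") != tenant_id:
        problems.append("tid is not our tenant")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid")
    for name in required:  # the optional claims enabled under Token configuration
        if not claims.get(name):
            problems.append(f"optional claim {name!r} not present; add it under Token configuration")
    return problems


# Constructed discovery document in the shape Entra ID serves (sample values only).
SAMPLE_DISCOVERY = {
    "issuer": issuer_url(TENANT_ID),
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

SAMPLE_CLAIMS = {
    "iss": issuer_url(TENANT_ID), "aud": CLIENT_ID, "tid": TENANT_ID, "sub": "sample-subject",
    "iat": ISSUED_AT, "nbf": ISSUED_AT, "exp": ISSUED_AT + 3600,
    "email": "user@example.com", "given_name": "Sample", "family_name": "User",
}


def make_sample_id_token(claims):
    """Assemble a JWT-shaped string with a placeholder signature (constructed sample)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


SAMPLE_ID_TOKEN = make_sample_id_token(SAMPLE_CLAIMS)


def run_checks(now=ISSUED_AT + 60):
    """Run both checks over the constructed samples; returns (discovery, token) problem lists."""
    issuer = issuer_url(TENANT_ID)
    claims = decode_jwt_payload(SAMPLE_ID_TOKEN)
    return (check_discovery_document(SAMPLE_DISCOVERY, issuer),
            check_id_token_claims(claims, issuer, CLIENT_ID, TENANT_ID, now=now))


if __name__ == "__main__":
    print("discovery URL:", discovery_url(issuer_url(TENANT_ID)))
    for problems in run_checks():
        print("OK" if not problems else "\n".join(problems))
```

The issuer comparison is the check that matters most: the tenant-specific v2.0 issuer from step 4 must appear verbatim in both the discovery document and every ID token, and a token whose tid is another tenant is rejected even if the signature is valid. Missing optional claims show up as a clear message pointing back to Token configuration rather than as a silent empty profile.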