Setting up Microsoft Entra for OIDC-based Single Sign-On (SSO)
Who is this article for?
Administrators responsible for managing organization security settings in Ideagen Hub.
Admin Console access is required.
You can set up Microsoft Entra as your corporate identity provider (IdP) in Ideagen Hub using SAML or OIDC. To use an external identity provider like Microsoft Entra, you will need to ensure the Hub user's authentication type is set to External.
This article outlines how to configure a new OIDC app in Microsoft Entra and link it to Ideagen Hub.
1. Creating an OIDC app
To create an OIDC app in Microsoft Entra:
- Log in to the Entra portal.
- Navigate to App registrations.
- Click New registration to create a new app.
2. Configuring the OIDC app
To configure your OIDC IDP in Ideagen Hub:
- Sign in to Ideagen Hub.
- Navigate to the Admin Console.
- Go to the Security Center.
- Select Authentication.
- Select External IDP Configuration.
- Click Add Identity Provider.
- Select OIDC.
- Click Next.
- Enter a Provider name. This name will appear as the sign-in button label at the sign-in page.
- Complete the remaining mandatory settings based on the instructions in the sub-sections below, then click Apply Configuration to save the IDP configuration in Ideagen Hub.
2.1. Client ID and Client Secret
You will need a client ID and secret when setting up the OIDC IdP in Ideagen Hub.
2.1.1. Microsoft Entra
To obtain the client ID and secret from the Microsoft Entra app you created:
- Once the App is created, you can copy the Application (Client) ID.
This is the Client ID to be configured in Ideagen Hub.
- Go to Certificates & secrets.
- Click New client secret.
- Enter a meaningful Description.
- Set the Expiry time according to your company policies.
- Once created, copy the Value.
This is the Client Secret to be configured in Ideagen Hub.
2.1.2. Ideagen Hub
To configure the Client ID and Client Secret in Ideagen Hub:
- Go to the OIDC Configuration screen.
- Enter the Client ID and Client secret you have retrieved from Microsoft Entra.
2.2. Redirect URL
The Redirect URL for Ideagen Hub needs to be added to the Microsoft Entra app.
2.2.1. Ideagen Hub
In Ideagen Hub, copy the Redirect URL displayed at the top of the OIDC Configuration screen.
2.2.2. Microsoft Entra
To set up the Redirect URL in Microsoft Entra:
- Navigate to Overview.
- Open the Manage menu.
- Select Authentication (Preview).
- Click Add Redirect URI.
- Select Web.
- Paste the Redirect URI copied from Ideagen Hub.
- Click Configure.
2.3. Authorized scope
In Ideagen Hub, you will need to configure the required authorized scope. Ideagen Hub only populates openid by default. You will need to populate the additional scope as required, separated with spaces.
Refer to the ID token claims reference for the Microsoft identity platform for information on the scope required for each claim.
For example, you will need to add:
- profile scope to use the preferred_username claim
- email scope to use the email claim
- profile scope to use the name claim.
2.4. Attribute request method
In Ideagen Hub, select one of the methods for the attribute request method. For example, GET. Both GET and POST methods should be supported by Microsoft Entra.
2.5. Issuer URL
2.5.1. Microsoft Entra
To retrieve the Issuer URL from Microsoft Entra:
- Navigate to Overview.
- Go to Endpoints.
- Get the OpenID Connect metadata document URL.
- Open the metadata document using a web browser.
- Copy the Issuer URL.
2.5.2. Ideagen Hub
To set up the Issuer URL in Ideagen Hub:
- Go to the OIDC Configuration screen.
- Select Auto fill through issuer URL.
- Paste the Issuer URL obtained from Microsoft Entra.
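The Issuer URL in step 2.5 is read from the OpenID Connect metadata document, and the Redirect URL in step 2.2 is pasted into Entra by hand; both are easy to get subtly wrong. The following is an added example (not Ideagen Hub's or Microsoft's own code) that parses a metadata document shaped like Entra's, extracts the issuer, refuses documents whose endpoints are not all HTTPS and on the issuer's host, reports which claims from section 2.3 the IdP does not advertise, and checks the redirect URL before it is registered as a Web redirect URI. The tenant id and the Hub redirect URL are constructed placeholders; fetching the document over the network is left out so the code runs offline.

```python
"""Added example: sanity-check an Entra OIDC metadata document and the Hub
redirect URL before pasting values into Ideagen Hub. Not vendor code."""
import json
from urllib.parse import urlparse

# Constructed sample shaped like Entra's v2.0 metadata document. The tenant
# id (all zeros) is a placeholder; a real document comes from the "OpenID
# Connect metadata document" URL under Overview > Endpoints.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "response_modes_supported": ["query", "fragment", "form_post"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "name",
                         "preferred_username", "email"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def extract_issuer(metadata_json: str) -> str:
    """Return the issuer from a discovery document. Raise ValueError if the
    document is incomplete, uses plain http anywhere, or points its endpoints
    at a host other than the issuer's (a mistyped or substituted metadata URL
    is the failure this guards against)."""
    doc = json.loads(metadata_json)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"metadata document is missing {missing}")
    for key in REQUIRED_KEYS:
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} must use https: {doc[key]}")
    issuer = doc["issuer"].rstrip("/")
    host = urlparse(issuer).netloc
    for key in REQUIRED_KEYS[1:]:
        if urlparse(doc[key]).netloc != host:
            raise ValueError(f"{key} host differs from issuer host {host}")
    return issuer


def unsupported_claims(metadata_json: str, wanted: list[str]) -> list[str]:
    """Section 2.3: list the wanted claims the IdP does not advertise in
    claims_supported. A custom claim (e.g. employee_id) will show up here
    because it is not part of the standard set."""
    doc = json.loads(metadata_json)
    advertised = set(doc.get("claims_supported", []))
    return [c for c in wanted if c not in advertised]


def validate_redirect_url(redirect_url: str) -> bool:
    """Section 2.2: the Hub redirect URL registered in Entra as type Web
    should be an absolute https URL without a fragment."""
    parts = urlparse(redirect_url)
    return parts.scheme == "https" and bool(parts.netloc) and parts.fragment == ""


if __name__ == "__main__":
    print("issuer:", extract_issuer(SAMPLE_METADATA))
    print("not advertised:", unsupported_claims(
        SAMPLE_METADATA, ["email", "preferred_username", "employee_id"]))
    print("redirect ok:", validate_redirect_url("https://hub.example.com/oidc/callback"))
```

The issuer string returned here is the value to paste into Auto fill through issuer URL; compare it byte for byte with the `iss` claim of a test ID token later, since a mismatch there is the usual reason a freshly configured IdP rejects sign-ins.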
3. Configuring attribute mapping
In most cases, you will be required to map both the email and preferred_username values in Ideagen Hub.
3.1. Email attribute
In Ideagen Hub, on the OIDC Configuration screen, you will always see email listed as a fixed User pool attribute that you need to map. By default, Microsoft Entra ID's Enterprise Application includes a pre-configured claim named email that is mapped to user.mail.
To set up the email attribute in Ideagen Hub, enter email as the OpenID Connect attribute next to the email User pool attribute.
3.2. Username attribute
In Ideagen Hub, on the OIDC Configuration screen, if you see preferred_username listed as a fixed User pool attribute that you need to map, ensure it is mapped to an attribute from your IdP that contains a unique and consistent identifier for each user.
3.2.1. Pre-configured claim
By default, Microsoft Entra ID's Enterprise Application includes a pre-configured claim named preferred_username mapped to user.userprincipalname. Assuming that user.userprincipalname contains a unique value for each user, you can copy the default claim name to be mapped to the preferred_username attribute in Ideagen Hub.
Note
If you are using preferred_username, you will need to ensure that the Username value created/imported in Ideagen Hub user management is consistent with the value returned from preferred_username, which follows the format of user@domain.com.
3.2.2. Custom claim
You can also use any other unique value that is not included in the default claims provided by Microsoft Entra as the preferred username.
For example, if your organisation uses Employee ID as a unique identifier, you can create a custom claim to map Microsoft Entra's Employee ID to the preferred_username user pool attribute in Ideagen Hub.
To create a new claim:
- Go to the application in the Entra portal.
- Navigate to Overview.
- Click Manage application in local directory.
- Open the Manage menu.
- Select Single sign-on.
- Click Edit next to Attributes & Claims.
- Click Add new claim.
- Enter a Name for the claim.
- Ensure you select a Source attribute that returns the unique identifier you want to use as the username (e.g., user.employeeid).
- Click Save.
After adding the new attribute, configure the application to permit these changes. For a single-tenant app, like ours, the easiest method is to update the application manifest to recognise the modified claims.
To use this custom claim, copy its claim name. This value will be used later to map to the preferred_username user pool attribute in Ideagen Hub.
If you are using employee_id, make sure that the Username value created or imported in Ideagen Hub user management matches the value returned from employee_id. You can verify this in Microsoft Entra.
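Sections 2.3 and 3 together determine whether a sign-in can be matched to a Hub user: every claim mapped on the OIDC Configuration screen must be requested through the right scope, present in the ID token, and (for the username) equal to the Username stored in Hub user management. The following is an added example (not Ideagen Hub's or Microsoft's own code) that runs those checks over a decoded ID token payload, for both the default preferred_username mapping and the employee_id custom claim. The token payload, Hub user record and mapping dictionaries are constructed samples; the manifest key `acceptMappedClaims` is the Entra application manifest setting that a single-tenant app needs before custom claims are emitted, assumed here to be the manifest update the article refers to.

```python
"""Added example: validate a Hub attribute mapping against an Entra ID token.
Not vendor code. Signature verification of the token is out of scope here;
this operates on the already-decoded payload."""
import json

# Scope each standard claim requires (section 2.3). A custom claim such as
# employee_id has no entry: it is emitted by the claim mapping, not a scope.
CLAIM_SCOPE = {"email": "email", "preferred_username": "profile", "name": "profile"}

# Constructed mappings as entered on the OIDC Configuration screen:
# key = User pool attribute, value = OpenID Connect attribute (claim name).
HUB_MAPPING_DEFAULT = {"email": "email", "preferred_username": "preferred_username"}
HUB_MAPPING_CUSTOM = {"email": "email", "preferred_username": "employee_id"}

# Constructed decoded ID token payload; tenant id and aud are placeholders.
SAMPLE_TOKEN = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "aud": "11111111-1111-1111-1111-111111111111",
    "email": "Jane.Doe@example.com",
    "preferred_username": "jane.doe@example.com",
    "name": "Jane Doe",
    "employee_id": "E12345",
}


def check_mapping(mapping: dict, scopes: str, token: dict) -> list[str]:
    """Return the problems found; an empty list means every mapped claim is
    requested with the right scope and carries a value in the token."""
    problems = []
    requested = set(scopes.split())  # Hub stores scopes space-separated
    if "openid" not in requested:
        problems.append("scopes must include openid")
    for pool_attr, claim in mapping.items():
        needed = CLAIM_SCOPE.get(claim)
        if needed and needed not in requested:
            problems.append(f"claim {claim} needs scope {needed} (mapped to {pool_attr})")
        if not token.get(claim):
            problems.append(f"token has no value for claim {claim} (mapped to {pool_attr})")
    return problems


def hub_username_matches(mapping: dict, token: dict, hub_username: str) -> bool:
    """Section 3.2: the Username in Hub user management must equal the value
    of the claim mapped to preferred_username. The comparison is exact, the
    strictest reading of "consistent"; normalise case upstream if your
    directory and Hub records differ only in case."""
    claim = mapping["preferred_username"]
    return token.get(claim) == hub_username


def manifest_allows_custom_claims(manifest_json: str) -> bool:
    """Section 3.2 custom claim: a single-tenant app's manifest must set
    acceptMappedClaims to true (assumed to be the update the article means),
    otherwise the custom claim is not included in the token."""
    return json.loads(manifest_json).get("acceptMappedClaims") is True


if __name__ == "__main__":
    print(check_mapping(HUB_MAPPING_DEFAULT, "openid", SAMPLE_TOKEN))
    print(check_mapping(HUB_MAPPING_CUSTOM, "openid email", SAMPLE_TOKEN))
    print(hub_username_matches(HUB_MAPPING_CUSTOM, SAMPLE_TOKEN, "E12345"))
    print(manifest_allows_custom_claims('{"acceptMappedClaims": true}'))
```

Run the mapping check with the exact scope string from the Authorized scope field: the first sample call above shows why leaving the default `openid` alone breaks both the email and the preferred_username mappings, and the exact username comparison is the check to repeat whenever user records are imported into Hub.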