SSO with Microsoft Entra ID OIDC

This guide will walk you through the steps to configure Microsoft Entra ID for OpenID Connect (OIDC) integration with your application.

Step 1: Register a New Application

  1. Navigate to App Registrations

    In the Microsoft Entra admin center (or the Azure portal), go to Microsoft Entra ID > App registrations.

  2. Create a New Registration

    Click on New registration.

  3. Register an Application

    • Name: Enter the name for the application (e.g., credoai-sso).
    • Supported account types: Choose the appropriate option for your scenario. If unsure, select Accounts in this organizational directory only, which limits sign-in to users of your own tenant.
    • Select the Redirect URI type: Choose Single-page application (SPA).
    • Redirect URI: Enter the URL of the application installation, for example https://credoai.<your-domain>/. Entra ID only redirects to an exact match of a registered URI, so it must match the deployed URL exactly, including the scheme and any trailing slash.

    Once completed, click Register.

Step 2: Expose an API

  1. Navigate to Expose an API

    After registering your application, go to Expose an API under Manage.

  2. Add a Scope

    Click Add a scope to define a new scope.

    • Scope name: Enter api. Combined with the default Application ID URI (api://<client-id>) this creates a scope identified as api://<client-id>/api. Copy the full identifier for later use in the application configuration.
    • Admin consent display name: Enter a short name that is shown on the consent prompt (e.g., Authorizes Credo AI application).
    • State: Ensure it is set to Enabled.

    Click Add scope when done.

Step 3: Configure App Roles

  1. Navigate to App Roles

    Go to App roles under Manage.

  2. Create a New Role

    Click Create app role to define a new role for your application.

    • Display name: Enter a name for the role (e.g., Admin User).
    • Allowed member types: Select who can be assigned this role (e.g., Users/Groups).
    • Value: Enter a unique value (e.g., admin). This string is what appears in the roles claim of tokens issued to assigned users, so it is the value the application must match. The role only appears in a user's tokens once it has been assigned to that user or to a group under Enterprise applications > Users and groups.
    • Description: Provide a description for the role.

    Click Apply when done.

Step 4: Configure API Permissions

  1. Navigate to API Permissions

    Go to API permissions under Manage.

  2. Add API Permissions

    Click Add a permission.

  3. Choose Microsoft Graph

    Choose Microsoft APIs > Microsoft Graph.

    Click on Delegated permissions.

  4. Select Permissions

    Select the permissions to grant.

    • email
    • offline_access
    • openid
    • profile

  5. Remove Unnecessary Permissions

    Remove User.Read, which is added to every new registration by default and is not needed for OIDC sign-in.

  6. Request API Permissions

    Click Add a permission.

    Choose APIs my organization uses then select the application name you created earlier (e.g., credoai-sso).

    Select api from the list of permissions.

  7. Verify Permissions

    The permissions should now be listed under API permissions.

Step 5: Configure Claims

  1. Navigate to Token Configuration

    Go to Token configuration under Manage.

  2. Add Claims

    Click Add optional claim to configure additional information that will be included in the tokens.

  3. Select Claims for ID Token

    • Token type: Choose ID.
    • Select the claims acct, email, family_name, given_name, and upn.

    Click Add when done.

  4. Repeat for Access Token

    Click Add optional claim again, this time for the access token.

    • Token type: Choose Access.
    • Select the claims aud, email, family_name, given_name, and upn.

    Click Add when done.

  5. Verify Claims

    The claims should now be listed under Token configuration.

Step 6: Review Application Overview

  1. Application Essentials

    Go to the Overview section to review essential details like Application (client) ID, Directory (tenant) ID, and other important information.

Step 7: Update Application Manifest

  1. Modify the Manifest

    We suggest having the application accept version 2 access tokens, so that the access token's issuer and audience match the v2.0 metadata document used in the next step. With version 1 tokens the iss claim is https://sts.windows.net/<tenant-id>/ and the aud claim is api://<client-id>, so the issuer and audience checks configured in Step 9 would fail. To do this, you will need to update the manifest directly. Go to the Manifest section.

    Find accessTokenAcceptedVersion and set it to 2. (In the newer Microsoft Graph manifest format shown by the portal, the same setting appears as requestedAccessTokenVersion under api.)

    Click Save.

Step 8: View Endpoints

  1. View Endpoints

    In the Overview section, scroll down to Endpoints to get the URLs necessary for OIDC configuration in your application.

    Navigate to the URL called OpenID Connect metadata document. For the v2.0 endpoint it has the form:

    https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration

    This will open a JSON document with a lot of URLs. You will need the following:

    • issuer (for v2.0 tokens this is https://login.microsoftonline.com/<tenant-id>/v2.0; it must match the iss claim of the tokens exactly, so do not use the v1.0 form https://sts.windows.net/<tenant-id>/)
    • userinfo_endpoint
    • jwks_uri (the tenant's signing keys; the application should fetch them from this URL and re-fetch when an unknown key id appears, since Microsoft rotates the keys, rather than pinning a copy)

Step 9: Configure Credo AI

Under the SSO Settings tab, enter the following:

  • Client ID: The Application (client) ID you noted in Step 6.
  • ID Token Audience: The same Application (client) ID.
  • Access Token Audience: The same Application (client) ID (this holds because Step 7 set the access token version to 2).
  • Issuer: The value of the issuer you noted earlier.
  • Authority: The value of the issuer you noted earlier.
  • JWKS URL: The value of the jwks_uri you noted earlier.
  • UserInfo URL: The value of the userinfo_endpoint you noted earlier.

Select Configure overrides and the Advanced sub-heading.

  • Admin Groups: Enter the Value of the App Role you created earlier (admin in the example above); users whose token carries that value in the roles claim are treated as administrators.
  • Scope: openid profile email offline_access <api-scope> where <api-scope> is the full scope identifier you copied in Step 2 (e.g., api://<client-id>/api).
  • JWKS Algorithm: RS256
  • UserInfo Provider: token-claims (the user's details are read from the token claims configured in Step 5 rather than fetched from the UserInfo URL)

Click Save config. Then deploy the updated configuration.