
Microsoft Entra SSO


iceDQ can use Microsoft Entra ID (formerly Azure AD) as an Identity Provider (IdP) over the OpenID Connect (OIDC) protocol. Users then sign in to iceDQ with their Microsoft Entra credentials and get single sign-on.

1. Register an App in Microsoft Entra

  1. Log in to the Microsoft Azure Portal with admin credentials.
  2. Navigate to Microsoft Entra ID.
  3. Click + Add > App registration.
  4. Provide an Application Name (e.g., "Azure SSO for iceDQ").
  5. Set Supported Account Types to Single Tenant.
  6. Configure the Redirect URI:
    • Set Type to Web.
    • Set Value to: https://<base-url>/auth/realms/iam.icedq/broker/<idp-alias>/endpoint. Replace <base-url> with the host name of your iceDQ instance and <idp-alias> with a unique identifier of your choice. Entra matches this value exactly against the callback sent during login, so copy it character for character (scheme, host, port, path, no trailing slash).
  7. Click Register.
Important

Note the idp-alias you chose. You must use exactly the same value when creating the identity provider entry in iceDQ; otherwise the callback URL iceDQ sends will not match the one registered in Entra and sign-in will fail.

Register App In Entra


2. Configure App Authentication

  1. Navigate to Authentication.
  2. Under Platform configurations, confirm that the Web platform lists the Redirect URI from step 1 (add it if it is missing).
  3. Under Implicit grant and hybrid flows, check ID tokens.
  4. Under Supported account types, confirm Single Tenant is selected.
  5. Click Save.

Configure Redirect URLs


3. Configure API Permissions

  1. Go to API Permissions.
  2. Click Add a permission.
  3. Select Microsoft Graph.
  4. Choose Delegated Permissions.
  5. Select the following permissions:
    • OpenID Permissions: email, profile
    • User: User.Read
  6. Click Add permissions.
  7. Click Grant admin consent for your organization.
  8. Click Yes.

Configure API Permissions


4. Retrieve Required Parameters

  1. Navigate to the Overview section of the registered app and note down the Application (client) ID (this is the Client ID).
  2. Click Endpoints and note down the OpenID Connect metadata document URL. For a single-tenant app it has the form https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration.
  3. Paste the OpenID Connect metadata URL into a browser. It returns a JSON document; note down the following fields:
    • Token URL (token_endpoint)
    • Issuer (issuer)
    • User Info URL (userinfo_endpoint)
    • Authorization URL (authorization_endpoint)
    • End Session URL (end_session_endpoint)
  4. Navigate to Certificates & Secrets.
  5. Click New client secret, choose an expiry, and note down the secret Value. The value is shown only once; store it in a secrets manager, not in a ticket or chat, and plan to rotate it before it expires.

Metadata & Secret


5. Configure Microsoft Entra as IDP

  1. Log in to iceDQ as an admin. Navigate to Administration > Security > Single Sign-On.
  2. Click New Identity Provider.
  3. Ensure the Redirect URI shown by iceDQ matches the one registered in Microsoft Entra exactly.
  4. Enter Alias & Name:
    • Alias: the same <idp-alias> used during app registration.
    • Display Name: a friendly name shown to users on the sign-in page.
  5. Enter the OpenID settings, using the values noted in the Retrieve Required Parameters step:
    • Uncheck Use Discovery Endpoint.
    • Authorization URL.
    • Token URL.
    • Logout URL (the End Session URL).
    • User Info URL.
    • Issuer.
    • Client ID.
    • Client Secret.
  6. Click Save.
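Steps 4 and 5 amount to copying five URLs out of the discovery document into the iceDQ form and keeping the redirect URI identical on both sides; typos in either place produce an opaque login failure. The script below is an added example, not iceDQ or Microsoft code. It maps a discovery document onto the iceDQ field labels, refuses an issuer that is not your single tenant's v2.0 issuer or an endpoint that is not HTTPS, builds the redirect URI from the page's broker path, and reports which URL component differs when two redirect URIs do not match. The tenant ID, base URL and alias are placeholders, and the metadata is a constructed sample in the shape Entra publishes, not a live fetch.

```python
"""Map an Entra OpenID Connect discovery document onto the iceDQ IdP form.

Added example; this is not iceDQ or Microsoft code. Assumptions not taken
from the page: TENANT_ID, BASE_URL and IDP_ALIAS are placeholders, and
SAMPLE_METADATA is a constructed document in the shape Entra publishes at
https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration,
not a live fetch.
"""
import json
from urllib.parse import urlparse

TENANT_ID = "11111111-2222-3333-4444-555555555555"   # placeholder tenant ID
BASE_URL = "https://icedq.example.com"                # placeholder iceDQ host
IDP_ALIAS = "entra"                                   # placeholder <idp-alias>

# Constructed sample metadata (same field names as the real document).
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
})

# Discovery field -> label on the iceDQ "New Identity Provider" form.
FIELD_MAP = {
    "authorization_endpoint": "Authorization URL",
    "token_endpoint": "Token URL",
    "end_session_endpoint": "Logout URL",
    "userinfo_endpoint": "User Info URL",
    "issuer": "Issuer",
}


def redirect_uri(base_url: str, idp_alias: str) -> str:
    """Broker endpoint that must be registered in Entra, character for character."""
    return f"{base_url.rstrip('/')}/auth/realms/iam.icedq/broker/{idp_alias}/endpoint"


def redirect_mismatch(entra_value: str, icedq_value: str) -> list:
    """Names of the URL components that differ (empty list means exact match).

    Entra compares redirect URIs exactly, so a trailing slash or a different
    port is enough for the callback to be rejected.
    """
    a, b = urlparse(entra_value), urlparse(icedq_value)
    return [part for part in ("scheme", "netloc", "path", "query")
            if getattr(a, part) != getattr(b, part)]


def icedq_settings(metadata_json: str, tenant_id: str) -> dict:
    """Return the iceDQ OpenID settings, or raise ValueError listing every problem."""
    meta = json.loads(metadata_json)
    problems, settings = [], {}
    for key, label in FIELD_MAP.items():
        if not meta.get(key):
            problems.append(f"metadata has no {key}")
        else:
            settings[label] = meta[key]

    # Single tenant: the issuer must name *your* tenant. The /common and
    # /organizations documents advertise a templated issuer that would let a
    # token from any tenant through.
    expected = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if settings.get("Issuer") != expected:
        problems.append(f"issuer is {settings.get('Issuer')!r}, expected {expected!r}")

    # Codes, tokens and the client secret travel over these; insist on HTTPS.
    for label in ("Authorization URL", "Token URL", "Logout URL", "User Info URL"):
        if urlparse(settings.get(label, "")).scheme != "https":
            problems.append(f"{label} is not https: {settings.get(label)!r}")

    if problems:
        raise ValueError("; ".join(problems))
    return settings


if __name__ == "__main__":
    print("Redirect URI to register:", redirect_uri(BASE_URL, IDP_ALIAS))
    for label, value in icedq_settings(SAMPLE_METADATA, TENANT_ID).items():
        print(f"{label}: {value}")
```

To use it against a real tenant, replace SAMPLE_METADATA with the JSON you pasted from the metadata URL in step 4 and set TENANT_ID to the directory (tenant) ID shown on the app's Overview page; the issuer check is what keeps a copy-paste of the /common document from silently turning a single-tenant setup into a multi-tenant one.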

Configure IDP


6. Login using Microsoft Entra

  1. Open iceDQ in a browser.
  2. Click Sign In with <Display Name> (the friendly name you gave the identity provider).
  3. Enter your Microsoft Entra credentials on the Microsoft sign-in page.
  4. After authentication you are redirected back to iceDQ and signed in.

Video Guide

This video shows how to log in using Microsoft Entra.


Optional: Assign Users or Groups

By default any user in the tenant can sign in to iceDQ through this app. To restrict sign-in to specific users or groups, follow the steps below in Microsoft Entra.

  1. Go to Enterprise applications, then search for and select the registered app.
  2. Under Manage, click Properties.
  3. Set Assignment required? to Yes.
  4. Click Save.
  5. Under Manage, navigate to Users and groups.
  6. Click + Add user/group, select a user or group, then click Assign.

Assign Users