Configuring OIDC Authentication with Microsoft Entra ID

  1. Install the UPA Gatekeeper/Gateway.
  2. Create and configure UPA as an enterprise application in your Microsoft Entra ID tenant:
    1. Sign in to the Microsoft Entra admin center:
      1. From the left navigation pane, select Enterprise apps > All applications
      2. Select New application
      3. On the Browse Microsoft Entra Gallery page, select Create your own application
      4. Enter a name for your application. For example, ‘UPA_OIDC’
      5. Select Integrate any other application you don’t find in the gallery (Non-gallery)
      6. Click Create
    2. Assign Users and Groups:
      1. On your application’s Overview page, select Assign users and groups from the Identity menu or the Getting Started area
      2. Select Add user/group on the Users and groups page
      3. On the Users and groups tab of the Add Assignment page, select one or more Users and Groups check boxes
      4. Click Select
      5. On the Select a role tab of the Add Assignment page, select a role
      6. Click Select
      7. Click Assign
      8. (Optional) On the Users and groups page, select a User or Group
        1. (Optional) Select Edit Assignment to assign a different role
        2. (Optional) Select Remove Assignment to remove assigned users and groups
    3. Configure Application Authentication:
      1. Navigate to the Microsoft Entra admin center
      2. From the left navigation pane, select App registrations > All applications
      3. Select your application created in a previous step and make a note of the following values:
        1. Application (client) ID
        2. Directory (tenant) ID
        3. Click Endpoints and copy the OpenID Connect metadata document URL
      4. Select Authentication, from the Manage area
      5. Select Add a Platform
      6. Select Web from the Configure platforms area
        1. Enter the Redirect URI in the format: https://<gatekeeper>/Portal/SSO/OIDC
        2. Click Configure
      7. Enter the Front Channel Logout URL in the format: https://<gatekeeper>/Portal/SSO/Logout
      8. Select the ID tokens checkbox
      9. Click Save
    4. Configure UPA to use OIDC authentication.
      1. In the Full Armor UPA Owner Portal (https://<gatekeeper>/portal/account), select SSO
      2. Click Add OIDC Provider to launch the Edit OIDC Configuration page and complete the following steps
        1. Enter the identity provider name as the Provider Name
        2. Select the Set as Default Login Provider check box
        3. In the Provisioning Mode list, click AutomaticProvisioning
        4. Click Configure Provisioning to launch the Provisioning Settings page
          1. View the Provider Name
          2. View the Provisioning Mode
          3. Click Get SCIM Token
        5. Click Configure Claims Mappings to launch the Claims Mappings page:
          1. In the Match login claims to users using this property list, click EmailAddress
          2. Enter preferred_username as the Unique ID
          3. Enter preferred_username as the Username
          4. Enter name as the Display Name
          5. Enter email as the Email Address
          6. You can leave Groups blank
          7. You can leave Domain\username blank
          8. You can leave SID blank
          9. You can leave IP Address blank
          10. Click Save
        6. Enter the OpenID Connect metadata document URL noted in a previous step
        7. Enter the Client ID noted in a previous step
        8. In the Match on Property list, click EmailAddress
        9. Enter tenancyId as Parameter 1 Name
        10. Enter the Directory (tenant) ID noted in a previous step as Parameter 1 Value
        11. Enter scope as Parameter 2 Name
        12. Enter openid email as Parameter 2 Value
        13. Click Save Changes
  3. Configure SCIM provisioning in the Microsoft Entra admin center:
    1. Navigate to the Microsoft Entra admin center
    2. From the left navigation pane, go to Enterprise apps
    3. On your application’s Overview page, select Provisioning
    4. On your application’s Provisioning page, select Provisioning again
      1. In the Provisioning Mode list, click Automatic
      2. In the Admin Credentials section:
        1. Enter the Tenant URL of the SCIM endpoint: https://<gatekeeper>/api/scim
        2. Paste the Secret Token retrieved in a previous step
        3. Click Test Connection to verify
      3. In the Settings section:
        1. Select Send an email notification when a failure occurs and enter a Notification Email
        2. Select Prevent accidental deletion and set the Accidental deletion threshold
    5. Click Save
    6. Click Start Provisioning and allow time for the initial provisioning cycle to complete
    7. Check the provisioning status in the Microsoft Entra admin center
  4. Assign UPA Global Administrator role:
    1. On the UPA Owner Portal, click the SSO tab when provisioning is complete
    2. Select the List Users button for the OIDC provider
      • Confirm that the users/groups are imported correctly
    3. Select the user to grant global administrator permissions
    4. Click Set User as Global Admin
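As an added worked example (not Full Armor's or Microsoft's code), the following Python script cross-checks the values gathered in the steps above before you click Save Changes, and shows how the Claims Mappings turn an ID token payload into the UPA user fields. The tenant ID, client ID and gatekeeper host are placeholders, the metadata document is a constructed stand-in, and the assumption that the email claim needs the email scope while preferred_username and name come with openid is marked in the code.

```python
# Added example (not Full Armor's code): consistency checks for the values noted above.
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder Application (client) ID
GATEKEEPER = "gatekeeper.example.com"                 # placeholder Gatekeeper host

# Claims Mappings exactly as entered on the UPA Claims Mappings page.
CLAIMS_MAPPING = {
    "unique_id": "preferred_username",
    "username": "preferred_username",
    "display_name": "name",
    "email_address": "email",
}
# Assumption: Entra ID issues preferred_username and name with the openid scope,
# but the email claim only when the email scope is also requested.
CLAIM_SCOPE = {"preferred_username": "openid", "name": "openid", "email": "email"}

# Constructed stand-in for the OpenID Connect metadata document.
SAMPLE_METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "response_types_supported": ["code", "id_token", "code id_token"],
}

def check_config(metadata, redirect_uri, logout_uri, scope="openid email"):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    if TENANT_ID not in metadata.get("issuer", ""):
        problems.append("metadata issuer is not this tenant (check Parameter 1 Value)")
    if "id_token" not in metadata.get("response_types_supported", []):
        problems.append("provider does not advertise id_token (ID tokens checkbox)")
    if redirect_uri != f"https://{GATEKEEPER}/Portal/SSO/OIDC":
        problems.append(f"redirect URI must be https://{GATEKEEPER}/Portal/SSO/OIDC")
    if logout_uri != f"https://{GATEKEEPER}/Portal/SSO/Logout":
        problems.append(f"logout URL must be https://{GATEKEEPER}/Portal/SSO/Logout")
    scopes = scope.split()  # Parameter 2 Value, e.g. "openid email"
    for field, claim in CLAIMS_MAPPING.items():
        if CLAIM_SCOPE[claim] not in scopes:
            problems.append(f"{field} maps to '{claim}' but scope '{CLAIM_SCOPE[claim]}' is not requested")
    return problems

def map_id_token(payload):
    """Check an already signature-verified ID token payload and build the UPA user fields."""
    if payload.get("tid") != TENANT_ID or payload.get("aud") != CLIENT_ID:
        raise ValueError("token is not for this tenant/application")
    missing = sorted({c for c in CLAIMS_MAPPING.values() if c not in payload})
    if missing:
        raise ValueError(f"ID token lacks mapped claims: {missing}")
    return {field: payload[claim] for field, claim in CLAIMS_MAPPING.items()}
```

Signature, expiry and nonce validation are done by the Gatekeeper itself; this script only checks that the configured values and the mapped claims agree with each other.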

For more information, see Add an OpenID Connect-based single sign-on application in Microsoft Entra ID.