Entra ID | OIDC

Owned by Ole Kristian Aune (Unlicensed)
Last updated: Nov 15, 2024 by Steinar Line
4 min read

1. Display name

Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This value can be changed later.

image-20240105-134225.png

 

 

2. Redirect Mode

Select how the user will be redirected to the identity provider. You may configure more redirect modes after completing the setup.

3. Prepare IDP

In this step, we will configure Entra ID to work with Kantega SSO. For this, you will need to copy the Callback URL provided. We will use this when setting up Entra ID.

 

 

Configure Microsoft Entra ID

external

If you are using SCIM with your provider, make sure to check out the documentation for configuring this before proceeding. It might be that you need to configure this first or at the same time as setting up OIDC.

Sign in to the Azure Portal, navigate to Microsoft Entra ID > App registrations

Press New registration

Fill out the Name field. Here you can specify any value, e.g., "Jira" or "Confluence."

The Redirect URL consists of two fields. Select "Web" in the left drop-down field and paste in the Callback URL from Kantega SSO in the right field.

Click the Register button in the bottom left of the page and wait a few seconds until the registration is finished.

 

Copy the Directory (tenant) ID, Application ID. The values will be inserted later into the Kantega SSO setup wizard.

Go to Certificates & secrets (open tab Manage in left menu) and create a New client secret. Set as long expiry as your policy accepts. Copy the Client secret: Value (not the Secret ID!). The client secret will be inserted later into the Kantega SSO setup wizard.

 

Go back to the Kantega SSO setup wizard setup wizard step Metadata..

4. Metadata

In the Metadata step, paste the Directory (tenant) ID from clipboard into Tenant ID. The IDP Discovery URL is generated from default URL and tenant ID. Custom URL’s can also be inserted here.

 

5. Scopes

These are the scopes we were able to fetch from the metadata. You can add scope values from a list, start typing to add your own or unselect them. A minimum of one scope value is required.

6. Credentials

In this step, you need to insert client credentials from Entra ID. Paste the Application (client) ID and the Client secret value you copied from Entra ID into the respective fields.

7. Token configuration

You might want to configure some more claims for your ID tokens sent from Entra ID. If you want to test the default setup, simply skip this step.
One claim that might not come by default in your tenant is the email claim, which is a required attribute to create a user in Jira with Just-in-time user provisioning. To add the email claim, navigate to Token Configuration in your App Registration > Add Optional Claim. Select ID, and check the email claim checkbox:

 

8. Summary

Check that everything looks good and submit your setup

Test

Test that logging in with Entra ID works as expected. This will help identify if there are any issues with the configuration. Follow the steps to perform the login test.

 

During the first login on an App Registration, you will be prompted to give consent for the integrated Atlassian application to read user data. If your organization has activated that admin consent is required for logins, your Azure AD administrator will have to consent on behalf of the organization, under App Registrations > your app > API permissions:

Optional: Get group claims for user

Follow this guide to get group claims for user in the OIDC login:

https://kantega-sso.atlassian.net/wiki/x/K4FCEg

Optional: Get sAMAccountName from OIDC login

This may be done in the exact same way as described for SAML here:

Entra ID | SAML | Optional: Get sAMAccountName from SAML login