Single Sign-On with Microsoft Entra ID
This page describes how to configure Microsoft Entra ID as an IdP for use with SSO in CCC. Complete the steps on this page after completing the main SSO configuration procedure described in Single Sign-On.
The configuration steps described in this document are indicative and may vary based on tenant-specific settings, security policies, and enabled features.
Prerequisites
Ensure the following prerequisites are met before starting:
- An active Microsoft Entra ID tenant
- Microsoft Entra admin permissions (Global Administrator or Cloud Application Administrator)
- An operational CCC instance with an admin user
- Test user accounts available in Microsoft Entra ID for assignment to the CCC application
Configure Microsoft Entra ID
Create an application registration in Microsoft Entra ID by navigating to App registrations, clicking New registration, providing an application name, and clicking Register.
Add a client secret to the application by navigating to Certificates & secrets, clicking New client secret, providing a description and expiration, and clicking Add.
Copy and securely store the client secret value.
The client secret value is displayed only once and is required later during CCC SSO configuration.
Create application roles for CCC by navigating to App roles and creating the ccc_admin (CCC admin role) and ccc_user (CCC application owner role) roles.
Create a directory extension schema for organization mapping by using the Microsoft Graph API to define a schema named ccc_organization with data type String, targeting User objects.
Grant the required Microsoft Graph permissions by ensuring admin consent is granted for Application.ReadWrite.All and User.ReadWrite.All.
Confirm that the directory schema extension is created with an ID in the format extension_<ApplicationClientId>_ccc_organization.
Add the directory extension schema to the SSO token by navigating to the application’s Enterprise application, opening Single sign-on, editing Attributes & claims, and adding a new claim using the directory schema extension created earlier.
Save the claim configuration.
Locate the OpenID Connect Discovery URL by navigating to App registrations > Overview > Endpoints and copying the OpenID Connect metadata document URL.
Configure CCC
Log in to CCC using an admin account.
Navigate to Administration > Single Sign-On > Add SSO.
Enter the required SSO configuration values, including the SSO Display Name, Alias, Discovery URL (OpenID Connect metadata document URL from Microsoft Entra ID), Client ID, Client Secret, Role Claim Name (roles), and Organization Claim Name (ccc_organization).
After entering the Discovery URL, click Connect to validate the configuration and fetch endpoint details.
Click Add SSO to save and activate the configuration.
Verify the SSO setup by confirming that the SSO entry appears in the SSO list and a new Microsoft Entra login option appears on the CCC login screen.
Copy the generated sign-in redirect URL from CCC.
Update Redirect URI in Microsoft Entra ID
Update the redirect URI in the application registration by navigating to App registrations > Overview, clicking Add a Redirect URI, adding a Web platform, pasting the redirect URI copied from CCC, and clicking Configure.
Assign Roles and Organization Values to Users
Assign application roles to users by navigating to Enterprise applications, selecting the CCC application, opening Users and groups, adding a user, and assigning either the ccc_admin or ccc_user role.
If a user is assigned the ccc_admin role, no organization value is required.
If a user is assigned the ccc_user role, an organization value must be assigned.
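The role and organization rules above can be checked against the claims in an ID token captured from a test sign-in, once the assignments are complete. The following is an added example, not code from CCC or Microsoft; the function names and the sample token are constructed for illustration, and the claim names are the ones entered in the CCC SSO configuration (roles and ccc_organization). It decodes the payload without verifying the signature, so it is suitable only for inspecting configuration, not for authenticating anyone.

```python
import base64
import json

ROLE_CLAIM = "roles"            # Role Claim Name entered in CCC
ORG_CLAIM = "ccc_organization"  # Organization Claim Name entered in CCC
CCC_ROLES = {"ccc_admin", "ccc_user"}


def jwt_payload(token):
    """Decode the payload segment of a JWT for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def check_claims(claims):
    """Return a list of problems; an empty list means the claims fit the mapping."""
    problems = []
    roles = claims.get(ROLE_CLAIM) or []
    if isinstance(roles, str):  # tolerate a single string instead of an array
        roles = [roles]
    assigned = CCC_ROLES.intersection(roles)
    if not assigned:
        problems.append("no ccc_admin or ccc_user value in the roles claim")
    org = claims.get(ORG_CLAIM)
    has_org = isinstance(org, str) and org.strip() != ""
    if "ccc_user" in assigned and not has_org:
        problems.append("ccc_user without a ccc_organization value")
    return problems


def constructed_token(claims):
    """Build an unsigned, constructed sample token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    token = constructed_token({"roles": ["ccc_user"]})  # constructed sample input
    print(check_claims(jwt_payload(token)))
```

A missing ccc_organization claim for a ccc_user usually means either the extension attribute was never set on the user or the claim was not added under Attributes & claims.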
Assign the organization value to users by using the Microsoft Graph API to set a value for the directory schema extension attribute on the user.
Obtain an access token using the client credentials grant.
curl -X POST https://login.microsoftonline.com/<DirectoryTenantId>/oauth2/v2.0/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=<ApplicationClientId>" \
  -d "scope=https://graph.microsoft.com/.default" \
  -d "client_secret=<ClientSecret>" \
  -d "grant_type=client_credentials"