Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Identity broker

Microsoft Entra ID external IDP

search
printsuggest an editpdf paneldownload

Microsoft Entra ID external IDP

The Microsoft social connection lets users log in to your application using their Microsoft profile.

copy link to clipboardPrerequisites

Before you begin:

copy link to clipboardRegister an application at Microsoft

Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: your app trusts the Microsoft identity platform, and not the other way around. After you create the application, you cannot move the application object between different tenants.

Follow these steps for app registration:

  1. Sign in to the Microsoft Entra admin center using your Azure account, which must be at least a Cloud Application Administrator.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.

  3. Browse to Identity > Applications > App registrations and select New registration.

  4. Enter a display name for your application.

  5. Specify who can use the application, sometimes called its sign-in audience.

  6. Add a redirect URI.

A redirect URI is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication.

1. Select a **Platform: Web**.

1. Add your **URI value**, which looks like `https://<tenant-domain>/broker/authentication/callback`.
  1. Select Register to complete the initial app registration.

copy link to clipboardGet a client ID and client secret

When registration finishes, the Microsoft admin center displays the app registration's Overview pane. You see the Application (client) ID. Also called the client ID, this value uniquely identifies your application in the Microsoft identity platform.

Generate a client secret:

  1. Under the Manage menu, go to Certificates & Secrets.

  2. Click New client secret.

  3. Add a description for your client secret.

  4. Select an expiration date for the secret or specify a custom lifetime.

    The client secret lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.

    Microsoft recommends that you set an expiration value of less than 12 months.

  5. Select Add.

  6. Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.

copy link to clipboardGet the OpenID Connect metadata document

  1. Go to Overview - Endpoints and scroll to get to OpenID Connect metadata document.

  2. Copy the configuration's link.

More information about enrollment process you can find here.

copy link to clipboardConfigure Microsoft Entra ID in the identity broker

  1. Click Add identity provider and select OpenID Connect.

  2. Typically, you provide the following information:

    • Display name: Microsoft (for example)
    • Active: Select the check box
    • Client ID: The client ID
    • Authentication method: Client secret post
    • Client secret: The [client secret] (#get-a-client-id-and-client-secret)
    • Well-known configuration endpoint: OpenID Connect metadata document link that you copied
      • This fills the Authorization endpoint, Token endpoint, Issuer, User information endpoint, and JWKs URI.
    • Signature type: Asymmetric
    • Encrypted JWT: Do not select the check box.
    • Single logout: Do not select the check box.

copy link to clipboardVariant

You always need at least one variant. For Microsoft Entra ID, you just need to configure a variant name, such as Authentication. For scopes, Thales recommends openid, and profile, but you can add more scopes.

On this page

  • Configure Microsoft Entra ID in the identity broker