Microsoft Entra OIDC

If your organization uses Microsoft Entra for user authentication, you can configure IQNECT to allow login using Identity Provider (IdP) credentials. IQNECT supports integration with the OpenID Connect (OIDC) protocol and the SAML 2.0 protocol. Both implementations are functionally equivalent when used with IQNECT. The following instructions describe how to configure IQNECT to use the OIDC protocol with Microsoft Entra as the identity provider (IdP).


Overview

To set up OIDC in Entra, you need to follow these steps. Additional detail is provided below.

  1. Create an Enterprise Application
  2. Complete Basic OIDC Configuration
  3. Complete Attributes and Claims
  4. Assign Users or Groups
  5. Send OIDC Configuration to IQNOX

Required Entra Permissions

You must have at least Cloud Application Administrator privileges in your Microsoft tenant in order to create the Enterprise Application as documented here. You may need to work with your organization's enterprise IT administrator to complete this configuration.

Distinct Environments May Require Distinct Applications

If you have licensed distinct environments for IQNECT and you wish to grant access to each environment independently, you must create a distinct enterprise application for each environment.


Step 1: Create a Microsoft Entra ID Enterprise application

To create a Microsoft Entra ID Enterprise application, follow the steps in Azure's documentation.

  1. In the Microsoft Entra ID portal, add a new Enterprise application.
  2. IQNECT is not listed in the Microsoft Entra ID Gallery, so select Create your own application.
  3. Name the application. The name should be unique within your tenant and must align with your environment configuration. If you have only one environment, use https://api.iqnect.ai; if you have more than one environment, append the name of the environment to the end, like this: https://api.iqnect.ai/prod.
  4. Select Register an application to integrate with Microsoft Entra ID (the App you're developing).
  5. Under Supported account types, select Accounts in this organizational directory only (Default Directory Only - Single tenant).
  6. Under Redirect URI, select Web and enter https://api.iqnect.ai/sso/callback/oidc as the URI. This is the path to which Microsoft Entra ID redirects users after they complete authentication.

Step 2: Configure secrets

  1. In the settings for the enterprise application, select the Single Sign-On menu. Select the App registrations experience.
  2. Select the Certificates & secrets menu. Add a new client secret and set an expiration period. You must update your IQNECT deployment whenever the secret expires, so set the expiration to the maximum allowable period of 24 months.
  3. Save this secret for use in a later step.

Step 3: Configure claims

  1. In the Azure app registration experience, select the Token configuration menu.
  2. Select Add optional claim for the ID token. Configure mappings for the attributes required in the Introduction. The following claims should be mapped: displayName, email, and identifier.
  3. When you save the claims, turn on the Microsoft Graph email and profile permissions.

Step 4: Assign Users or Groups to IQNECT

Step 5: Send OIDC Information to IQNOX

  1. In the Azure app registration experience, select the Overview menu and select Endpoints.
  2. The following information needs to reach IQNOX so that SSO for your tenant can be configured:
    • Application credentials
      • Application (client) ID
      • Application (client) secret
    • URLs:
      • OAuth 2.0 authorization endpoint (v2)
      • OAuth 2.0 token endpoint (v2)
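Before handing these values over, it is worth checking them the way a reviewer would. The script below is an added example, not part of these instructions or of IQNECT's own tooling: it validates the client ID and v2 endpoints from Step 5, warns when the Step 2 client secret is near expiry, and checks that a signature-verified ID token carries the Step 3 claims. The tenant and client IDs in it are constructed placeholders, and the endpoint and issuer shapes are the standard login.microsoftonline.com v2.0 forms.

```python
import re
from datetime import datetime

REDIRECT_URI = "https://api.iqnect.ai/sso/callback/oidc"  # Step 1
REQUIRED_CLAIMS = ("displayName", "email", "identifier")  # Step 3
LOGIN = "https://login.microsoftonline.com"
V2_PATHS = {"authorization_endpoint": "authorize", "token_endpoint": "token"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

def check_handoff_config(cfg: dict) -> list[str]:
    """Problems with the client ID and endpoint set collected in Step 5."""
    problems = []
    tenant, client_id = cfg.get("tenant_id", ""), cfg.get("client_id", "")
    for name, value in (("tenant_id", tenant), ("client_id", client_id)):
        if not GUID_RE.match(value):
            problems.append(f"{name} is not a GUID: {value!r}")
    for key, path in V2_PATHS.items():  # both must be v2 endpoints of this tenant
        expected = f"{LOGIN}/{tenant}/oauth2/v2.0/{path}"
        if cfg.get(key) != expected:
            problems.append(f"{key} should be {expected}")
    if cfg.get("redirect_uri") != REDIRECT_URI:
        problems.append(f"redirect_uri must be exactly {REDIRECT_URI}")
    return problems

def check_secret_expiry(expires_on: str, today: str, warn_days: int = 30) -> list[str]:
    """Flag a Step 2 client secret that is expired or close to it (ISO dates)."""
    remaining = (datetime.fromisoformat(expires_on) - datetime.fromisoformat(today)).days
    if remaining <= 0:
        return ["client secret has expired; IQNECT logins will fail"]
    if remaining < warn_days:
        return [f"client secret expires in {remaining} days; rotate and resend"]
    return []

def check_id_token_claims(claims: dict, client_id: str, tenant_id: str) -> list[str]:
    """Check a signature-verified ID token payload carries what Step 3 maps."""
    problems = []
    if claims.get("aud") != client_id:
        problems.append("aud does not match the application (client) ID")
    if claims.get("iss") != f"{LOGIN}/{tenant_id}/v2.0":
        problems.append("iss is not the v2 issuer of this tenant")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"claim {name!r} missing; add it as an optional claim")
    return problems

# Constructed sample (placeholder IDs, not real): token endpoint left on v1.0 by mistake.
TENANT, CLIENT = "11111111-2222-3333-4444-555555555555", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_CONFIG = {"tenant_id": TENANT, "client_id": CLIENT, "redirect_uri": REDIRECT_URI,
                 "authorization_endpoint": f"{LOGIN}/{TENANT}/oauth2/v2.0/authorize",
                 "token_endpoint": f"{LOGIN}/{TENANT}/oauth2/v1.0/token"}
```

Run `check_handoff_config(SAMPLE_CONFIG)` to see the mismatched token endpoint reported; an empty list from all three checks means the values are consistent with the steps above.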