Microsoft Entra ID (Azure AD) SSO Integration
01/22/2025
Overview
You can connect your Microsoft Entra ID tenant to Cisco Identity Intelligence (CII) to enable SSO for your organization. Follow this guide to set up CII as an app in your Microsoft Entra ID console so you can enable and control your organization members' access to the CII platform.
Types of SSO Integrations Available
CII supports two methods of SSO integration with Microsoft Entra ID:
OIDC - this method provides a fast and simple App Registration flow for SSO to your CII tenant. Note that full RBAC group management within the CII tenant is not supported with Entra ID OIDC.
SAML - a SAML integration with CII for sign-on provides the ability to enable RBAC groups for full admin, help desk, and read-only roles. NOTE - the current cross-tenant integration with Duo Security and CII does NOT support the in-product provisioning of SAML authentication for your CII tenant. Use the OIDC SSO Method or contact your Duo / CII representative to discuss setting up SAML authentication with Microsoft.
This article provides instructions for both methods. In many cases, a CII tenant starts with OIDC-based SSO and later migrates to SAML SSO to enable RBAC functionality, as mentioned above.
Prerequisites
To add the necessary configuration in Microsoft Entra ID you need:
Microsoft Entra ID - Global Administrator or Service Administrator role https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
Microsoft Entra ID Subscription - Owner role https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin
Microsoft Entra ID resource provider enabled. In most existing tenants this is already done; if not, see Appendix: Enable Microsoft Entra ID resource provider
OIDC SSO Method
Set up and configure Oort App Registration in Microsoft Entra ID
You will need to create the app registration in your Entra ID tenant, assign the correct permissions, and add an API secret.
Add an app in your Microsoft Entra ID tenant
Go to Microsoft Entra ID → App registrations
Click on New registration
Fill in the details for the new app
Enter an app Name
In “Who can use this application or access this API?” Select: Accounts in this organizational directory only (<tenant name> – Single tenant)
In “Redirect URI”:
select Platform: Web
Enter the redirect URI for the region where your CII tenant is deployed:
US production tenants: https://login.oort.io/login/callback
EU production tenants: https://login.eu.oort.io/login/callback
AU production tenants: https://login.au.oort.io/login/callback
JP production tenants: https://login.jp.oort.io/login/callback
UK production tenants: https://login.uk.oort.io/login/callback
Canada production tenants: https://login.ca.oort.io/login/callback
Singapore production tenants: https://login.sg.oort.io/login/callback
Click on Register
Copy the Application (client) ID and save it for later use.
From the Entra ID overview page, copy the Tenant ID. The Entra ID OIDC discovery URL takes the form https://login.microsoftonline.com/TENANT/v2.0/.well-known/openid-configuration, where TENANT is your Tenant ID.
Add API Permissions
Go to API Permissions under your newly created Oort Integration app
Click on Add a permission
Click on Microsoft Graph
Click on Application Permissions
Search for “Directory.Read.All”
Check the box next to Directory.Read.All
Search for “User.Read.All”
Check the box next to “User.Read.All”
Once added to the list, click Add Permissions
Click on Grant admin consent for <tenant name>
Click Yes to accept admin consent.
Create API secret
Go to Certificates & Secrets under your Oort Integration app
Click on New client secret
Fill in the details for the secret and click Add. Choose an expiry that matches your secret-rotation schedule: this secret authenticates tenant-wide directory reads under the permissions granted above, so treat it as a privileged credential.
Save the Secret Value: click the copy icon and store the value in your secrets manager.
Important: Once you leave this page you WILL NOT be able to read the secret value again; you will have to delete it and create a new one.
Enter SSO App Information in the Duo Admin Panel
If using Duo Security to provision your tenant from the Duo admin panel, continue the configuration in that console using the app ID, tenant ID, and app secret according to https://duo.com/docs/identity-security#provision-your-cisco-identity-intelligence-tenant.
IMPORTANT: Provision the Entra App to Users
We strongly recommend two settings on the Enterprise Application object that Entra ID created alongside the new app registration:
Set Assignment required to Yes (the default is No, which lets any user in the tenant authenticate to the app).
Set Visible to users to Yes, so that assigned users have quick access to the CII console from their Entra ID My Apps page.
Instructions
Navigate to Enterprise Applications
Find the CII SSO app in the list and click it.
In the app’s page, click Properties in the Menu
Select Yes for Assignment required and for Visible to users
Click Save
Navigate to the Users and Groups tab of the enterprise app. Assign the appropriate individual users and/or groups that should have access. (Group usage is recommended)
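The whole OIDC procedure above (app registration, Graph application permissions with admin consent, client secret, and the Assignment required / Visible to users settings with a group assignment) can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example and not part of the CII documentation or Cisco tooling; it assumes the US redirect URI, an app name, a six-month secret lifetime and an existing Entra group named CII-SSO-Users, and it needs an account holding the roles listed under Prerequisites.

```powershell
# Added example (not from the CII documentation): create the CII OIDC app registration,
# consent the two Graph application permissions, mint a client secret and restrict the
# enterprise app to an assigned group. Requires the Microsoft.Graph module.
$RedirectUri = 'https://login.oort.io/login/callback'   # US region; use the URI for your region
$AppName     = 'Cisco Identity Intelligence SSO'         # assumed name
$AccessGroup = 'CII-SSO-Users'                           # assumed Entra group allowed to sign in

Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All','Group.Read.All'

# Well-known Microsoft Graph resource appId and the IDs of the two application permissions
$GraphAppId       = '00000003-0000-0000-c000-000000000000'
$DirectoryReadAll = '7ab1d382-f21e-4acd-a863-ba3e13f7da61'   # Directory.Read.All (Role)
$UserReadAll      = 'df021288-bdef-4463-88db-98f22de89214'   # User.Read.All (Role)

# 1. Single-tenant app registration with a Web platform redirect URI
$app = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @($RedirectUri) } `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $GraphAppId
        ResourceAccess = @(
            @{ Id = $DirectoryReadAll; Type = 'Role' },
            @{ Id = $UserReadAll;      Type = 'Role' }
        )
    })

# 2. Service principal = the Enterprise Application object for the registration
$sp      = New-MgServicePrincipal -AppId $app.AppId
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

# 3. Admin consent for application permissions is an app-role assignment to the Graph SP
foreach ($roleId in @($DirectoryReadAll, $UserReadAll)) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $roleId | Out-Null
}

# 4. Client secret: it grants tenant-wide directory reads, so keep the lifetime short and
#    store SecretText in a secrets manager now; Graph never returns it again.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'CII integration'
    EndDateTime = (Get-Date).AddMonths(6)
}

# 5. Enterprise app: require assignment (off by default) and keep it visible in My Apps.
#    Visibility is the absence of the 'HideApp' tag on the service principal.
$visibleTags = @($sp.Tags | Where-Object { $_ -ne 'HideApp' })
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true -Tags $visibleTags

# 6. Assign the access group through the default app role (the all-zero GUID)
$group = Get-MgGroup -Filter "displayName eq '$AccessGroup'"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $group.Id `
    -ResourceId $sp.Id -AppRoleId '00000000-0000-0000-0000-000000000000' | Out-Null

# 7. Verify exactly the two consented Graph permissions exist before handing values to Duo
$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id })
if ($granted.Count -ne 2) { throw "Expected 2 consented Graph permissions, found $($granted.Count)" }

$tenantId = (Get-MgContext).TenantId
[pscustomobject]@{
    ApplicationId = $app.AppId
    TenantId      = $tenantId
    DiscoveryUrl  = "https://login.microsoftonline.com/$tenantId/v2.0/.well-known/openid-configuration"
    SecretExpires = $secret.EndDateTime
    ClientSecret  = $secret.SecretText   # shown once; copy it into the Duo Admin Panel
}
```

The three values in the final object (Application ID, Tenant ID and client secret) are the ones the Duo Admin Panel asks for. Step 7 is the check worth keeping in any automation: a registration whose permissions were added but never consented will fail silently at sync time rather than at setup.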
SAML SSO Method
This method uses SAML, which enables the provider (Microsoft Entra ID) to pass group information that will be used in the Role-based Access (RBAC) and Tenant Access Logs configuration for your tenant.
NOTE FOR DUO CUSTOMERS - the current cross-tenant integration with Duo Security and CII does NOT support the in-product provisioning of SAML authentication for your CII tenant. Use the OIDC SSO Method or contact your Duo / CII representative to discuss setting up SAML authentication with Microsoft.
Create a New SAML SSO App
Within the Microsoft Entra ID Enterprise Apps blade, click Create your own application and provide a name as shown. Then click Create at the bottom of the slide-out.
From this page, click Set up single sign on
Click SAML
Click the Edit button for the Basic SAML Configuration section
The values entered here depend on the region where your CII tenant is deployed (US, EU, AU, CA, UK, SG or JP). Confirm the exact Identifier (Entity ID) and Reply URL with your Cisco technical representative before saving; the UK, CA and SG Entity IDs listed here carry the oort-jp prefix, so check those values in particular.
US Identifier (Entity ID): urn:auth0:oort:<companyname>-saml
US Reply URL: https://login.oort.io/login/callback
EU Identifier (Entity ID): urn:auth0:oort-eu:<companyname>-saml
EU Reply URL: https://login.eu.oort.io/login/callback
AU Identifier (Entity ID): urn:auth0:oort-au:<companyname>-saml
AU Reply URL: https://login.au.oort.io/login/callback
JP Identifier (Entity ID): urn:auth0:oort-jp:<companyname>-saml
JP Reply URL: https://login.jp.oort.io/login/callback
UK Identifier (Entity ID): urn:auth0:oort-jp:<companyname>-saml
UK Reply URL: https://login.uk.oort.io/login/callback
CA Identifier (Entity ID): urn:auth0:oort-jp:<companyname>-saml
CA Reply URL: https://login.ca.oort.io/login/callback
SG Identifier (Entity ID): urn:auth0:oort-jp:<companyname>-saml
SG Reply URL: https://login.sg.oort.io/login/callback
Save the config.
Click Edit for section 2 - Attributes & Claims
Click Add new claim
Configure the claim as follows:
Name: groups
Namespace: http://oort.io
In the Claim conditions section, add one row for each of the three RBAC groups you created for the CII roles in your Microsoft Entra ID tenant. If you haven't created them yet, do that now and populate them with the appropriate users; keep each user in only one of the three groups so that exactly one condition matches.
User type: Any
Scoped group: select one group for each row
Source: Transformation
Transformation: IfNotEmpty()
Attribute name (Input): user.userprincipalname
Attribute name (Output): <name of the group selected for this row, case sensitive>
Entra ID emits the result as a SAML attribute named http://oort.io/groups (namespace and name joined with a slash) whose value is the group name entered as the output.
Click Save after adding a row for all three groups.
In section 3, Download the Base64 Certificate
Provide both the downloaded certificate and the Login URL shown in section 4 (Set up <app name>) to your Oort representative.
Then restrict the app to assigned users and make it visible, as described in the section IMPORTANT: Provision the Entra App to Users above.
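Before handing the certificate over, it is worth confirming that the claim configured above actually arrives as intended. Use the Test button on the SAML SSO page (or a SAML tracer), base64-decode the response, and pass the assertion XML to the function below. This is an added example, not CII or Cisco code; the assertion shape follows from the claim configuration, and the role group names CII-Admins, CII-HelpDesk and CII-ReadOnly are assumptions. The constructed sample at the end stands in for a captured assertion.

```powershell
# Added example (not from the CII documentation): extract the http://oort.io/groups claim
# from a SAML assertion and map it to a CII role, flagging users with zero or several roles.
$RoleGroups = @{          # group name used in the claim condition -> CII role (assumed names)
    'CII-Admins'   = 'full admin'
    'CII-HelpDesk' = 'help desk'
    'CII-ReadOnly' = 'read-only'
}

function Get-CiiRoleFromAssertion {
    param([Parameter(Mandatory)][string]$AssertionXml)

    $xml = [xml]$AssertionXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')

    # Namespace and name from the claim dialog are joined with '/' in the Attribute Name
    $nodes  = $xml.SelectNodes("//saml:Attribute[@Name='http://oort.io/groups']/saml:AttributeValue", $ns)
    $values = @($nodes | ForEach-Object { $_.InnerText.Trim() })
    $nameId = $xml.SelectSingleNode('//saml:Subject/saml:NameID', $ns).InnerText

    # Group names are case sensitive, so the hashtable lookup is exact
    $roles = @($values | Where-Object { $RoleGroups.ContainsKey($_) } | ForEach-Object { $RoleGroups[$_] })
    if ($roles.Count -eq 0) {
        throw "$nameId: no http://oort.io/groups value matched a CII role group (got: $($values -join ', '))"
    }
    if ($roles.Count -gt 1) {
        throw "$nameId: matched several role groups ($($roles -join ', ')); keep each user in exactly one"
    }
    [pscustomobject]@{ User = $nameId; Role = $roles[0] }
}

# Constructed assertion fragment for illustration; Signature and Conditions elements omitted
$sample = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://oort.io/groups">
      <saml:AttributeValue>CII-HelpDesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

Get-CiiRoleFromAssertion -AssertionXml $sample
```

If the function throws on a real capture, the usual causes are a typo or case mismatch between the Scoped group and the Output value, or a user who sits in more than one of the role groups.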
Appendix: Enable Microsoft Entra ID resource provider
Enable the Microsoft.AzureActiveDirectory resource provider under your subscription.
Go to Home → Subscriptions
Click your subscription (the relevant subscription)
Click Resource Providers in the menu
Search for Microsoft.AzureActiveDirectory and select it.
If the Status says NotRegistered, click the Register button to register the Microsoft.AzureActiveDirectory resource provider.
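The same appendix steps with the Az PowerShell module, as an added example that is not part of the CII documentation. It assumes the Az.Resources module, a subscription named Production, and an account with Owner (or Contributor) on that subscription; registration is asynchronous, so the loop waits for the state to settle.

```powershell
# Added example (not from the CII documentation): check and, if needed, register the
# Microsoft.AzureActiveDirectory resource provider on the target subscription.
Connect-AzAccount
Set-AzContext -Subscription 'Production'          # assumed subscription name

$ns = 'Microsoft.AzureActiveDirectory'
# Get-AzResourceProvider returns one row per resource type; collapse them to one state
$state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -Unique

if ($state -ne 'Registered') {
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    do {
        Start-Sleep -Seconds 10
        $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -Unique
    } while ($state -eq 'Registering')
}

if ($state -ne 'Registered') { throw "$ns is in state '$state'; check your role on the subscription" }
"$ns is Registered"
```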