Microsoft Entra ID (Azure AD) SSO Integration
7/2023
You can connect your Microsoft Entra ID tenant to Oort to enable SSO for your organization. Enable and control your organization members' access to Oort's platform by following this guide to setting up Oort as an app in your Microsoft Entra ID console.
Oort supports two methods of SSO integration with Microsoft Entra ID:
1. OIDC - this method provides a fast and simple App Registration flow for SSO to your Oort tenant. It is useful for preview or test Oort tenants ("Staging" environment) or in scenarios where full RBAC group management and access to the Oort tenant is not required.
2. SAML - a SAML integration with Oort for sign-on provides the ability to enable RBAC groups for full admin, help desk, and read-only roles.
This article provides instructions for both methods. In many cases, an Oort tenant may start with OIDC-based SSO and migrate to SAML SSO to enable RBAC functionality, as mentioned above.
To add the necessary configuration in Microsoft Entra ID you need:
- Microsoft Entra ID - Global Administrator or Service Administrator role https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
- Microsoft Entra ID Subscription - Owner role https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin
- Microsoft Entra ID resource provider enabled. In most existing tenants, this is already done, but if not, please see Appendix: Enable Azure AD resource provider
You will need to create the app registration in your Entra ID tenant, assign the correct permissions, and add an API secret.
1. Go to Microsoft Entra ID → App registrations
2. Click on New registration
3. Fill in the details for the new app
   - Enter an app Name
   - In “Who can use this application or access this API?” select: Accounts in this organizational directory only (<tenant name> – Single tenant)
   - In “Redirect URI”:
     - select Platform: Web
     - Enter the redirect URI:
       - For Oort staging tenants: https://login.stage.oort.io/login/callback
       - For Oort production tenants: https://login.oort.io/login/callback
     - Note - If you are unsure whether your Oort tenant is located in staging or production, please contact Oort Support or Customer Success.
4. Click on Register
5. Copy and save the Application ID. You will later send it to Oort’s support team.
Add API Permissions
1. Go to API Permissions under your newly created Oort Integration app
2. Click on Add a permission
3. Click on Microsoft Graph
4. Click on Application Permissions
5. Search for “Directory.Read.All”
6. Check the box next to Directory.Read.All
7. Search for “User.Read.All”
8. Check the box next to “User.Read.All”
9. Once both are added to the list, click Add Permissions
10. Click on Grant admin consent for <tenant name>
11. Click Yes to accept admin consent.
Create API secret
1. Go to Certificates & Secrets under your Oort Integration app
2. Click on New client secret
3. Fill in the details for the secret and click Add
4. Save the Secret Value
   - Click the copy icon to copy and save it somewhere
   - Important: Once you leave this page you WILL NOT be able to get the secret value again and will have to delete it and create a new one.
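The three portal procedures above (app registration, API permissions with admin consent, and client secret) can also be scripted against the Microsoft Graph REST API, which is useful when the same registration has to be reproduced in several tenants or reviewed later. The following is an added example and not Oort's own code: the Oort redirect URIs are the ones given in this guide, the Microsoft Graph resource id and the two application permission ids are the well-known values for those permissions, and the bearer token passed to `register_oort_app` is assumed to come from an administrative account that can create applications and app role assignments.

```python
"""Scripted equivalent of the app registration, API permission and client secret
steps above, using the Microsoft Graph REST API (added example, not Oort's code)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known appId of the Microsoft Graph resource; identical in every tenant.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Ids of the two Microsoft Graph application (app-only) permissions the guide asks for.
APP_ROLE_IDS = {
    "Directory.Read.All": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
    "User.Read.All": "df021288-bdef-4463-88db-98f22de89214",
}
# Redirect URIs from the guide, keyed by Oort environment.
REDIRECT_URIS = {
    "staging": "https://login.stage.oort.io/login/callback",
    "production": "https://login.oort.io/login/callback",
}


def build_app_registration(name: str, environment: str) -> dict:
    """Body for POST /applications, mirroring the 'New registration' form."""
    if environment not in REDIRECT_URIS:
        raise ValueError(f"unknown Oort environment {environment!r}, expected one of {sorted(REDIRECT_URIS)}")
    return {
        "displayName": name,
        # "Accounts in this organizational directory only" (single tenant)
        "signInAudience": "AzureADMyOrg",
        "web": {"redirectUris": [REDIRECT_URIS[environment]]},
        "requiredResourceAccess": [{
            "resourceAppId": MS_GRAPH_APP_ID,
            # type "Role" is an application permission; "Scope" would be a delegated one
            "resourceAccess": [{"id": rid, "type": "Role"} for rid in APP_ROLE_IDS.values()],
        }],
    }


def build_secret_request(display_name: str, lifetime_days: int = 180) -> dict:
    """Body for POST /applications/{id}/addPassword. Keep the lifetime short and
    rotate; the secretText in the response is shown exactly once, as in the portal."""
    if not 1 <= lifetime_days <= 730:
        raise ValueError("client secret lifetime must be between 1 and 730 days")
    end = datetime.now(timezone.utc) + timedelta(days=lifetime_days)
    return {"passwordCredential": {"displayName": display_name,
                                   "endDateTime": end.strftime("%Y-%m-%dT%H:%M:%SZ")}}


def build_admin_consent(app_sp_id: str, graph_sp_id: str) -> list:
    """Bodies for POST /servicePrincipals/{graph_sp_id}/appRoleAssignedTo. One app role
    assignment per permission is what 'Grant admin consent' records for app-only permissions."""
    return [{"principalId": app_sp_id, "resourceId": graph_sp_id, "appRoleId": rid}
            for rid in APP_ROLE_IDS.values()]


def graph(token: str, method: str, path: str, body: Optional[dict] = None) -> dict:
    """Minimal Graph call. The token (assumed, obtained out of band) needs rights such as
    Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def register_oort_app(token: str, name: str, environment: str) -> dict:
    """Run all steps and return the values Oort support asks for; treat the secret as a secret."""
    app = graph(token, "POST", "/applications", build_app_registration(name, environment))
    secret = graph(token, "POST", f"/applications/{app['id']}/addPassword",
                   build_secret_request(f"{name} client secret"))
    # The enterprise application (service principal) must exist before consent can be recorded.
    app_sp = graph(token, "POST", "/servicePrincipals", {"appId": app["appId"]})
    flt = urllib.parse.quote(f"appId eq '{MS_GRAPH_APP_ID}'")
    graph_sp = graph(token, "GET", f"/servicePrincipals?$filter={flt}")["value"][0]
    for body in build_admin_consent(app_sp["id"], graph_sp["id"]):
        graph(token, "POST", f"/servicePrincipals/{graph_sp['id']}/appRoleAssignedTo", body)
    return {"client_id": app["appId"], "client_secret": secret["secretText"],
            "redirect_uri": REDIRECT_URIS[environment]}
```

The builder functions are pure, so the request bodies can be reviewed (or diffed against an existing registration read back from `GET /applications/{id}`) before anything is created; `register_oort_app` only chains them. Whichever way the registration is created, the client secret should go straight into the secure channel the Oort team sets up and never into a ticket or chat.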
As part of this process, the Oort Customer Success or Support team will guide you in securely transmitting the App Registration data below so that the configuration can be finished on the Oort authentication platform.
- Client ID
- API Secret
- Azure tenant external FQDN or primary domain (e.g. company.com or company.onmicrosoft.com)
Oort strongly recommends you make the Azure SSO app visible to your Oort users, so that they have quick access to the Oort console from their Azure My Apps page.
1. Navigate to Enterprise Applications
2. Find Oort's SSO app in the list and click it.
3. In the app’s page, click Properties in the menu
4. Select Yes for Assignment required and for Visible to users
5. Click Save
This method uses SAML, which enables the identity provider (Microsoft Entra ID) to pass group information that is used in the Role-based Access Control (RBAC) and Reviewing Access Logs configuration for your tenant.
1. Within the Microsoft Entra ID Enterprise Apps blade, click Create your own application and provide a name as shown. Then click Create at the bottom of the slide-out.
2. From this page, click Set up single sign on
3. Click SAML
4. Click the Edit button for the Basic SAML Configuration section
5. At this point, the values entered differ depending on whether your tenant is in the Oort Staging or Production environment. Please discuss with your Oort representative to ensure the right configuration.
   - Production Identifier (Entity ID): urn:auth0:oort:<companyname>-saml
   - Production Reply URL: https://login.oort.io/login/callback
   - Staging Identifier (Entity ID): urn:auth0:oort-staging:<companyname>-saml
   - Staging Reply URL: https://login.stage.oort.io/login/callback
6. Save the config.
7. Click Edit for section 2 - Attributes & Claims
8. Click Add new claim
9. Configure the claim as shown below:
   - Name: groups
   - Namespace: http://oort.io
   - In the Claim conditions section, add a row for each of the three RBAC groups that you've created for Oort roles in your Microsoft Entra ID tenant. If you haven't created them yet, do that now and populate them with the appropriate users. For each row:
     - User type: Any
     - Scoped group: Select one group per row
     - Source: Transformation
     - Transformation: IfNotEmpty()
     - Attribute name (Input): user.userprincipalname
     - Attribute name (Output): <name of the group specified for this condition, case sensitive>
10. Press Enter and then save this configuration after adding a row for all three groups.
11. In section 3, download the Base64 Certificate
12. In section 4, copy the Login URL value.
13. Provide both the downloaded certificate and the URL to your Oort representative.
- 14.
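The claim configuration in step 9 decides what Oort actually receives: with `IfNotEmpty()` scoped to a group, each row emits the group's name (exactly as typed in the Output field) for users who are members, and the output is only useful if those names match the groups Oort maps to its roles. When a user ends up with the wrong role, the quickest check is to look at the assertion itself, for example one captured from the browser's SAML trace during a test sign-in. The script below is an added example, not part of this guide or of Oort's or Auth0's code; the sample SAML Response, the company name `examplecorp`, and the three group names `Oort-Admins`, `Oort-HelpDesk` and `Oort-ReadOnly` are constructed for illustration, and it assumes that Entra emits a claim with Name `groups` and Namespace `http://oort.io` under the full attribute name `http://oort.io/groups`.

```python
"""Decode a SAML Response and audit the groups claim the Entra configuration above
emits (added example; the sample assertion and group names are constructed)."""
import base64
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: with Name=groups and Namespace=http://oort.io, Entra joins them with "/".
GROUPS_CLAIM = "http://oort.io/groups"
# Hypothetical names of the three RBAC groups created in Entra for the Oort roles.
OORT_ROLE_GROUPS = {"Oort-Admins", "Oort-HelpDesk", "Oort-ReadOnly"}


def expected_entity_id(environment: str, company: str) -> str:
    """Identifier (Entity ID) from step 5 of the SAML setup, per Oort environment."""
    prefix = {"production": "urn:auth0:oort", "staging": "urn:auth0:oort-staging"}[environment]
    return f"{prefix}:{company}-saml"


def audit_saml_response(response_b64: str, environment: str, company: str) -> dict:
    """Return what Oort would receive from this assertion plus two configuration checks.
    The XML signature is NOT verified here: the receiving side validates it with the
    certificate downloaded in section 3. This only inspects an assertion you already trust."""
    root = ET.fromstring(base64.b64decode(response_b64))
    assertion = root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        raise ValueError("no <Assertion> element in SAML response")
    subject = assertion.findtext(".//saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", SAML_NS)]
    groups = []
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text)
    return {
        "subject": subject,
        "groups": groups,
        # Values Oort has no role mapping for; a case mismatch in the Output field shows up here.
        "unmapped_groups": sorted(set(groups) - OORT_ROLE_GROUPS),
        # Audience must equal the Identifier (Entity ID) configured for this environment.
        "audience_ok": expected_entity_id(environment, company) in audiences,
    }


# Constructed sample: one user who is in the admin group and in a group whose name
# was typed with the wrong case in the claim condition ("Oort-Readonly").
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@examplecorp.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:auth0:oort:examplecorp-saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://oort.io/groups">
        <saml:AttributeValue>Oort-Admins</saml:AttributeValue>
        <saml:AttributeValue>Oort-Readonly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    print(json.dumps(audit_saml_response(SAMPLE_RESPONSE_B64, "production", "examplecorp"), indent=2))
```

Running the module on the sample reports `Oort-Readonly` as unmapped, which is the symptom of a claim-condition Output value that does not match the group name Oort was given; running the same assertion with `environment="staging"` reports `audience_ok: false`, the symptom of the Staging and Production Entity IDs being swapped in step 5.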
Appendix: Enable Azure AD resource provider
Register the Azure AD resource provider in your subscription.
1. Go to Home → Subscriptions
2. Click your subscription (the relevant subscription)
3. Click Resource Providers in the menu
4. Search for Microsoft.AzureActiveDirectory and select it.
5. If the Status says NotRegistered, click the Register button to register the Microsoft AzureAD resource provider.