Add Identity Provider

When setting up applications in Microsoft Entra ID, approval may be required due to operator-specific IT guidelines.

Prerequisite

Identity Provider Manager role

Procedure

  1. Open the Access management > Identity provider menu.
  2. In the list of identity providers, add a new identity provider with the add icon.

    The Add Identity Provider dialog appears with the Add or Import step.

    The following figures show the respective sub-areas of the dialog window.

    [Figure: Add Identity Provider dialog, section 1]

    The Alias is defined when the identity provider is created and can then no longer be changed.

    The Redirect URL is generated by the identity provider and cannot be changed.

  3. In the Name text field, enter the display name for the identity provider.

    The display name is displayed on the login page.

  4. In the Display Order field, enter the position at which the identity provider is to be displayed on the login page.

    The smaller the number, the higher the identity provider is displayed in the list on the login page (1 = position 1).

    [Figure: Add Identity Provider dialog, section 2]

  5. If a well-known endpoint is known for the application, activate the Use Discovery Endpoint function with the toggle to import the required information.

    If a Discovery Endpoint is used, the following fields are filled out automatically.

  6. In the Authorization URL field, enter the URL to be used for identifying the organization and the user.

    The Authorization URL is provided by the identity provider. Upon login to Nexeed IAS, it forwards the user to the identity provider for authentication and authorization. The Authorization URL confirms the identity of the user and grants the necessary permissions to access Nexeed IAS.

  7. In the Token URL field, enter the URL for token-based authentication.

    The Token URL is provided by the identity provider. It connects the identity provider to Nexeed IAS and enables the transfer of authentication and authorization data in the form of access tokens. When a user logs in, Nexeed IAS sends a request to the identity provider to obtain an access token.

  8. In the Logout URL field, enter the URL to log out of the identity provider and Nexeed IAS.

    The Logout URL is provided by the identity provider. It forwards the user to the identity provider when logging out of Nexeed IAS. The identity provider performs the logout process and deletes the user's authentication information.

  9. In the User Info URL field, enter a URL that provides additional user information.

    The User Info URL is provided by the identity provider. It is used to retrieve additional information about the user (e.g. name and email address).

  10. In the Publisher field, enter a URL that identifies the identity provider.

    The URL of the Publisher is provided by the identity provider. This URL uniquely identifies the identity provider as the publisher of the access token and validates it during the login process. This ensures that the access token originates from the identity provider.

  11. Use the toggle to enable or disable validation of the signatures.

    The Validate Signatures function validates the signature of the access token from the identity provider. This ensures that the token has not been manipulated and that it comes from a trusted publisher.

  12. Use the toggle to set whether a JWKS URL is to be used.

    The Use JWKS URL function stores the public keys used to validate JSON Web Tokens. The JWKS URL points to a JSON document (a JSON Web Key Set) containing those public keys. The public key is retrieved from the JWKS URL and used to validate the access token.

  13. If the JWKS URL function is activated, enter the URL in the JWKS URL field.
  14. Use the toggle to set whether the Use PKCE function is to be used.

    The PKCE function (Proof Key for Code Exchange) is an extension of the OAuth 2.0 authorization protocol. It ensures that an authorization code can only be redeemed by Nexeed IAS, the client that requested it.

    [Figure: Add Identity Provider dialog, section 3]

  15. Select the authentication type from the Client Authentication drop-down list:
  16. Enter Client ID.

    The Client ID is provided by the identity provider. The Client ID identifies the client. After logging in, the client is authorized to access protected resources.

  17. Enter Client Secret.

    The Client Secret is a secret password provided by the identity provider. The Client Secret ensures that only authorized and authenticated applications can access protected resources.

  18. Click Next.

    The Configuration step appears.

    [Figure: Add Identity Provider dialog, section 4]

  19. Use the toggle to select whether a Backchannel Logout is to be used.

    The Backchannel Logout function allows the user to simultaneously log out of all services connected to the identity provider (single logout).

  20. Use the toggle to select whether the Switch Off User Info function is to be used.

    If this function is disabled, additional information about the user (such as name and email address) can be transmitted.

  21. In the Scopes field, enter the OpenID scopes, separated by spaces, for authorization. Default value when creating an identity provider: openid email profile

    Scopes define which information a client (Nexeed IAS) can retrieve from an identity provider. Scopes ensure that only authorized clients with the necessary permissions can access this information.

  22. Enter Transferred Query Parameters.

    This function allows you to forward additional parameters to the identity provider. These parameters can be used to perform authentication or to obtain additional information about the user.

  23. Select the Procedure for First Login from the drop-down list. Default value when creating an identity provider: first broker login autolink

    This function determines the procedure upon first login with the identity provider. The term "First Login" means that no account is associated with the identity.

  24. In the Synchronization Mode drop-down list, specify how the user information is to be synchronized between the identity provider and other systems:
  25. Click Save.

The settings are applied.
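What the Use Discovery Endpoint function in step 5 amounts to is fetching the identity provider's OpenID Provider Metadata document and copying its entries into the Authorization URL, Token URL, Logout URL, User Info URL, Publisher and JWKS URL fields. The following is an added example, not Nexeed IAS code and not part of this page: it maps a discovery document to those dialog fields and applies the two checks worth doing before trusting such a document (the issuer must match the URL the document was fetched from, and every endpoint must be https). The host idp.example.invalid, the realm path and the document contents are constructed sample values.

```python
# Added example (not Nexeed IAS code): mapping an OpenID discovery document to the
# dialog fields of step 5 and checking it first. All URLs below are constructed.
import json
from urllib.parse import urlsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
SAMPLE_ISSUER = "https://idp.example.invalid/realms/demo"  # assumed, not a real tenant
SAMPLE_DISCOVERY_URL = SAMPLE_ISSUER + DISCOVERY_SUFFIX
# Constructed sample document in the OpenID Connect Discovery 1.0 format
SAMPLE_DOCUMENT = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/token",
    "end_session_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/logout",
    "userinfo_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": SAMPLE_ISSUER + "/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "email", "profile"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

# Dialog field -> (metadata key, required). Logout and User Info URLs are optional in the spec.
FIELD_MAP = {
    "Authorization URL": ("authorization_endpoint", True),
    "Token URL": ("token_endpoint", True),
    "Logout URL": ("end_session_endpoint", False),
    "User Info URL": ("userinfo_endpoint", False),
    "Publisher": ("issuer", True),
    "JWKS URL": ("jwks_uri", True),
}


def check_discovery(discovery_url: str, document_text: str) -> list:
    """Return the reasons not to trust the document (an empty list means it passed)."""
    problems = []
    try:
        doc = json.loads(document_text)
    except ValueError:
        return ["document is not valid JSON"]
    # OIDC Discovery: the document lives at <issuer> + DISCOVERY_SUFFIX, so a document
    # claiming a different issuer must not be imported into the Publisher field.
    if not discovery_url.endswith(DISCOVERY_SUFFIX):
        problems.append("discovery URL does not end with " + DISCOVERY_SUFFIX)
    elif doc.get("issuer") != discovery_url[: -len(DISCOVERY_SUFFIX)]:
        problems.append("issuer does not match the URL the document was fetched from")
    for label, (key, required) in FIELD_MAP.items():
        value = doc.get(key)
        if value is None:
            if required:
                problems.append(f"missing {key} (needed for {label})")
        elif urlsplit(value).scheme != "https":  # codes and tokens must not travel over http
            problems.append(f"{key} is not https: {value}")
    return problems


def form_fields_from_discovery(discovery_url: str, document_text: str) -> dict:
    """The values the dialog fills in automatically; raises if the document fails the checks."""
    problems = check_discovery(discovery_url, document_text)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(document_text)
    fields = {label: doc.get(key) for label, (key, _) in FIELD_MAP.items()}
    # Only worth switching Use PKCE on when the provider advertises the S256 method
    fields["Use PKCE"] = "S256" in doc.get("code_challenge_methods_supported", [])
    return fields


if __name__ == "__main__":
    for label, value in form_fields_from_discovery(SAMPLE_DISCOVERY_URL, SAMPLE_DOCUMENT).items():
        print(f"{label:18} {value}")
```

The issuer comparison is the check that matters most: a discovery document is only as trustworthy as the URL it was fetched from, and a document whose issuer points elsewhere would make Nexeed IAS accept tokens from a publisher the administrator never configured.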
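Steps 10 to 13 configure three checks on the access token: that its issuer equals the Publisher URL, that its signature is valid, and that the verification key comes from the JWKS URL. The following added example (written for this page, not Nexeed IAS code) shows those checks end to end using only the Python standard library: one side plays the identity provider and signs a token, the other side plays Nexeed IAS and verifies it. The ISSUER and CLIENT_ID values are assumptions, the RSA key is generated in-code at demo size, and the JWKS document and token are constructed from it.

```python
# Added example, not Nexeed IAS code: stdlib-only RS256 token validation.
# ISSUER and CLIENT_ID are assumed values; key, JWKS and token are constructed here.
import base64, hashlib, json, secrets, time

ISSUER = "https://idp.example.invalid/realms/demo"  # what goes into the Publisher field
CLIENT_ID = "nexeed-ias"                            # the Client ID the IdP issued (assumed)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 prefix

class TokenError(Exception):
    """Raised for every reason a token must be rejected."""

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for a throwaway demo key only."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(candidate):
            return candidate

def generate_rsa_key(bits: int = 512) -> dict:
    """Demo-size key so the example runs in a second; real IdPs use 2048 bits or more."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def jwk_from_key(key: dict, kid: str) -> dict:
    """What the identity provider publishes at the JWKS URL (public part only)."""
    k = (key["n"].bit_length() + 7) // 8
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": b64url_encode(key["n"].to_bytes(k, "big")), "e": b64url_encode(key["e"].to_bytes(3, "big"))}

def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message); k is the modulus length in bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_jwt(key: dict, kid: str, claims: dict) -> str:
    """Plays the identity provider: issue an RS256-signed token."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    k = (key["n"].bit_length() + 7) // 8
    s = pow(_emsa_pkcs1_v15(signing_input.encode(), k), key["d"], key["n"])
    return signing_input + "." + b64url_encode(s.to_bytes(k, "big"))

def verify_access_token(token: str, jwks: dict, issuer: str, audience: str, now: float = None) -> dict:
    """Plays Nexeed IAS: return the claims only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # the token never gets to pick 'none' or an HMAC alg
        raise TokenError("unexpected alg")
    keys = [j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")]
    if len(keys) != 1:
        raise TokenError("no matching key in JWKS")
    n = int.from_bytes(b64url_decode(keys[0]["n"]), "big")
    e = int.from_bytes(b64url_decode(keys[0]["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s_b64)
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k):
        raise TokenError("signature invalid")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:  # the Publisher check
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired")
    return claims

def token_status(token: str, jwks: dict, issuer: str, audience: str, now: float = None) -> str:
    """'valid' or the rejection reason, for logging and for assertions."""
    try:
        verify_access_token(token, jwks, issuer, audience, now)
        return "valid"
    except TokenError as err:
        return str(err)

if __name__ == "__main__":
    key = generate_rsa_key()
    jwks = {"keys": [jwk_from_key(key, "demo-key-1")]}
    token = sign_jwt(key, "demo-key-1", {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42", "exp": int(time.time()) + 300})
    print(token_status(token, jwks, ISSUER, CLIENT_ID))                             # valid
    print(token_status(token, jwks, "https://other.example.invalid", CLIENT_ID))  # issuer mismatch
```

The order of the checks is deliberate: the algorithm is pinned before any key is looked up, the key is selected by the kid from the JWKS document rather than from anything the token carries, and the signature is verified before a single claim is read. Switching Validate Signatures off in step 11 removes the signature step and with it every guarantee the issuer and audience checks rely on.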
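The Use PKCE function in step 14 adds two values to the authorization-code flow: a random code_verifier kept by the client, and its SHA-256 hash (the code_challenge) sent with the authorization request; the identity provider only issues tokens at the Token URL if the verifier presented there hashes to the challenge it stored. The following added example (not Nexeed IAS code, not from this page) implements the S256 method from RFC 7636 with both the client side and the provider-side check. The client id, redirect URI and scopes are assumed values; the constructed test vector is the one published in RFC 7636.

```python
# Added example (not Nexeed IAS code): the S256 PKCE method of RFC 7636.
# Client id, redirect URI and scopes are assumed values.
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 URL-safe characters, the RFC 7636 minimum length."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))"""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_request_params(client_id: str, redirect_uri: str, verifier: str,
                                 state: str, scopes: str = "openid email profile") -> dict:
    """What the client (Nexeed IAS) sends to the Authorization URL: the challenge, never the verifier."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scopes,
        "state": state,  # ties the callback to this login attempt
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def token_request_params(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """What the client sends to the Token URL: the code plus the verifier that proves it started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def provider_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """The identity provider's side: redeem the code only if the verifier hashes to the stored challenge."""
    try:
        return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
    except ValueError:
        return False


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    auth = authorization_request_params("nexeed-ias", "https://ias.example.invalid/callback", verifier, state)
    # The provider stores auth["code_challenge"] with the code it issues; at the Token URL it checks:
    print(provider_accepts_verifier(auth["code_challenge"], verifier))            # True
    print(provider_accepts_verifier(auth["code_challenge"], make_code_verifier()))  # False
```

The verifier exists only in the client's memory for the duration of one login and never appears in the browser redirect, which is why enabling Use PKCE is worthwhile even for a confidential client that also has a Client Secret: a code that leaks from the redirect cannot be redeemed without it.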