Example of an identity provider configuration for Microsoft Entra ID

The following example shows the configuration of an identity provider with Microsoft Entra ID. The illustrations of Microsoft Entra ID correspond to the software version when this user guide was created.

Prerequisite

Identity Provider Manager and Group Mapper Manager roles

Procedure

  1. Open the Microsoft Azure portal.
  2. Click Microsoft Entra ID.

    mac oidc azure ad identity prov 1

    The Microsoft Entra ID overview is displayed.

  3. In the + Add selection list, click App registration.

    The registration form for a new application opens.

    mac oidc azure ad identity prov 2

  4. Enter the Display name and select the Supported account types.

    mac oidc azure ad identity prov 3

  5. Click on Register.
  6. In the Certificates & secrets area, click + New client secret.

    mac oidc azure ad identity prov 4

  7. Enter a Description and select the validity period.
  8. Click Add.
  9. Copy the Value of the client secret and store it securely on the computer.

    The client secret value is displayed only once, directly after it is created; it cannot be read again later. If it is lost, a new secret must be created. Treat it like a password: it is the credential with which Nexeed Multitenant Access Control authenticates to Entra ID.

    mac oidc azure ad identity prov 5

  10. In the Token configuration area, click + Add optional claim.

    mac oidc azure ad identity prov 6

  11. Select the token type.
  12. If the user info endpoint does not supply the required user attributes, select family_name and given_name.
  13. Select login_hint. Without this claim, logout can fail once tokens become large (see step 29).
  14. Click Add.
  15. Note: If a dialog about the optional claim appears when saving, it can be ignored; click Add.

    Nexeed Multitenant Access Control is configured for OpenID Connect by default.

    mac oidc azure ad identity prov 7

  16. Switch to the Overview area.

    mac oidc azure ad identity prov 8

  17. Copy the Application (client) ID and save it locally on the computer.
  18. Switch to the Endpoints tab.
  19. Copy the URL of the OpenID Connect metadata document and save it locally on the computer.
  20. In the Nexeed Multitenant Access Control module, open the Access management > Identity provider menu.
  21. Add the identity provider (Add Identity Provider).
  22. Enter an Alias and a Name.

    mac oidc azure ad identity prov 9a

  23. Activate the Use Discovery Endpoint switch.

    mac_identity providerident_use discovery endpoint

  24. In the Discovery Endpoint field, paste the previously copied URL of the OpenID Connect metadata document.
  25. In the Client Authentication selection list, select Client secret sent as post.

    mac_identity providerident_add idp_3

  26. In the Client ID field, paste the previously copied Application (client) ID.
  27. In the Client Secret field, paste the previously saved client secret value.
  28. To add group membership to the token, in the Token configuration area click + Add groups claim.

    mac oidc azure ad identity prov 10

  29. Select the group type for the groups claim.

    This selects which groups/roles are included in the tokens issued at login.

    Groups assigned to the application includes only groups that have been explicitly assigned to the application; the group hierarchy (nested membership) is not resolved in that case.

    Unless the application is later granted the necessary Microsoft Graph permissions (step 32), do not add all existing groups to the token: if a user is a member of more than 200 groups, Entra ID omits the groups claim from the token and only provides a reference for retrieval via Microsoft Graph, so not all groups are available.

    Do not add all existing groups to the token without configuring the login_hint claim (step 13). A token larger than about 10 kB can otherwise cause problems during logout.

  30. Set the token property (example: Group ID).

    Either the Group ID or the sAMAccountName can be sent in the token. The Claim Value of the group mapper (step 38) must use the same attribute.

  31. Click Add.
  32. To grant the application the permissions needed to evaluate group membership and hierarchies, click + Add a permission in the API permissions area and select the Microsoft Graph API under Microsoft APIs.

    Set application permissions in Entra ID

  33. Under Delegated permissions, select User.Read and GroupMember.Read.All and click Add permissions. Grant admin consent for these permissions; otherwise each user is prompted to consent during login.
  34. To manage the application, click the application in the overview.

    mac oidc azure ad identity prov 11

  35. If Groups assigned to the application was selected for the groups claim, make sure the relevant groups are assigned to the application (see step 29).
  36. Search for the group and copy its Object ID to the clipboard (if the token has been configured with sAMAccountName, use that value instead).

    mac oidc azure ad identity prov 14c

  37. In the Nexeed Multitenant Access Control module, open the Access Management > Identity Provider menu.
  38. Open Add Mapper and paste the previously copied Object ID of the group into the Claim Value field.

    mac oidc azure ad identity prov 15

  39. In the Sync Mode drop-down list, select Force.

    With this setting the claim is re-evaluated at every login and the assignment to the mapped group is applied again, so that group changes made in Entra ID take effect at the user's next login.

  40. Make sure that groups is entered in the Claim Name field.
  41. Click Save.

All users who are members of the group mapped for the identity provider can then log in centrally to Nexeed Industrial Application Systems via that identity provider.
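To verify the result of the procedure above, it helps to look at an ID token from a test login and check the claims the mapper depends on. The following Python helper is an added example; it is not part of this guide, of Nexeed Multitenant Access Control or of Microsoft's tooling. It decodes a token, reports whether the groups claim is present and below the overage limit, whether Entra ID replaced it with a Microsoft Graph reference, whether login_hint, family_name and given_name are set, whether the token exceeds 10 kB, and replicates the mapper's Claim Name / Claim Value test. The signature is deliberately not verified (the tool inspects a token you obtained yourself; it must not be used to accept tokens). The 200-group limit is Microsoft's documented overage limit for JWTs, the 10 kB figure is this guide's, and the sample token with its tenant, client and group IDs is constructed and unsigned.

```python
import base64
import json

# Thresholds used by the checks. 200 is Microsoft's documented groups overage
# limit for JWTs; 10 kB is the logout limit given in this guide. Both are
# treated as assumptions here, not as values read from Entra ID.
GROUPS_OVERAGE_LIMIT = 200
LOGOUT_TOKEN_SIZE_LIMIT = 10 * 1024


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT.

    The signature is NOT verified: this inspects a token you obtained from a
    test login to see what Entra ID put into it. Never use it to accept tokens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(b64url_decode(parts[1]))


def check_token(token: str) -> list:
    """Return findings about the claims the group mapper configuration relies on."""
    claims = decode_claims(token)
    findings = []

    groups = claims.get("groups")
    if groups is None:
        # Above the overage limit Entra ID replaces the groups claim with a Graph
        # reference (_claim_names/_claim_sources, or hasgroups in the implicit
        # flow). The mapper's Claim Name "groups" then never matches.
        if "_claim_names" in claims or claims.get("hasgroups"):
            findings.append(
                "groups overage: Entra ID emitted a Graph reference instead of the "
                "groups claim; grant GroupMember.Read.All or narrow the group type"
            )
        else:
            findings.append("no groups claim: the group mapper will never match")
    elif len(groups) > GROUPS_OVERAGE_LIMIT:
        findings.append(f"{len(groups)} groups in token, above the overage limit")

    if "login_hint" not in claims:
        findings.append("login_hint claim missing: logout may break with large tokens")

    size = len(token.encode("ascii"))
    if size > LOGOUT_TOKEN_SIZE_LIMIT:
        findings.append(f"token is {size} bytes, above 10 kB; expect logout problems")

    for name in ("family_name", "given_name"):
        if name not in claims:
            findings.append(f"{name} missing: add the optional claim or rely on the user info endpoint")

    return findings


def mapper_matches(token: str, claim_name: str, claim_value: str) -> bool:
    """Replicate the mapper's test: is claim_value among the values of claim_name?"""
    value = decode_claims(token).get(claim_name)
    if isinstance(value, list):
        return claim_value in value
    return value == claim_value


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED sample token for offline testing (constructed, not issued by Entra ID)."""
    def enc(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claims modelled on an Entra ID v2.0 ID token; all GUIDs are placeholders.
SAMPLE_GROUP_ID = "22222222-2222-2222-2222-222222222222"
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "aud": "11111111-1111-1111-1111-111111111111",
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "groups": [SAMPLE_GROUP_ID, "33333333-3333-3333-3333-333333333333"],
    "login_hint": "O.CiQwMDAw",
    "family_name": "Doe",
    "given_name": "Jane",
}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    print("findings:", check_token(token) or "none")
    print("mapper matches sample group:", mapper_matches(token, "groups", SAMPLE_GROUP_ID))
```

To use it on a real token, take the ID token from a test login (for example from the identity provider's debug output or a browser developer tool) and pass it to check_token and mapper_matches with the Object ID you entered as Claim Value; an empty findings list and a True match mean the token carries what the mapper expects.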