Skip to main content

Microsoft Entra ID

Setting up Microsoft Entra ID (formerly Azure AD) with the piplanning.io via SSO. Topics: Entra Groups, OIDC connection and FAQ.

Updated over a week ago

It is possible to set up Microsoft Entra ID as an OpenID Connect (OIDC) provider with piplanning.io. With this setup, the existing Microsoft Entra ID users can login and authenticate to piplanning.io via SSO.

The generic instructions are also available from Microsoft here.

Setting up Microsoft Entra ID

  1. Go to the Azure portal: https://portal.azure.com/#home

  2. Select Microsoft Entra ID in the menu.

    Microsoft Azure Portal - navigate to Microsoft Entra ID.

  3. Navigate to Manage > App registrations menu option and click on +New registration button.

    Entra ID App registrations page. Click New registration button.

  4. Insert the name of the application (e.g. piplanning app) and complete the following settings:

    1. Please note: for the Supported account types radio button selection, depending on how Microsoft Entra ID is configured in your environment and depending on which users you want to give access to piplanning.io, you might have to select a different radio button option in the Supported account types section. If the SSO login does not work for some users, come back to this setting and try changing this configuration option.

    2. Add the Callback URL into the Redirect URI (optional) field. The Callback URL can be found in the RTE Cockpit > SSO > OpenID Connect page. Important: Choose Web as the platform type.

      Register a new Entra ID Application.


      *Note: The Callback URL can be found on the OpenID Connect page in the RTE Cockpit.

      The OpenID Connect page in the RTE Cockpit SSO setup.

  5. Check that the permissions are correct. You need the Microsoft Graph User.Read permissions to be able to login successfully.

    Note: If you want to map Microsoft Entra ID Groups to piplanning.io Teams automatically, you need to add Microsoft Graph Group.Read.All permissions as well.

    Permissions to Read Entra ID Users and Groups.

  6. Next is the creation of a Client Secret. This can be done by going in the Manage > Certificates & Secrets in the left navigation (or click the Add certificate or secret hyperlink under Essentials in the right pane), then click on +New client secret button.

    Entra ID > Manage > Certificates & secrets. Create a New client secret button.

  7. The secret can now be copied* to your clipboard and saved. This information is needed in piplanning.io > RTE Cockpit > SSO > OIDC setup later to complete the Identity Provider setup.

    Important: Client Secret Value can only be viewed once, immediately after creation. It is important you copy this value to be used in the setup in the RTE Cockpit.

    Entra ID App Client secrets. Copy the values for use in the SSO setup.

Setting up the SSO > OIDC connection in piplanning.io

To configure piplanning.io with Entra ID using the OpenID Connection protocol, do the following:

  1. Login to the RTE Cockpit and click on the SSO menu.

  2. Click the button Setup OpenID Connect button.

    RTE Cockpit > SSO > Setup OpenID Connect > OpenID Connect setup

  3. Enter a Connection name of your choice. Note: The Connection name value will appear as the label on the login button for your users. (e.g. "Entra ID Login")

  4. Ensure the checkbox Automatically discover endpoints remains checked.

  5. Enter into the Issuer field the following URL:

    1. https://login.microsoftonline.com/{tenantId}/v2.0

    2. The {tenant ID} must be substituted with the value found on the Microsoft Entra ID application registration overview as Directory (tenant) ID:

    Entra ID > Application Overview page with {tenant} and {client} IDs.

    Note: Depending on your configuration, you might have to use the older version of the API. If login doesn't work with your setup, try to remove /v2.0 from the Issuer URL: ​https://login.microsoftonline.com/{tenantId}

  6. Fill in the Client ID that you also find in the Microsoft Entra ID > Application Overview > Essentials tab, it is the Application (client) ID

  7. Fill in the Client secret from the value you previously generated under "Certificates & Secrets". This value was hopefully saved to your clipboard previously.

  8. Enter the Scope field with the following values: openid email profile

  9. At this point the form should be complete, and the connection should be saved by clicking Save.

    Screenshot of the OpenID Connect configuration for Microsoft Entra ID.

The piplanning.io login screen will now add the button for SSO via Microsoft Entra ID.

piplanning.io Login Page with Entra ID SSO setup with the ODIC protocol.

Mapping Entra Groups to piplanning.io Teams

In order to set up Group Mapping for Microsoft Entra ID to piplanning.io Teams you need to execute the following steps:

  1. Navigate to Microsoft Entra ID > App registrations > (Entra App Name) > Token configuration option.

    Navigate to Token configuration menu in the Entra ID App.

  2. Click on Add group claim and select the checkbox Groups assigned to the application (recommended for large enterprise companies to avoid exceeding limit on the number of groups a token can emit) option. Click Add.

    Edit group claim in the Entra ID App.

  3. Navigate to Microsoft Entra ID > App registrations > (Entra App Name). Click on the application Display name hyperlink, in this example piplanning.io.

    Navigate to the App registrations. Click on the App created and select Manifest.

    1. Click on Manifest option in the left menu navigation.

    2. Find optionalClaims and modify the idToken property to include cloud_displayname under additionalProperties. See the screenshot below for the correct syntax.

    3. Click Save.

      Entra ID > App registration > Manage > Manifest > Edit idToken > additionalProperties.

  4. Navigate to Microsoft Entra ID > Enterprise applications > (Entra App Name) > Users and groups.

    1. Click on the Add user/group button and select all groups you want to map to the piplanning.io Teams.

  5. Navigate back to the RTE Cockpit, navigate to Organizations > Teams and select a piplanning.io Team you want to map to the respective Microsoft Entra ID group.

    1. Click Edit Team button and select the OpenID Connect Group tab at the bottom. Fill in the Group name field.

    2. Click Save.

      RTE Cockpit > Organization > Team > Edit > OpenID Connect Group tab.

    Configuration complete. Now you can test the SSO set up via the OIDC connection to Microsoft Entra ID Groups.

    NOTE: If Group mapping does not work as expected, in Entra ID try to edit the Groups Claim in the Token configuration. Click Edit Groups Claim, select ID in Customize token properties by type and select sAMAAccountName. Click Save. After that perform the steps from step #4 again.

Entra ID edit Group Claims to select sAMAAccountName.

FAQ

Q: During login, I get the error: A request to the OpenID Connect Token API has failed. Unable to complete this login request" [Backend error: AADSTS700025 - invalid_client]


A: Make sure you have selected Web (instead of single page application) for the redirect URI in Azure.

Related Articles
Managing Users
Map IdP Groups to piplanning.io Teams
Single Sign-On (SSO): Getting Started
SSO using Okta
Did this answer your question?