Microsoft Entra ID

Setting up Microsoft Entra ID (formerly Azure AD) with piplanning.io via SSO. Topics: Entra Groups, OIDC connection and FAQ.

Updated over 2 weeks ago

Setting up Microsoft Entra ID

  1. Go to the Azure portal: https://portal.azure.com/#home

  2. Select Microsoft Entra ID in the menu.

    Microsoft Azure Portal - navigate to Microsoft Entra ID.

  3. Navigate to Manage > App registrations menu option and click on +New registration button.

    Entra ID App registrations page. Click New registration button.

  4. Insert the name of the application (e.g. piplanning app) and the Callback URL* into the Redirect URI (optional) field. Choose Web as the platform type.

    IMPORTANT: Ensure you have the value Web selected in the platform type dropdown field when configuring the Redirect URI (optional) field.

    Register a new Entra ID Application.


    *Note: The Callback URL can be found on the OpenID Connect page in the RTE Cockpit.

    The OpenID Connect page in the RTE Cockpit SSO setup.

    Note: Depending on how your Microsoft Entra ID is configured and which users you want to give access to piplanning.io, you might have to select a different option in the Supported account types section. If login for some users doesn't work, try changing this configuration option.

  5. Check that the permissions are correct. You need the Microsoft Graph User.Read permission to be able to log in successfully.

    Note: If you want to map Microsoft Entra ID Groups to piplanning.io Teams automatically, you need to add Microsoft Graph Group.Read.All permissions as well.

    Permissions to Read Entra ID Users and Groups.

  6. Next, create a Client Secret. Go to Manage > Certificates & secrets in the left navigation (or click the Add certificate or secret hyperlink under Essentials in the right pane), then click the +New client secret button.

    Entra ID > Manage > Certificates & secrets. Create a New client secret button.

  7. The secret can now be copied* to your clipboard and saved. This information is needed in piplanning.io > RTE Cockpit > SSO > OIDC setup later.

    *Note: Client secret values can only be viewed once, immediately after creation. It is important that you copy this value so it can be used in the setup in the RTE Cockpit.

    Entra ID App Client secrets. Copy the values for use in the SSO setup.

Setting up the SSO > OIDC connection in piplanning.io

To configure piplanning.io with Entra ID using the OpenID Connect protocol:

  1. Log in to the RTE Cockpit and click on the SSO menu. Click the Setup OpenID Connect button.

    RTE Cockpit > SSO > Setup OpenID Connect > OpenID Connect setup

  2. Enter a Connection name of your choice (e.g. "Entra ID Login"). Note: The Connection name value will appear as the label on the login button for your users.

  3. Ensure the checkbox Automatically discover endpoints remains checked.

  4. Enter into the Issuer field the following URL:

    1. The {tenant ID} must be substituted with the value found on the Microsoft Entra ID application registration overview as Directory (tenant) ID:

    Entra ID > Application Overview page with {tenant} and {client} IDs.


    Note: Depending on your configuration, you might have to use the older version of the API. If login doesn't work with your setup, try removing /v2.0 from the Issuer URL: https://login.microsoftonline.com/{tenantId}

  5. Fill in the client ID that you can also find in the Microsoft Entra ID > Application registration overview as Application (client) ID

  6. Fill in the client secret from the value you previously generated under "Certificates & Secrets". This value was hopefully saved to your clipboard previously.

  7. At this point the form should be complete, and the connection should be saved by clicking Save.

    Screenshot of the OpenID Connect configuration for Microsoft Entra ID.

The piplanning.io login screen will now add the button for SSO via Microsoft Entra ID.

piplanning.io Login Page with Entra ID SSO set up with the OIDC protocol.

Mapping Entra Groups to piplanning.io Teams

In order to set up group mapping for Microsoft Entra ID to piplanning.io Teams you need to execute the following steps:

  1. Navigate to Microsoft Entra ID -> App registrations -> <Entra App Name> -> Token configuration.

    Navigate to Token configuration menu in the Entra ID App.

  2. Click on Add group claim and select the Groups assigned to the application (recommended for large enterprise companies to avoid exceeding limit on the number of groups a token can emit) option. Click Add.

    Edit group claim in the Entra ID App.

  3. Navigate to Microsoft Entra ID -> App registrations -> <Entra App Name> -> Manifest.

    Navigate to the App registrations. Click on the App created and select Manifest.

  4. Find optionalClaims and modify the idToken property to include cloud_displayname under additionalProperties. Click Save.

    Entra ID > App registration > Manage > Manifest > Edit idToken > additionalProperties.

  5. Navigate to Microsoft Entra ID -> Enterprise applications -> <Entra App Name> -> Manage -> Users and groups.

  6. Click on the Add user/group button and select all groups you want to map to the piplanning.io Teams.

  7. Back in the RTE Cockpit, navigate to Organizations -> Teams and select a Team you want to map to the respective Microsoft Entra ID group.

  8. Click Edit Team button and select the OpenID Connect Group tab at the bottom. Fill in the Group name field. Click Save.

    RTE Cockpit > Organization > Team > Edit > OpenID Connect Group tab.

  9. NOTE: If group mapping does not work as expected, try editing the Groups Claim in the Token configuration in Entra ID. Click Edit Groups Claim, select ID in Customize token properties by type and select sAMAccountName. Click Save. After that, perform the steps from step 5 again.

Entra ID edit Group Claims to select sAMAccountName.
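
When group mapping does not behave as expected, inspecting the groups claim in the ID token usually shows why. The following is an added example, not code from piplanning.io or Microsoft: the function names are hypothetical, the sample claim sets are constructed, and the token is decoded for inspection only, without signature verification.

```python
import base64
import json
import re

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def decode_payload(id_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose_groups(claims: dict, expected_group: str) -> str:
    """Explain why a Team's OpenID Connect Group name would or would not match."""
    groups = claims.get("groups")
    if groups is None:
        # Overage: Entra replaces the list with a pointer to Microsoft Graph.
        if "groups" in claims.get("_claim_names", {}) or claims.get("hasgroups"):
            return "overage: too many groups, claim replaced by a Graph reference"
        return "missing: no group claim configured, or user is in no assigned group"
    if expected_group in groups:
        return "match"
    if groups and all(GUID.match(g) for g in groups):
        return "object-ids: token carries group GUIDs, not names"
    return "no-match: names are emitted, but the expected group is not among them"

def make_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Entra token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample claim sets; group names and the GUID are made up.
SAMPLES = {
    "names": {"sub": "u1", "groups": ["Team Alpha", "Team Beta"]},
    "guids": {"sub": "u1", "groups": ["0f8fad5b-d9cb-469f-a165-70867728950e"]},
    "overage": {"sub": "u1", "_claim_names": {"groups": "src1"}},
    "none": {"sub": "u1"},
}

if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        token = make_token(claims)
        print(label, "->", diagnose_groups(decode_payload(token), "Team Alpha"))
```

An "object-ids" result corresponds to a group claim that was added without the manifest change from step 4, and an "overage" result is the case the Groups assigned to the application option in step 2 is meant to avoid.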

FAQ

Q: During login, I get the error: "A request to the OpenID Connect Token API has failed. Unable to complete this login request" [Backend error: AADSTS700025 - invalid_client]


A: Make sure you have selected Web (instead of single page application) for the redirect URI in Azure.
