It is possible to set up Microsoft Entra ID as an OpenID Connect (OIDC) provider with piplanning.io. With this setup, existing Microsoft Entra ID users can log in and authenticate to piplanning.io via SSO.
The generic instructions are also available from Microsoft here.
Setting up Microsoft Entra ID
Go to the Azure portal: https://portal.azure.com/#home
Select Microsoft Entra ID in the menu.
Navigate to the Manage > App registrations menu option and click the +New registration button.
Insert the name of the application (e.g. piplanning app) and complete the following settings:
Please note: for the Supported account types radio button selection, you might have to select a different option depending on how Microsoft Entra ID is configured in your environment and on which users you want to give access to piplanning.io. If the SSO login does not work for some users, come back to this setting and try changing this configuration option.
Add the Callback URL into the Redirect URI (optional) field. The Callback URL can be found in the RTE Cockpit > SSO > OpenID Connect page. Important: Choose Web as the platform type.
Check that the permissions are correct. You need the Microsoft Graph User.Read permission to be able to log in successfully.
Note: If you want to map Microsoft Entra ID Groups to piplanning.io Teams automatically, you need to add the Microsoft Graph Group.Read.All permission as well.
Next, create a Client Secret. Go to Manage > Certificates & Secrets in the left navigation (or click the Add certificate or secret hyperlink under Essentials in the right pane), then click the +New client secret button.
The secret can now be copied to your clipboard and saved. This value is needed later in piplanning.io > RTE Cockpit > SSO > OIDC setup to complete the Identity Provider setup.
Important: Client Secret Value can only be viewed once, immediately after creation. It is important you copy this value to be used in the setup in the RTE Cockpit.
Setting up the SSO > OIDC connection in piplanning.io
To configure piplanning.io with Entra ID using the OpenID Connect protocol, do the following:
Log in to the RTE Cockpit and click on the SSO menu.
Click the Setup OpenID Connect button.
Enter a Connection name of your choice (e.g. "Entra ID Login"). Note: The Connection name value will appear as the label on the login button for your users.
Ensure the checkbox Automatically discover endpoints remains checked.
Enter the following URL into the Issuer field:
https://login.microsoftonline.com/{tenantId}/v2.0
The {tenantId} placeholder must be substituted with the value shown as Directory (tenant) ID on the Microsoft Entra ID application registration overview.
Note: Depending on your configuration, you might have to use the older version of the API. If login doesn't work with your setup, try removing /v2.0 from the Issuer URL: https://login.microsoftonline.com/{tenantId}
Fill in the Client ID, which you also find in the Microsoft Entra ID > Application Overview > Essentials tab; it is the Application (client) ID.
Fill in the Client secret from the value you previously generated under "Certificates & Secrets". This value was hopefully saved to your clipboard previously.
Enter the following values into the Scope field:
openid
email
profile
At this point the form should be complete, and the connection should be saved by clicking Save.
The piplanning.io login screen will now add the button for SSO via Microsoft Entra ID.
Mapping Entra Groups to piplanning.io Teams
In order to set up Group Mapping for Microsoft Entra ID to piplanning.io Teams you need to execute the following steps:
Navigate to Microsoft Entra ID > App registrations > (Entra App Name) > Token configuration option.
Click on Add group claim and select the checkbox Groups assigned to the application (recommended for large enterprise companies to avoid exceeding limit on the number of groups a token can emit) option. Click Add.
Navigate to Microsoft Entra ID > App registrations > (Entra App Name). Click on the application Display name hyperlink, in this example piplanning.io.
Navigate to Microsoft Entra ID > Enterprise applications > (Entra App Name) > Users and groups.
Click on the Add user/group button and select all groups you want to map to the piplanning.io Teams.
Navigate back to the RTE Cockpit, navigate to Organizations > Teams and select a piplanning.io Team you want to map to the respective Microsoft Entra ID group.
Click the Edit Team button and select the OpenID Connect Group tab at the bottom. Fill in the Group name field.
Click Save.
Configuration complete. Now you can test the SSO setup via the OIDC connection to Microsoft Entra ID Groups.
NOTE: If Group mapping does not work as expected, try editing the Groups Claim in the Token configuration in Entra ID. Click Edit Groups Claim, select ID in Customize token properties by type and select sAMAccountName. Click Save. After that perform the steps from step #4 again.
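A troubleshooting aid for the SSO and Group Mapping setup above, added here as an example and not part of piplanning.io's or Microsoft's own material: it decodes an ID token without verifying the signature and compares its tid, aud and groups claims with the values entered in the RTE Cockpit. The tenant, client and group values are constructed, and the code assumes piplanning.io compares the Group name field with the entries of the groups claim.

```python
import base64, json, re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (troubleshooting only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def triage(claims, tenant_id, client_id, group_name):
    """Return a list of findings; an empty list means the token matches the setup."""
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append("tid differs from the Directory (tenant) ID in the Issuer URL")
    if claims.get("aud") != client_id:
        findings.append("aud differs from the Application (client) ID")
    # Overage: Entra ID omits the inline groups claim and points elsewhere instead.
    if "groups" in claims.get("_claim_names", {}) or claims.get("hasgroups"):
        findings.append("group overage: use 'Groups assigned to the application'")
        return findings
    groups = claims.get("groups") or []
    if not groups:
        findings.append("no groups claim: add it under Token configuration")
    elif group_name not in groups:
        # Assumption: the Team's Group name is matched against the claim values.
        if all(GUID.match(g) for g in groups) and not GUID.match(group_name):
            findings.append("groups are object IDs but the Team maps a name")
        else:
            findings.append("user is not in the mapped group")
    return findings

def make_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return "e30." + body.decode() + ".constructed-signature"

# Constructed sample values, not real identifiers.
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE = make_token({"tid": TENANT, "aud": CLIENT,
                     "groups": ["0f0f0f0f-1111-2222-3333-444444444444"]})

if __name__ == "__main__":
    for finding in triage(jwt_claims(SAMPLE), TENANT, CLIENT, "ART-Team-Blue"):
        print(finding)
```

The "groups are object IDs" finding is the situation the NOTE above addresses by switching the claim to sAMAccountName.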
FAQ
Q: During login, I get the error: "A request to the OpenID Connect Token API has failed. Unable to complete this login request" [Backend error: AADSTS700025 - invalid_client]
A: Make sure you have selected Web (instead of single page application) for the redirect URI in Azure.