External Authentication Method (EAM)

This guide provides step-by-step instructions for integrating Microsoft Entra with Pointsharp IdP as an external authentication method using OpenID Connect (OIDC).

This integration enables you to use Pointsharp IdP for authentication in Entra without federating your entire tenant, allowing selective and secure authentication flows for specific applications or user groups.

For Microsoft Entra External Authentication Methods (EAM) using OpenID Connect, the client secret is typically not used: the authentication flow relies on browser-based redirects and interactive user authentication rather than on a back-channel token exchange. That is why a dummy secret is used in this guide.

Follow each section in order to complete the integration:

Application in Entra

  1. Sign in to the Microsoft Entra admin center.

  2. Navigate to Applications > Enterprise applications > New application.

  3. Select Create your own application and provide a name (e.g., "Pointsharp IdP EAM").

  4. Choose Integrate any other application you don’t find in the gallery (Non-gallery) and click Create.

  5. After creation, go to the application and select Single sign-on.

  6. Choose OpenID Connect as the single sign-on method.

  7. Note the following values for later use in Pointsharp IdP configuration:

    • Redirect URI (Callback URL)

    • Client ID

    • Client Secret (if generated)

    • (Optional) Issuer/Discovery URL

External authentication method in Entra

  1. Sign in to the Microsoft Entra admin center.

  2. Navigate to Protection > Authentication methods > External Identities.

  3. Select External authentication methods and click Add method.

  4. Choose OpenID Connect IdP and provide a name (e.g., "Pointsharp IdP").

  5. Enter the OIDC discovery URL from Pointsharp IdP (e.g., https://<idp-domain>/.well-known/openid-configuration).

  6. Enter the Client ID and Client Secret as configured in Pointsharp IdP.

  7. Configure the required claims and scopes as needed for your environment.

  8. Assign the method to users or groups as appropriate.

  9. Save the configuration.
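Before entering the discovery URL in step 5, it is worth checking that the document Pointsharp IdP publishes at that URL is complete and internally consistent, since Entra will reject a registration (or fail at sign-in) if a required field is missing or the issuer does not match. The Python below is an added example for that check; it is not part of this guide or of the Pointsharp product. It embeds a constructed sample discovery document under the placeholder host idp.example.com instead of fetching one, and the expectation that id_token appears in response_types_supported is an assumption of the example, not something the guide states.

```python
"""Validate an OIDC discovery document before registering it as an Entra EAM.

Added example; the sample document below is constructed for illustration.
"""
import json
from urllib.parse import urlparse

# Fields the OpenID Connect Discovery 1.0 specification marks REQUIRED.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Constructed sample standing in for the document served at
# https://<idp-domain>/.well-known/openid-configuration (placeholder host).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oidc/authorize",
    "token_endpoint": "https://idp.example.com/oidc/token",
    "jwks_uri": "https://idp.example.com/oidc/jwks",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
})


def validate_discovery(document: str, discovery_url: str) -> list[str]:
    """Return a list of findings; an empty list means the document passed."""
    findings: list[str] = []
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not valid JSON: {exc}"]

    for field in REQUIRED_FIELDS:
        if field not in doc:
            findings.append(f"missing required field: {field}")
    if findings:
        # Remaining checks would raise KeyError; report what is missing first.
        return findings

    # Entra redirects the user's browser to these URLs, so they must be HTTPS.
    for key in ("issuer", "authorization_endpoint", "jwks_uri"):
        if urlparse(doc[key]).scheme != "https":
            findings.append(f"{key} is not https: {doc[key]}")

    # The issuer must equal the discovery URL minus the well-known suffix
    # (OIDC Discovery 1.0, section 4.3); a mismatch breaks ID token validation.
    expected_prefix = discovery_url.removesuffix("/.well-known/openid-configuration")
    if doc["issuer"].rstrip("/") != expected_prefix.rstrip("/"):
        findings.append(
            f"issuer {doc['issuer']} does not match discovery URL {discovery_url}"
        )

    # Assumption of this example: the EAM sign-in requests response_type=id_token.
    if "id_token" not in doc["response_types_supported"]:
        findings.append("response_types_supported does not include id_token")

    # Reject a provider that offers only unsigned ("none") ID tokens.
    algs = doc["id_token_signing_alg_values_supported"]
    if not [alg for alg in algs if alg != "none"]:
        findings.append("no signing algorithm other than 'none' is offered for ID tokens")

    return findings


if __name__ == "__main__":
    url = "https://idp.example.com/.well-known/openid-configuration"
    result = validate_discovery(SAMPLE_DISCOVERY, url)
    print("OK" if not result else "\n".join(result))
```

To run it against a live IdP, replace SAMPLE_DISCOVERY with the body fetched from the discovery URL and pass that same URL as the second argument; the issuer comparison is the check most often tripped by a reverse proxy or a trailing-path difference between the published URL and the configured issuer.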

Configuration for Pointsharp IdP

  1. Sign in to the Pointsharp IdP administration GUI.

  2. Navigate to the realm or tenant you want to configure.

  3. Go to Clients and select Create client.

  4. Enter a client ID and select OpenID Connect as the protocol.

  5. Set the Redirect URI to match the value from the Entra application.

  6. Configure the client settings:

    • Enable the client.

    • Set access type to confidential (required before the client can be saved).

    • Enter a dummy client secret. This is required by the interface, but will not be used by Entra EAM.

    • Set the appropriate scopes (such as openid, profile, email).

  7. (Optional) Configure advanced OIDC settings as needed.

  8. Save the client configuration.