Entra ID account sign-in

This guide provides step-by-step instructions for configuring Microsoft Entra ID as an external identity provider in Pointsharp IdP using OpenID Connect (OIDC). This allows users to authenticate to Pointsharp IdP using their Entra ID accounts.

Prerequisites

  • You have a working Pointsharp IdP installation.

  • You have administrative access to a Microsoft Entra tenant.

Follow each section in order to complete the integration. Optional steps are clearly marked for advanced attribute and group mapping.

Register Pointsharp IdP as an application in Entra

  1. Sign in to the Microsoft Entra admin center.

  2. Navigate to Applications > App registrations > New registration.

  3. Enter a name.

  4. Set the Redirect URI to match the authorization_endpoint value from the OIDC well-known configuration endpoint of your Pointsharp IdP. For example https://<idp-fqdn>/realms/<realm>/well-known/openid-configuration.

    The authorization_endpoint will look similar to https://<idp-fqdn>/realms/<realm>/protocol/openid-connect/auth.

    Use this value as the Redirect URI when registering the application in Entra.

  5. Complete the registration and note the Application (client) ID and Directory (tenant) ID.

  6. Go to Certificates & secrets and create a new client secret. Note the value for later use.

Configure claims and group/UPN emission in Entra (optional)

Optional: To include groups or UPN in the ID token, configure token claims:

  1. In the app registration, go to Token configuration.

  2. Add a new claim for groups if you want group membership in the token.

  3. Add a new claim for upn if you want the user’s UPN in the token.

  4. Adjust API permissions if needed to allow these claims.

Configure Microsoft Entra ID as an Identity Provider in Pointsharp IdP

  1. Sign in to the Pointsharp IdP Admin GUI.

  2. Navigate to the realm or tenant you want to configure.

  3. Go to dentity Providers and select Add provider > OpenID Connect v1.0.

  4. Enter the following details:

    • Alias: e.g., entra

    • Client ID: from Entra app registration

    • Client Secret: from Entra app registration

    • Discovery URL: https://login.microsoftonline.com/<tenant-id>/.well-known/openid-configuration

    • Scopes: openid profile email (add groups if group mapping is needed)

    • Redirect URI: as registered in Entra

  5. Save the configuration.

Configure attribute/group mapping in Pointsharp IdP (optional)

Optional: To map groups or UPN from Entra ID, follow these steps:

  1. In the Pointsharp IdP Admin GUI, go to the realm or tenant where you added the Entra ID identity provider.

  2. Go to Identity Providers and select your Entra ID provider (e.g., alias "entra").

  3. Navigate to the Mappers tab.

  4. To map groups:

    • Click Create or Add Mapper.

    • Set the Name to groups.

    • Set the Mapper Type to User Attribute or Group Membership (depending on your IdP’s options).

    • Set the Claim or Attribute Name to groups.

    • Map to the appropriate Pointsharp IdP role or group field.

    • Save the mapper.

  5. To map UPN:

    • Click Create or Add Mapper.

    • Set the Name to upn.

    • Set the Mapper Type to User Attribute.

    • Set the Claim or Attribute Name to upn.

    • Map to the username or another desired attribute in Pointsharp IdP.

    • Save the mapper.

  6. Adjust mapping logic as needed for your environment and test the mappings by logging in with an Entra ID user.

Verification and troubleshooting

  • Test login to Pointsharp IdP and select Sign in with Entra ID.

  • Verify successful authentication and correct user/group mapping.

  • If login fails:

    • Check for redirect URI mismatches in Entra and Pointsharp IdP.

    • Ensure client ID and secret are correct.

    • Review browser network logs for OIDC errors.

    • Check Pointsharp IdP and Entra sign-in logs for error details.

    • Ensure required claims (groups, upn) are present if mappings are configured.

  • Common issues: misconfigured redirect URI, missing claims, consent not granted, or clock skew.