Integrating Entra ID
At the end of 2023, Microsoft completed the change of their product name from Microsoft Azure Active Directory (Azure AD or AAD) to Microsoft Entra ID (Entra or Entra ID).
This documentation is a detailed guide for setting up single sign-on (SSO) through Entra ID, leveraging SAML 2.0 or OIDC.
The following procedures require copying and pasting information between Entra and the Delinea Platform. We recommend opening both applications before you begin, and keeping both open until you are finished.
You do not need to configure both OIDC and SAML applications for your integration. Depending on your organization's infrastructure and preferences, you can choose either OIDC or SAML.
Instead of using Entra ID federation as described in this topic, you can use Entra ID as a Registered App (native integration). See API-Based Integration with Entra ID. But you cannot use both features simultaneously with the same domains.
Prerequisites
On the Delinea Platform, you need to be an Administrator with federation privileges.
Decide whether you will be using SAML or OIDC.
- For SAML, see Build an Entra SAML Application and Add the SAML Provider to the Platform.
- For OIDC, see Build an Entra OIDC Application and Add the OIDC Provider to the Platform.
Build an Entra SAML Application
- Log into the Entra ID portal at https://entra.microsoft.com.
- Click Manage Entra ID.
- From the left panel, click Enterprise Applications.
- From the top row, click + New Application.
- At the top of the Browse Microsoft Entra ID Gallery page, click Create your own application.
- On the Create your own application page:
  - Enter a meaningful name (for example, Delinea Federation).
  - Ensure this option is selected: Integrate any other application you don't find in the gallery (Non-gallery).
  - Click Create.
- Once your application is created, click Single sign-on from the left panel.
- Click the SAML card.
- On the SAML-based Sign-on page, click Edit at the top right of the Basic SAML Configuration block.
- In the Basic SAML Configuration panel that appears on the right side, click Add Identifier.
- Add the following values:
  - Identifier (Entity ID): CN=Microsoft:Azure:Federated:SSO:Certificate
  - Reply URL (Assertion Consumer Service URL): https://[HOST-NAME].delinea.app/identity-federation/saml/assertion-consumer
    Replace [HOST-NAME] with the host name you selected when you created your tenant.
  - Logout URL (Optional): https://[HOST-NAME].delinea.app/identity-federation/saml/logout-consumer
    Replace [HOST-NAME] with the host name you selected when you created your tenant.
- Click Save at the top left.
Attributes and Claims Mappings
- Click Edit at the right side of the Attributes & Claims block. There are four (4) claims the Delinea Platform requires:

  Source | Destination
  EmailAddress | email
  Name | displayname
  nameidentifier | sub
  upn | upn

- In the Attributes & Claims dialog, click the Name claim and change the Source attribute to user.displayname.
- Click Save.
- As needed, add the groups assigned to this application as a claim in the SAML token. For details, see Add group claims to tokens for SAML applications using SSO configuration.
- Click Add new claim.
- On the Manage Claim page, enter the following values:
  - Name: nameidentifier
  - Source Attribute: user.objectid
- Click Save.
- Add a second claim for upn using the following values:
  - Name: upn
  - Source Attribute: user.userprincipalname
- Click Save. Your final claims appear.
- Click the SAML-based Sign-on link to go back to the SAML setup screen.
- In the SAML Certificates block, click Download next to Federation Metadata XML and Certificate (Base64). You will use these saved files in the next step to configure the Federation service in your Delinea tenant.
Add the SAML Provider to the Platform
- Log in to the Delinea Platform.
- Click Settings from the left navigation, then click Federation Providers.
- Click Add Provider.
- Select SAML from the drop-down menu. The Add Provider page opens.
Settings
In the Settings section, the first fields are automatically populated when you select the SAML provider configuration file and click Apply.
- SAML provider configuration: Click Select file.
- Navigate to and select the federation metadata XML file you downloaded. Apply appears above the right end of the SAML provider configuration field.
- Click Apply. The words Uploaded successfully appear next to SAML provider configuration, and the empty fields below are auto-populated:
  - Name: Auto-generated from metadata
  - Protocol: SAML (auto-filled)
  - Status: Disabled
  - Entity ID (example: https://sts.windows.net/808444af-4011-40d5-9b0a-a9a5c95f88e9/)
  - IDP Certificate: Click Select File, then navigate to and select the Signing Certificate file you downloaded, to populate the following fields:
    - Signature
    - Algorithm
    - Thumbprint
    - Not valid before
    - Not valid after
    - Issuer
- IDP Login URL: Paste in the Login URL copied from your application in Entra, Step 4.
- IDP Logout URL: Paste in the Logout URL copied from your application in Entra, Step 4.
- Platform Callback URL: https://[HOST-NAME].delinea.app/identity-federation/saml/assertion-consumer
  Copy the Platform Callback URL and paste it into the appropriate field in your new Entra application.
- Platform Logout URL: https://[HOST-NAME].delinea.app/identity-federation/saml/logout-consumer
- Status: Select the box next to Enabled.
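The values that the Settings section says are auto-populated from the federation metadata file (Entity ID, IDP Login and Logout URLs, the signing certificate and its thumbprint) can be read out of the XML directly, which is a useful check against what the platform shows after Apply. The following is an added example written for this page; it is not Delinea or Microsoft code. It assumes standard SAML 2.0 metadata layout, and the tenant ID, login.microsoftonline.com locations and certificate bytes in the sample are constructed placeholders rather than a real tenant's metadata. Not valid before/after and Issuer come from inside the X.509 certificate and would need an X.509 parser, so they are not extracted here.

```python
# Added example (not Delinea or Microsoft code): extract the fields the
# platform auto-populates from Entra federation metadata XML.
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the DER certificate; a real file holds an X.509 cert.
FAKE_CERT_DER = b"constructed-placeholder-not-a-real-certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed sample metadata; the tenant ID matches the page's Entity ID example.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/808444af-4011-40d5-9b0a-a9a5c95f88e9/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/808444af-4011-40d5-9b0a-a9a5c95f88e9/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/808444af-4011-40d5-9b0a-a9a5c95f88e9/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def thumbprint(cert_b64):
    """Thumbprint as the platform displays it: SHA-1 over the DER bytes, upper-case hex."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()


def parse_federation_metadata(xml_text):
    """Return the Entity ID, IdP endpoints and signing certificate(s) from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; this is not IdP metadata")

    def location(tag):
        # Prefer the HTTP-Redirect binding, which is what the browser SSO flow uses.
        for svc in idp.iterfind(f"md:{tag}", MD_NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None

    # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
    signing = [
        k.findtext(".//ds:X509Certificate", default="", namespaces=MD_NS).strip()
        for k in idp.iterfind("md:KeyDescriptor", MD_NS)
        if k.get("use", "signing") == "signing"
    ]
    if not signing:
        raise ValueError("metadata carries no signing certificate; assertions could not be verified")

    return {
        "entity_id": root.get("entityID"),
        "idp_login_url": location("SingleSignOnService"),
        "idp_logout_url": location("SingleLogoutService"),
        "signing_certificates": signing,
        "thumbprints": [thumbprint(c) for c in signing],
    }


if __name__ == "__main__":
    for key, value in parse_federation_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real downloaded file by replacing SAMPLE_METADATA with the file contents; the thumbprint it prints should match the Thumbprint field the platform fills in from the Certificate (Base64) file, and the two Location values should match the IDP Login URL and IDP Logout URL you paste in.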
Advanced Settings
See Advanced Settings (SAML only) under Federation Management.
Attribute Mappings
Source | Destination
EmailAddress | email
Name | displayname
nameidentifier | sub
upn | upn
Group Mappings
- Click Add Group Mapping.
- Under Attribute, enter 'groups' (all lowercase).
- Under Source Name, enter the Object ID copied from the appropriate group on the Microsoft Entra ID Groups page.
- From the Groups drop-down, select a group. (You can use the groups attribute to map more than one group.)
Also see Mapping Federated Groups under Federation Management.
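To see what the Attribute Mappings table above and the Group Mappings produce from a real SAML token, it helps to apply the same Source to Destination mapping to an assertion yourself. The following is an added example for this page, not Delinea or Microsoft code; it covers the claims configured in the Attributes and Claims Mappings section, the Attribute Mappings table and the Group Mappings. It assumes that a Source name matches on its last path segment (so both the short name upn and a full claim URI are accepted), that group object IDs arrive in the Entra SAML group claim, and that the assertion, user values and group Object IDs are constructed. Signature and Conditions validation happen on the real response before any of this and are out of scope here.

```python
# Added example (not Delinea or Microsoft code): apply the platform's
# attribute and group mappings to the claims in a SAML assertion.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Source -> Destination table from the Attribute Mappings section.
ATTRIBUTE_MAPPINGS = {
    "emailaddress": "email",
    "name": "displayname",
    "nameidentifier": "sub",
    "upn": "upn",
}
REQUIRED_DESTINATIONS = ("email", "displayname", "sub", "upn")

# Constructed group mapping: Entra group Object ID -> platform group name.
# The GUIDs are placeholders, not real directory objects.
GROUP_MAPPINGS = {
    "11111111-1111-1111-1111-111111111111": "Platform Administrators",
    "22222222-2222-2222-2222-222222222222": "Secret Server Users",
}
GROUP_CLAIM = "groups"  # last segment of the Entra group claim URI (assumption)

# Constructed, unsigned sample assertion with the four required claims plus groups.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="nameidentifier">
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="upn">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def short_name(claim_name):
    """'http://.../claims/emailaddress' -> 'emailaddress'; 'upn' -> 'upn'."""
    return claim_name.rstrip("/").rsplit("/", 1)[-1].lower()


def extract_claims(assertion_xml):
    """Return {short claim name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        claims.setdefault(short_name(attr.get("Name", "")), []).extend(values)
    return claims


def missing_required(assertion_xml):
    """List the Destination attributes that no claim in the assertion maps to."""
    present = {ATTRIBUTE_MAPPINGS[c] for c in extract_claims(assertion_xml) if c in ATTRIBUTE_MAPPINGS}
    return [d for d in REQUIRED_DESTINATIONS if d not in present]


def map_assertion(assertion_xml):
    """Apply the attribute and group mappings; fail closed if a required claim is absent."""
    missing = missing_required(assertion_xml)
    if missing:
        raise ValueError("assertion lacks claims for: " + ", ".join(missing))
    claims = extract_claims(assertion_xml)
    user = {ATTRIBUTE_MAPPINGS[c]: claims[c][0] for c in claims if c in ATTRIBUTE_MAPPINGS}
    # Only Object IDs present in Group Mappings are honoured; an unmapped ID
    # (the 9999... one above) is ignored rather than turned into a new group.
    user["groups"] = sorted(GROUP_MAPPINGS[g] for g in claims.get(GROUP_CLAIM, []) if g in GROUP_MAPPINGS)
    return user


if __name__ == "__main__":
    print(map_assertion(SAMPLE_ASSERTION))
```

The missing_required check is the one worth keeping in mind when a federated login fails after setup: if the nameidentifier claim was not added with user.objectid as its source (or was added under a different name), the assertion carries no value for sub and the mapping should be rejected rather than guessed.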
User Mappings
Domains
- Click Add Domain and enter the domain from the email addresses of the users you are including in this federation.
- Optionally enable the Status of the provider.
- When all required fields are populated, click Add Provider.
Build an Entra OIDC Application
If you chose not to use SAML (described in the previous section, Build an Entra SAML Application), use the following technique to build an OIDC application.
- Log into the Entra ID portal.
- From the Entra ID Home page, click the Entra ID icon.
- Once inside the Entra ID service, click App Registrations from the left navigation.
- Along the top row, click + New Registration. The Register an application page appears.
- Fill out the fields as follows:
  - Name: Give the new application you are registering a name. Any descriptive name works. This name is displayed to users by Microsoft during the first login, but it does not matter to the Delinea Platform. For demonstration purposes, we use the name 'azure-oidc-testdemo'.
  - Supported account types: Click the one with Single tenant in its name. To see the difference between the account types, click Help me choose….
  - Redirect URL: This can be added in a later step.
- Click Register at the bottom left.
- From the left navigation, click Token Configuration.
- Click Add optional claim. A panel opens on the right side.
  - Under Token Type, click ID.
  - Under Claim, click preferred_username.
- Click Add at the bottom left.
Add the OIDC Provider to the Platform
- Log on to the platform.
- Click Settings from the left navigation, then click Federation Providers.
- Click Add Provider.
- Select OIDC from the drop-down menu. The Add Provider page opens.
Settings
- Name: Enter a unique name.
- Status: Select the box next to Enabled.
- Endpoint URL: This URL is based on your Entra ID tenant ID. To retrieve your Entra ID tenant ID:
  - Paste the copied portion of the URL into the Endpoint URL field on the platform.
- Client ID: Copy this value from your new Entra application page next to Application (client) ID and paste it into the Client ID field on the platform +Add Federation Service page.
- Client Secret:
  - Return to your new Entra application page.
  - Click Certificates & Secrets from the left navigation.
  - Click + New client secret.
  - In the panel that opens to the right, fill in the fields for Description and Expires.
  - Click Add at the bottom. A secret value is generated.
  - Copy the Secret value from the Value field.
  - Paste the value into the Client Secret field on the platform Add Provider page.
- Prompt: See Prompt for Re-authentication (OIDC only) under Federation Management.
- Platform Callback URL: Copy the platform callback URL and paste it into the Redirect URIs field in your new Microsoft Entra ID application.
Attribute Mappings
Some defaults are provided but can be overridden as needed. In this example we will replace the upn value with preferred_username.
Source | Destination
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | email
name | displayname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | sub
preferred_username | upn
Group Mappings
- Click Add Group Mapping.
- Under Attribute, enter 'groups' (all lowercase).
- Under Source Name, enter the Object ID copied from the appropriate group on the Microsoft Entra ID Groups page.
- From the Group drop-down, select a group. (You can use the groups attribute to map more than one group.)
Also see Mapping Federated Groups under Federation Management.
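The OIDC side of the configuration comes together in the ID token Entra returns: the Endpoint URL is derived from the tenant ID, the token must belong to this tenant and this Client ID, the optional preferred_username claim added under Token Configuration is what feeds upn, and the groups claim carries Object IDs that the Group Mappings turn into platform groups. The following is an added example for this page, not Delinea or Microsoft code, showing those checks and the Attribute Mappings table above applied to a constructed token. It assumes the application issues v2.0 tokens (issuer of the form https://login.microsoftonline.com/{tenant}/v2.0 and the standard discovery URL under that path), that a v2.0 token carries the short claim names email, name and sub alongside the URI-style sources in the table, and that the tenant ID, Client ID, subject and group IDs are placeholders. The sample token is built unsigned for the demonstration; the platform verifies the RS256 signature against the keys at the discovery document's jwks_uri before any claim is trusted, and that step is not reproduced here.

```python
# Added example (not Delinea or Microsoft code): ID token claim checks and
# the Attribute/Group Mappings for the OIDC provider.
import base64
import json
import time

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder Application (client) ID

# Attribute Mappings table (token claim -> platform attribute), plus the short
# claim names a v2.0 ID token uses for the same data (assumption).
ATTRIBUTE_MAPPINGS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "email": "email",
    "name": "displayname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "sub",
    "sub": "sub",
    "preferred_username": "upn",
}

# Constructed Group Mappings: Entra group Object ID -> platform group name.
GROUP_MAPPINGS = {"22222222-2222-2222-2222-222222222222": "Platform Administrators"}

# Constructed claims for the sample token; times are fixed so the checks are repeatable.
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
    "sub": "placeholder-pairwise-subject-id",
    "name": "Alice Example",
    "preferred_username": "alice@example.com",
    "email": "alice@example.com",
    "groups": ["22222222-2222-2222-2222-222222222222", "33333333-3333-3333-3333-333333333333"],
    "iat": 1_700_000_000,
    "nbf": 1_700_000_000,
    "exp": 1_700_003_600,
}


def discovery_url(tenant_id):
    """Endpoint URL derived from the tenant ID (standard Entra v2.0 layout; assumption)."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_payload(id_token):
    """Decode the payload segment. Nothing in it is trusted until the signature is verified."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))


def validate_claims(claims, tenant_id, client_id, now=None):
    """Return a list of problems; an empty list means the token fits this provider."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("issuer is not this tenant")
    if claims.get("aud") != client_id:
        problems.append("audience is not this application's Client ID")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the configured tenant (single-tenant app)")
    if "exp" not in claims or now >= claims["exp"]:
        problems.append("token has expired")
    if "nbf" in claims and now < claims["nbf"]:
        problems.append("token is not yet valid")
    if "preferred_username" not in claims:
        problems.append("preferred_username missing: add it under Token Configuration > Add optional claim")
    return problems


def map_user(claims, group_mappings):
    """Apply the Attribute Mappings and Group Mappings; unmapped group IDs are ignored."""
    user = {}
    for source, dest in ATTRIBUTE_MAPPINGS.items():
        if source in claims and dest not in user:
            user[dest] = claims[source]
    user["groups"] = sorted(group_mappings[g] for g in claims.get("groups", []) if g in group_mappings)
    return user


def build_sample_token(claims):
    """Constructed token with a placeholder signature segment, for the demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"typ": "JWT", "alg": "RS256"}) + "." + enc(claims) + ".signature-placeholder"


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_CLAIMS)
    claims = token_payload(token)
    print(discovery_url(TENANT_ID))
    print(validate_claims(claims, TENANT_ID, CLIENT_ID, now=1_700_000_100))
    print(map_user(claims, GROUP_MAPPINGS))
```

The single-tenant choice made when registering the application is what makes the iss and tid checks meaningful: a token minted for a different directory has a different tenant ID in both and is rejected before any attribute is mapped. The 3333... group ID in the sample shows the other side of Group Mappings: a group Entra sends that has no mapping on the platform grants nothing.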
User Mappings
See Mapping Federated Users under Federation Management.
Domains
- Click Add Domain and enter the domain from the email addresses of the users you are including in this federation. If you specify the Entra ID guest domain, then Entra guest users can also access the platform.
- When all required fields are populated, click Add Provider.
Add the Platform
- On the Entra App Registration page, click Authentication and then Add a platform.
- In the panel that opens on the right, click Web.
- Under Redirect URIs, enter your Platform Callback URL from your provider page.
- Click Configure at the bottom of the panel.
From Your Entra Application
- Log in to your Microsoft Entra ID application and open the Home page.
- From the left navigation menu, click App Registrations.
- Click the All applications tab.
- Click the appropriate SAML or OIDC federation application created by your organization.
- From the left navigation menu, click Token Configuration.
- Click + Add group claim.
- In the Edit group claims panel that opens, select the group types to include. We strongly recommend selecting Groups assigned to the application to ensure that only the needed groups are sent to the platform.
- Click Add at the bottom.
- From the breadcrumb path at the top of the page, select the name of the Entra ID directory you're configuring.
- Click Groups from the left navigation menu.
- Select the group you are working with and copy the group's Object ID.
From the Platform
- Log out of the Platform.
- Log back into the platform as a user who belongs to a platform group mapped to a Microsoft Entra ID group.
- Click Access from the left navigation menu, then click Groups from the secondary menu.
- Click a platform group that you've mapped to a Microsoft Entra ID group, where your user should appear.
- Click the Members tab.
- Verify that the user you logged in as is a member of the platform group that you mapped to a Microsoft Entra ID group.