MS Entra ID (OIDC)

Prerequisites

Permissions required for registering and configuring an app in Microsoft Entra ID

The account must have permission to manage applications in Microsoft Entra ID. Because this guide also grants admin consent to the application, the account should ideally hold the Global Administrator role.

Implement Single Sign-On (SSO)

It is recommended to use two separate browser tabs for the Azure (A) and Keycloak (K) portals to make it easier to apply the settings.

  1. (A) In the first tab, sign in to the Azure Portal.

  2. (A) Search for Microsoft Entra ID. Expand Manage in the left pane and click App registrations.

  3. (A) Select Endpoints.

  4. (A) Copy the value from the OpenID Connect metadata document field.

  5. (K) Open a new tab in your browser and log in to the target Spark tenant. Access the Keycloak console from the User menu.

  6. (K) Log in to the Keycloak Admin Console using your admin credentials.

  7. (K) Select Identity Providers from the left pane.

  8. (K) Expand the Add Provider dropdown and choose OpenID Connect v1.0.

  9. (K) Find the Discovery Endpoint field and paste the OpenID Connect metadata document URL copied in step 4.

  10. (K) Click on the Show metadata link. You'll notice that some metadata fields are automatically filled in.

  11. (K) Fill in values for the Alias and Display Name fields. The Alias should be a lowercase name without special symbols. Please note this Display Name will appear in the button on the Spark login page.

  12. (K) Copy the Redirect URI value.

  13. (A) Switch to Microsoft Entra ID. Select App registrations, then select New registration.

  14. (A) Enter a name for the application, e.g. Coherent Spark UAT.

  15. (A) Select the supported account type that is appropriate for your organization.

  16. (A) Under Redirect URI, paste the Redirect URI value copied from Keycloak in step 12.

  17. (A) Select Register.

  18. (A) Copy the Application (Client) ID from the Overview page.

  19. (K) Return to Keycloak. In the Client ID field, paste the value copied in the previous step.

  20. (A) Switch to Microsoft Entra ID. Go to Certificates & secrets.

  21. (A) Select New Client Secret and fill out the Description and Expiration fields.

  22. (A) Select Add and copy the value.

  23. (K) Return to Keycloak. In the Client Secret field, paste the value copied in the previous step.

  24. (K) Scroll to the bottom of the page and click Save.

  25. (A) Switch to Microsoft Entra ID. Go to API permissions.

  26. (A) Select Grant admin consent for {your Microsoft Entra ID} to grant permissions to the application.

  27. Navigate to your Spark tenant and sign in using the newly created provider. There will be a button on the Keycloak login page with the display name defined earlier.
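Two values in the procedure above are easy to get wrong by hand: the metadata document pasted in step 9 and the Redirect URI exchanged in steps 12 and 16. The following added example (not part of this guide or of Keycloak) checks a discovery document for the fields Keycloak needs and reconstructs the broker Redirect URI from the alias chosen in step 11; the tenant id, the Keycloak host, the realm name and the alias character rule (lowercase letters, digits, hyphens) are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of the OpenID Connect metadata document behind the discovery
# URL copied in step 4 (placeholder tenant id, not a real tenant).
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_metadata(doc_text):
    """Return the problems found in a discovery document (an empty list means it is usable)."""
    doc = json.loads(doc_text)
    problems = [f"missing field: {name}" for name in REQUIRED_FIELDS if name not in doc]
    for name in REQUIRED_FIELDS:
        # every endpoint Keycloak will call must be served over TLS
        if name in doc and urlparse(doc[name]).scheme != "https":
            problems.append(f"{name} is not an https URL")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID token signatures")
    return problems


def valid_alias(alias):
    """Step 11 rule: lowercase, no special symbols (assumption: digits and hyphens allowed)."""
    return re.fullmatch(r"[a-z0-9-]+", alias) is not None


def expected_redirect_uri(keycloak_base, realm, alias):
    """Redirect URI Keycloak shows in step 12 for a broker alias (standard Keycloak URL layout)."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"
```

Compare the value returned by expected_redirect_uri with the Redirect URI registered in Entra ID in step 16; any mismatch (trailing slash, wrong realm, changed alias) makes Entra ID reject the sign-in.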

Configure app roles to Spark user groups

It is recommended to use two separate browser tabs for the Azure (A) and Keycloak (K) portals to make it easier to apply the settings. In this guide, we will set up automatic group assignment for the tenant-admin role.

  1. (A) In the first tab, sign in to the Azure Portal.

  2. (A) Search for and select Microsoft Entra ID.

  3. (A) Select App registrations, then select the application you previously created and click App roles.

  4. (A) Select Create app role.

  5. (A) Provide the following values then select Apply.

    Key                                   Value
    Allowed member types                  Users/Groups
    Display name                          tenant-admin
    Value                                 tenant-admin
    Description                           Your app role description
    Do you want to enable this app role?  True

  6. (A) Click Overview in the left pane, then click the application link under Managed application in local directory.

  7. (A) Select Properties from the left pane.

  8. (A) Set Assignment required? to True and select Save.

  9. (A) Select Users and Groups from the left pane and then Add user/group.

  10. (A) Assign your test account to the tenant-admin role.

  11. (K) Open a new tab in your browser and log in to the target Spark tenant. Access the Keycloak console from the User menu.

  12. (K) Log in to the Keycloak Admin Console using your admin credentials.

  13. (K) Select Identity Providers from the left pane and then the identity provider you configured in the previous section.

  14. (K) Select the Mappers tab and then Add mapper.

  15. (K) Provide the following values.

    Name                  Value
    Name                  tenant-admin
    Sync mode override    force
    Mapper type           Advanced Claim to Group

  16. (K) Click Add Claims.

  17. (K) Provide the following values:

    Key     Value
    roles   tenant-admin

  18. (K) Leave Regex Claim Values as Off (which is the default).

  19. (K) Click Select Group, choose tenant-admin, then click Select.

  20. (K) Click Save.

  21. Sign in to Coherent Spark with your test account. Click on your initials and hover over the groups icon to confirm your membership in tenant-admin.

  22. We highly recommend creating at least a few additional app roles and matching Spark groups relevant for Private tenants:

    • Group for supervisor:pf user accounts. In Spark, supervisor:pf members can manage permissions across all folders.

    • Groups for "standard" user accounts, e.g. user:teamA, user:teamB. These groups can be assigned to the users in your organization not responsible for tenant administration. Creating multiple roles for "standard" user accounts can be useful to separate access between teams.
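To make the mapper configuration from steps 15 to 19 concrete, here is an added example (a simplified model, not Keycloak's own mapper code) that applies an Advanced Claim to Group mapper to the claims of an ID token. It shows why Sync mode override is set to force: a role removed in Entra ID is then also removed from the user's Spark groups at the next sign-in, whereas with the import mode the mapper only acts on the first login. The token claims are constructed sample values; the mode names force and import and the "all claims must match" rule follow Keycloak's documented behaviour.

```python
import re

# Constructed ID-token claims as Entra ID would issue them once step 10 has assigned
# the test account to the tenant-admin app role (sample values, not a real token).
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "preferred_username": "test.user@example.com",
    "roles": ["tenant-admin", "user:teamA"],
}

# The mapper from steps 15-19: claim "roles" must equal "tenant-admin",
# Regex Claim Values off, Sync mode override "force", target group tenant-admin.
MAPPER = {"claims": {"roles": "tenant-admin"}, "regex": False,
          "sync_mode": "force", "group": "tenant-admin"}


def claim_matches(claims, name, wanted, regex):
    """True if the claim exists and one of its values equals (or, with regex on, fully matches) wanted."""
    values = claims.get(name)
    if values is None:
        return False
    if not isinstance(values, list):   # Entra ID sends "roles" as a list; tolerate a bare string too
        values = [values]
    if regex:
        return any(re.fullmatch(wanted, str(v)) for v in values)
    return any(str(v) == wanted for v in values)


def apply_mapper(current_groups, claims, mapper, first_login=True):
    """Return the user's Keycloak groups after a login (simplified model of the mapper).

    Every configured claim must match. With sync mode "force" membership is re-evaluated on
    each login, so a role revoked in Entra ID drops the group; with "import" the mapper runs
    only on the first login and later revocations are not reflected.
    """
    groups = set(current_groups)
    if mapper["sync_mode"] == "import" and not first_login:
        return sorted(groups)
    matched = all(claim_matches(claims, name, wanted, mapper["regex"])
                  for name, wanted in mapper["claims"].items())
    if matched:
        groups.add(mapper["group"])
    else:
        groups.discard(mapper["group"])
    return sorted(groups)
```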

Enable Privileged Identity Management (PIM)

See MS Entra ID Privileged Identity Management (PIM).

Create an enterprise application for Coherent Spark

See Microsoft Apps.
