Microsoft SSO

The following steps describe the state of Microsoft services at the time of creating this instruction (16/01/2024). The Microsoft identity platform interface may change, so for the most up-to-date information, refer to the official source and their official video guide

To log in to the AppSec portal through your Microsoft identity platform, follow these steps:

  1. Navigate to your Microsoft Entra using the link

  2. Navigate to Application -> App registrations section and register a new application

  1. You will see the following screen, where you need to copy the <Application (client) ID>:

  1. Now create a client secret on the "Certificates & secrets" tab:

  1. The final data you have to get here is the server metadata url.

Use the data created for your application to configure SSO integration in the AppSec portal:

  • Domain: login.microsoftonline.com

  • Client ID: <Application (client) ID>

  • Client Secret: <Value>

  • Server metadata url: <OpenID Connect metadata document>

MS Role Mapping

To create a role mapping in our portal, follow these steps:

  1. Create custom roles for Application

Navigate to Applications -> App registrations -> <Created application> -> App roles section and create all required roles here

  1. Now you will be able to assign users/groups to Application roles

For example select a group with all colleagues from IT department and assign them to our newly created role

  1. Configure the mapping of roles for your SSO connection. JSON key in JWT token with list of external groups field should equal to roles for this integration.

The integration only works with the roles value We know that Microsoft provides the guide with a clearly displayed "groups" key πŸ€·β€β™‚οΈ Get more information about this specific feature from the video

  1. If a mapping has not been previously configured, the first time you log in using Single Sign-On (SSO), the SSO settings will display a list of roles received from Microsoft under the name External Group Name. You can configure these roles by creating mappings. To do this, add the corresponding portal roles for each group from this list.

If new roles appear on the Microsoft's side, they will also appear as unassociated during the first login and you should associate them later.

Last updated