Microsoft Azure AD - OIDC (v1.0)

  • A Microsoft Entra ID tenant
  • Admin privileges to configure applications in Azure AD
  • Access to the Azure portal

  1. Go to the Azure portal
  2. Navigate to Azure Active Directory > App registrations
  3. Click New registration
  4. Fill in the required fields:
    • Name: Choose a name for your application (e.g., HIPE) that will be displayed in the Azure portal
    • Supported account types: Choose the appropriate option for your use case
    • Redirect URI: Leave it empty for now; it is configured in a later step
  5. Click Register

Azure AD application registration step 1

Azure AD application registration step 2

  1. In the left navigation, click API permissions
  2. Click Add a permission > Microsoft Graph
  3. Select Delegated permissions and add:
    • User.Read
    • email
    • offline_access
    • openid
    • profile
  4. Click Add permissions
  5. Click Grant admin consent for [your tenant]

Azure AD API permissions step 1

Azure AD API permissions step 2

Azure AD API permissions step 3a

Azure AD API permissions step 3b

Azure AD API permissions expected result

  1. In the left navigation, click Authentication
  2. Under Platform configurations, click Add a platform
  3. Select Web
  4. Add the redirect URI: https://keycloak.packitoo.com/realms/REALM_NAME/broker/azure-ad-oidc/endpoint (This URL will be given to you by your Customer Success Manager)
  5. Click Configure

Azure AD authentication configuration

  1. In the left navigation, click Token configuration
  2. Click Add optional claim
  3. Add the claims below as needed (select the ID token radio button when choosing the token type):
    • email
    • family_name
    • given_name
    • preferred_username

Azure AD token configuration

  1. In the left navigation, click Certificates & secrets
  2. Under Client secrets, click New client secret
  3. Add a description and an expiration:
    • Description: HIPE SSO
    • Expiration: 24 months (a shorter expiration is possible, but keep in mind that you will then have to rotate the secret sooner)
  4. Click Add
  5. Copy the secret value (you won’t be able to see it again) and save it for later

Azure AD certificates and secrets

  1. In the left navigation, click Overview
  2. Copy the Directory (tenant) ID (e.g. 12345678-1234-1234-1234-123456789012)
  3. Open https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration, replacing {tenant-id} with the copied ID, and check that the URL returns the OpenID configuration document
  4. Copy the Application (client) ID and put it in the client ID field (see step 7 below)
  5. Copy the URL from the previous step and put it in the discovery URL field (see step 7 below)

Azure AD overview tenant ID

Azure AD discovery endpoint check

7. Share credentials with your Customer Success Manager

To avoid any issue, please share the following information with your Customer Success Manager, using a one-time secret sharing service such as:

The expected format is:

Client ID: <client-id> (e.g. zNR8Q~sdsdad)
Client Secret: <client-secret> (e.g. sds-aaaa-sdasd-eeee-adasdsd)
Discovery URL: <discovery-url> (e.g. https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration)
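Before handing the three values over (step 7), it is worth running a quick preflight check on them and on the discovery document from step 6: a `{tenant-id}` left unreplaced, a secret ID copied instead of the secret value, or a discovery URL pointing at the wrong tenant all produce a broker that silently fails at the first login. The script below is an added example and is not part of this guide, of HIPE or of Keycloak. It assumes that tenant and client IDs are GUIDs, that the discovery URL follows the `login.microsoftonline.com/{tenant-id}/v2.0` pattern shown above, and that the v2.0 issuer has the form `https://login.microsoftonline.com/{tenant-id}/v2.0`; the sample discovery document embedded in it is a constructed, trimmed stand-in for the real response.

```python
"""Preflight checks for the Azure AD OIDC values before sharing them.

Added example, not code from the original guide or from HIPE/Keycloak.
Assumptions (see lead-in): tenant and client IDs are GUIDs; the discovery
URL and issuer follow the login.microsoftonline.com/{tenant-id}/v2.0 pattern.
"""
import json
import re
import urllib.request
from urllib.parse import urlparse

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
LOGIN_HOST = "login.microsoftonline.com"
# Endpoints the OIDC broker needs in order to run the authorization code flow.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample values (not a real tenant) used for the offline demo.
SAMPLE_TENANT = "12345678-1234-1234-1234-123456789012"
SAMPLE_DOC = {  # constructed, trimmed stand-in for the real discovery response
    "issuer": f"https://{LOGIN_HOST}/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://{LOGIN_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://{LOGIN_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://{LOGIN_HOST}/{SAMPLE_TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def discovery_url(tenant_id: str) -> str:
    """Build the v2.0 discovery URL for a tenant; refuses a malformed tenant ID."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"tenant ID is not a GUID: {tenant_id!r}")
    return f"https://{LOGIN_HOST}/{tenant_id}/v2.0/.well-known/openid-configuration"


def check_discovery_url(url: str) -> list[str]:
    """Return the problems found in a discovery URL (empty list = looks right)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("discovery URL must use https")
    if parsed.netloc != LOGIN_HOST:
        problems.append(f"unexpected host {parsed.netloc!r}")
    parts = parsed.path.strip("/").split("/")
    # Expected path: <tenant-id>/v2.0/.well-known/openid-configuration
    if len(parts) != 4 or parts[1:] != ["v2.0", ".well-known", "openid-configuration"]:
        problems.append("path is not <tenant-id>/v2.0/.well-known/openid-configuration")
    elif not GUID_RE.match(parts[0]):
        problems.append("tenant segment is not a GUID (was {tenant-id} left unreplaced?)")
    return problems


def check_discovery_document(doc: dict, tenant_id: str) -> list[str]:
    """Validate the discovery JSON against what the broker will rely on."""
    problems = []
    expected_issuer = f"https://{LOGIN_HOST}/{tenant_id}/v2.0"
    if doc.get("issuer") != expected_issuer:
        # A wrong issuer means ID tokens will be rejected (or worse, trusted from
        # another tenant), so this is the first thing to verify.
        problems.append(f"issuer {doc.get('issuer')!r} != expected {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")
    return problems


def check_shared_values(client_id: str, client_secret: str, url: str) -> list[str]:
    """Sanity-check the three values from the step 7 format before sharing them."""
    problems = []
    if not GUID_RE.match(client_id):
        problems.append("client ID should be a GUID (Application (client) ID from Overview)")
    if GUID_RE.match(client_secret):
        # The portal shows both a 'Secret ID' (a GUID) and the 'Value'; only the
        # value works as a client secret.
        problems.append("client secret looks like a GUID: the secret ID was copied, not the value")
    problems.extend(check_discovery_url(url))
    return problems


def fetch_discovery_document(url: str, timeout: int = 10) -> dict:
    """Fetch the live discovery document (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url = discovery_url(SAMPLE_TENANT)
    print("URL problems:", check_discovery_url(url))
    print("Document problems:", check_discovery_document(SAMPLE_DOC, SAMPLE_TENANT))
    # For a real tenant: check_discovery_document(fetch_discovery_document(url), tenant)
```

Run it against your real tenant by swapping `SAMPLE_TENANT` for the Directory (tenant) ID from step 6 and feeding `fetch_discovery_document(url)` into `check_discovery_document`; an empty list from each check means the values are consistent with each other and safe to put in the step 7 message.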