7.4 Sample configuration for Entra
This section contains a sample myid.production.json file set up for Microsoft Entra that you can use as a starting point for your own configuration. Copy this information into the myid.production.json file in the SSRPOID folder. You may have to create this file, or replace the contents of an existing myid.production.json file; by default, the SSRPOID folder is in the following location:
C:\Program Files\Intercede\MyID\SSRP\SSRPOID
7.4.1 Configuring the file for your own settings
You must replace the following settings with your own values:
- Url – replace the tenant ID in the middle of the URL with your own tenant ID:
  https://login.microsoftonline.com/<tenant ID>/v2.0
  You can obtain your tenant ID from the Microsoft Entra Overview page.
- ClientId – replace with your own client ID.
  You can obtain your client ID from the Microsoft Entra Overview page.
- ClientSecret – replace with an encrypted version of your own client secret.
  You can obtain your client secret when you create it in the Microsoft Entra portal, and you can encrypt it using the provided DPAPIEncrypt.ps1 PowerShell script; see section 7.3.1, Encrypting the client secret for details.
See section 7.3, Configuring the Self-Service Request Portal for external identity providers for more information about the content of this file.
7.4.2 Setting up redirect URIs
You must also make sure that you add the Redirect URI for the provider in the Microsoft Entra portal.
In this case, the Name is Entra, and it is included in the SSRPOID web application, so if your server name is myserver.example.com, the redirect URI would be:
https://myserver.example.com/SSRPOID?name=Entra
See section 7.2, Configuring your external identity provider for details.
7.4.3 Example myid.production.json file for Microsoft Entra
{
  "Providers": [
    {
      "Name": "Entra",
      "DisplayName": "Login with your Microsoft account",
      "Url": "https://login.microsoftonline.com/b785ece2-47dd-4eb6-acee-be595bbce9b3/v2.0",
      "Enabled": true,
      "Type": "oid",
      "Default": true,
      "Scopes": "openid email profile",
      "RequiredAudience": "",
      "RequiredIssuer": "",
      "ClientId": "4d58a40d-d199-46d7-9da5-f363b071fc44",
      "ClientSecret": "AQAAANCMnd8BFdERjHoAwE/C [...] JwWwaKXWoS3i+ulxtmjVQyudpQ==",
      "RetrieveUserInfo": true,
      "Mappings": [
        {
          "Match": {
          },
          "Attributes": [
            {
              "From": "oid",
              "To": "XuSYSExternalReferenceId1",
              "Mandatory": true,
              "Unique": true,
              "Update": true
            },
            {
              "From": "preferred_username",
              "To": "Email",
              "LookupExisting": true,
              "LdapSync": true
            },
            {
              "From": "name",
              "To": "FullName"
            },
            {
              "From": "family_name",
              "To": "Surname",
              "Update": true
            },
            {
              "From": "given_name",
              "To": "FirstName"
            },
            {
              "From": "",
              "To": "Roles",
              "Static": "<role name='Derived Credential Owner' scope='1'/><role name='Cardholder' scope='1'/>"
            },
            {
              "From": "",
              "To": "GroupName",
              "Static": "Imported From Microsoft"
            },
            {
              "From": "",
              "To": "ParentGroupName",
              "Static": "Derived Credentials"
            }
          ]
        }
      ]
    }
  ]
}
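The following Python script is an added example, not part of MyID or this manual: it checks a myid.production.json such as the one above before deployment, verifying that ClientSecret is a DPAPI blob rather than a plaintext secret, that Url and ClientId have the expected tenant and client GUID shape, and that a Mandatory and Unique claim mapping exists, and it derives the redirect URI from the section 7.4.2 pattern. It assumes that RequiredAudience and RequiredIssuer restrict which tokens are accepted (their names suggest so; the sample leaves them empty), so it only flags them for review.

```python
import base64
import json
import re
from urllib.parse import quote

# Every DPAPI blob starts with version 1 plus the DPAPI provider GUID; the sample
# ClientSecret above ("AQAAANCMnd8B...") base64-decodes to exactly these bytes.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ENTRA_URL = re.compile(rf"^https://login\.microsoftonline\.com/({GUID})/v2\.0$", re.I)

def is_dpapi_blob(value: str) -> bool:
    """True if value is base64 text whose decoded bytes carry the DPAPI header."""
    try:
        return base64.b64decode(value, validate=True).startswith(DPAPI_HEADER)
    except ValueError:  # not valid base64, so certainly not an encrypted secret
        return False

def redirect_uri(server: str, provider_name: str) -> str:
    """Redirect URI to register in the Entra portal, following the 7.4.2 pattern."""
    return f"https://{server}/SSRPOID?name={quote(provider_name)}"

def check_provider(p: dict) -> list:
    """Return the problems found in one provider entry of Type 'oid'."""
    problems = []
    if not ENTRA_URL.match(p.get("Url", "")):
        problems.append("Url must be https://login.microsoftonline.com/<tenant ID>/v2.0")
    if not re.fullmatch(GUID, p.get("ClientId", ""), re.I):
        problems.append("ClientId is not a GUID")
    if not is_dpapi_blob(p.get("ClientSecret", "")):
        problems.append("ClientSecret is not a DPAPI blob; run DPAPIEncrypt.ps1 first")
    # Assumption: RequiredAudience/RequiredIssuer restrict which tokens are accepted.
    # The sample leaves them empty, so they are flagged for review, not as failures.
    for key in ("RequiredAudience", "RequiredIssuer"):
        if not p.get(key):
            problems.append(f"review: {key} is empty")
    # The identity key, as in the sample: a Mandatory+Unique mapping from a real claim.
    unique = [a for m in p.get("Mappings", []) for a in m.get("Attributes", [])
              if a.get("Unique")]
    if not any(a.get("Mandatory") and a.get("From") for a in unique):
        problems.append("no Mandatory+Unique claim mapping (e.g. oid -> XuSYSExternalReferenceId1)")
    return problems

def check_file(path: str) -> dict:
    """Check every enabled provider of Type 'oid' in a myid.production.json file."""
    with open(path, encoding="utf-8-sig") as fh:  # tolerate a BOM from Windows editors
        cfg = json.load(fh)
    return {p["Name"]: check_provider(p)
            for p in cfg["Providers"] if p.get("Type") == "oid" and p.get("Enabled")}
```

Run check_file against the SSRPOID copy of the file after editing it; an empty list for the Entra provider means only the intended values were changed.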