Panaseer SSO with Microsoft Entra ID and OIDC


This document runs through the basic steps to configure an SSO integration in Panaseer with Microsoft Entra ID using OIDC.

Please contact your CSM if you need support from our engineering teams.

Register a new application

  1. Log in to Microsoft Azure and search for App registrations.
  2. Click New registration.

    [Screenshot: New registration]

  3. Enter the application Name, such as Panaseer, and click Register. You can leave the other fields on the page at their default values.
  4. Once the application has been registered, record the values for the Application (client) ID and the Directory (tenant) ID as you will need to pass these on to our Customer Success team.

[Screenshot: Client and Tenant IDs]

Create a client secret

  1. On the Overview page, click the Manage dropdown and then select Certificates & secrets.
  2. Click New client secret, enter a Description and select the date that the secret Expires.
    [Screenshot: New Client Secret]
  3. Click Add.

    The new client secret is displayed.

    [Screenshot: Secret Value]

  4. Make a note of the Value generated for the Panaseer app as well as the expiry date for that secret, and pass this on to your Panaseer Customer Success representative.

The client secret Value can only be viewed immediately after creation. Be sure to make a note of the secret before leaving the page.

Set up Authentication URIs

  1. On the Overview page, click the Manage dropdown and then select Authentication.
  2. Click Add a platform and then under Web applications, click Web.

    [Screenshot: Add platform URIs]

  3. Add two URIs under Redirect URIs. Once you've added the first URI, you can click Add URI on the Platform configurations page to add the second.
  4. You can get the URI values from your Panaseer Customer Success representative:

    https://{hostname}/psdl/auth/callback?client_name=OidcClient

    https://{hostname}/psdl/auth/sso-logout-callback

    Don't forget to replace {hostname} with your host name. For example:

    https://c123.panaseer.com/psdl/auth/callback?client_name=OidcClient

    https://c123.panaseer.com/psdl/auth/sso-logout-callback

    [Screenshot: URI values]

  5. Click Save to add the URIs to the platform.
  6. Scroll down to the Implicit grant and hybrid flows settings and ensure that both the Access tokens and the ID tokens options are not checked.

[Screenshot: Disallow tokens]

Configure email claim

For full and up-to-date documentation on configuring claims, refer to Microsoft’s documentation.

  1. On the Overview page, click the Manage dropdown and then select Manifest.
  2. Find the attribute optionalClaims in the JSON file.

    [Screenshot: Optional claims]

  3. Change the value for optionalClaims from null to the following JSON:

    "optionalClaims": {
        "idToken": [
            {
                "name": "email",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "accessToken": [],
        "saml2Token": []
    },

Configure Panaseer Groups and Entra ID Application Roles

For full and up-to-date documentation on this, refer to Microsoft’s documentation.

  1. On the Overview page, click the Manage dropdown and then select App roles.
  2. Create the same number of application roles as you have Groups in Panaseer. You can find Panaseer groups by clicking the Settings button in the left-hand menubar and then selecting Access Management > Groups.

    [Screenshot: Panaseer Groups]

  3. Click Create app role to start adding roles. Ensure that Allowed member types is set to Both as shown.
  4. The Value field is mapped 1-1 with Group names in Panaseer and determines which groups a user is assigned to when they log in with Entra ID. We recommend using a Display name and Value similar to the Panaseer Group name for clarity.

[Screenshot: Create app role]

App roles are listed in the same order that they are created, so we recommend using the same order as the Panaseer Groups.

[Screenshot: App roles]
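The three preceding sections (redirect URIs, implicit grant disabled, the email optional claim, and one app role per Panaseer group) are all visible in the app registration's manifest, so they can be checked in one pass before the IDs and secret are handed to Customer Success. The script below is an added example and is not Panaseer tooling or Microsoft code. It checks a constructed sample manifest written in the legacy (Azure AD Graph) manifest format, whose attribute names replyUrlsWithType, oauth2AllowImplicitFlow, oauth2AllowIdTokenImplicitFlow, optionalClaims and appRoles are assumed here; the host name c123.panaseer.com and the group names Admins and Analysts are the sample values used in this guide and in this example.

```python
"""Offline check of an Entra ID app manifest against the settings this guide
asks for. Added example, not Panaseer tooling or Microsoft code. The sample
manifest is constructed and uses the legacy (Azure AD Graph) manifest
attribute names: replyUrlsWithType, oauth2AllowImplicitFlow,
oauth2AllowIdTokenImplicitFlow, optionalClaims and appRoles."""
import json

# Constructed sample: the Panaseer groups under Settings > Access Management.
PANASEER_GROUPS = ["Admins", "Analysts"]
HOSTNAME = "c123.panaseer.com"  # the example host name used in this guide

# Constructed sample manifest, trimmed to the attributes the guide touches.
SAMPLE_MANIFEST = json.loads("""
{
  "replyUrlsWithType": [
    {"url": "https://c123.panaseer.com/psdl/auth/callback?client_name=OidcClient", "type": "Web"},
    {"url": "https://c123.panaseer.com/psdl/auth/sso-logout-callback", "type": "Web"}
  ],
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowIdTokenImplicitFlow": false,
  "optionalClaims": {
    "idToken": [{"name": "email", "source": null, "essential": false, "additionalProperties": []}],
    "accessToken": [],
    "saml2Token": []
  },
  "appRoles": [
    {"displayName": "Admins", "value": "Admins", "allowedMemberTypes": ["User", "Application"], "isEnabled": true},
    {"displayName": "Analysts", "value": "Analysts", "allowedMemberTypes": ["User", "Application"], "isEnabled": true}
  ]
}
""")


def expected_redirect_uris(hostname):
    """The two redirect URIs from this guide, with {hostname} filled in."""
    return {
        f"https://{hostname}/psdl/auth/callback?client_name=OidcClient",
        f"https://{hostname}/psdl/auth/sso-logout-callback",
    }


def check_manifest(manifest, hostname, groups):
    """Return a list of findings; an empty list means the manifest matches the guide."""
    findings = []

    # 1. Redirect URIs: both must be registered on the Web platform.
    registered = {
        r["url"] for r in manifest.get("replyUrlsWithType", []) if r.get("type") == "Web"
    }
    for uri in sorted(expected_redirect_uris(hostname) - registered):
        findings.append(f"missing Web redirect URI: {uri}")

    # 2. Implicit grant: neither access tokens nor ID tokens may be issued that way.
    if manifest.get("oauth2AllowImplicitFlow"):
        findings.append("implicit grant for access tokens is enabled")
    if manifest.get("oauth2AllowIdTokenImplicitFlow"):
        findings.append("implicit grant for ID tokens is enabled")

    # 3. Optional claims: the email claim must be requested in the ID token.
    id_token_claims = (manifest.get("optionalClaims") or {}).get("idToken") or []
    if not any(c.get("name") == "email" for c in id_token_claims):
        findings.append("optionalClaims.idToken does not request the email claim")

    # 4. App roles: one enabled role per Panaseer group, Value equal to the
    #    group name, Allowed member types set to Both (User and Application).
    roles = {r["value"]: r for r in manifest.get("appRoles", []) if r.get("isEnabled", True)}
    for group in groups:
        role = roles.get(group)
        if role is None:
            findings.append(f"no enabled app role with value {group!r}")
        elif set(role.get("allowedMemberTypes", [])) != {"User", "Application"}:
            findings.append(f"app role {group!r} allowed member types must be Both")
    for value in sorted(set(roles) - set(groups)):
        findings.append(f"app role {value!r} has no matching Panaseer group")
    return findings


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST, HOSTNAME, PANASEER_GROUPS) or ["manifest matches the guide"]:
        print(finding)
```

To run it against a real registration, replace SAMPLE_MANIFEST with the JSON downloaded from the Manifest page and set HOSTNAME and PANASEER_GROUPS to your own values; a role whose Value differs from the Panaseer group name by even a character is reported, since the mapping is exact.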

Assign App roles to Enterprise groups

The last step in configuring SSO with OIDC is to assign the App roles created in the previous section to Enterprise Application users and groups. Any user covered by such an assignment then inherits the role, and with it the matching Panaseer group, when they log in to Panaseer.

  1. Go to the Enterprise Application Overview and click Users and groups.

    Click How do I assign App roles on the App roles page to display a shortcut to the Enterprise Application overview.

  2. Click Add user/group to display the Add Assignment page.
  3. Under Users and groups, click None Selected.
  4. Click the Users tab and then use the Search bar to locate the required user. In this example, Admin.

    [Screenshot: Select user]

  5. Click Select to add the user to the assignment.
  6. Under Select a role, click None Selected.
  7. Select a role from the right-hand side of the page. The roles are populated with the Values you added in the previous section, so select the relevant role. In this example, Admins.

    [Screenshot: Select role]

  8. Click Select to add the role to the assignment.
  9. Click Assign to finish.
  10. Repeat the Add user/group step for all groups within Panaseer to complete the process.

[Screenshot: Users and groups]
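What the assignment above produces at login time is an ID token carrying the user's email claim (requested under Configure email claim) and, in the standard roles claim that Entra ID uses for assigned app roles, the Values of the roles the user holds. The snippet below is an added example, not Panaseer's login code, showing how those claims map onto Panaseer groups and what a correct mapping should refuse: a token with no email claim (the optional claim was not configured) or a token whose roles match no Panaseer group. The token payload is constructed and unsigned for illustration; signature, issuer and audience verification are assumed to have already happened upstream, and the group names Admins and Analysts are sample values.

```python
"""Map the claims of an Entra ID-issued ID token onto Panaseer groups.
Added example, not Panaseer's login code. Entra ID places the Values of the
app roles assigned to a user in the `roles` claim; the `email` claim is
present only when requested via optionalClaims. Signature, issuer and
audience checks are assumed done before this point; the payload below is a
constructed, unsigned sample."""
import base64
import json

# Constructed sample: the group names configured in Panaseer.
PANASEER_GROUPS = {"Admins", "Analysts"}


def decode_payload(segment):
    """Base64url-decode one JWT segment (JWS omits '=' padding, so restore it)."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def resolve_groups(claims, known_groups):
    """Return (email, groups, unknown_roles, error).

    error is None when the user can be mapped to at least one Panaseer group;
    otherwise it explains why the login must be refused."""
    email = claims.get("email")
    if not email:
        return None, set(), set(), "no email claim in ID token; check optionalClaims"
    roles = set(claims.get("roles", []))
    groups, unknown = roles & known_groups, roles - known_groups
    if not groups:
        return email, set(), unknown, "no app role matches a Panaseer group; refuse login"
    return email, groups, unknown, None


# Constructed sample payload (not a real token): one matching role, one stale
# role whose Value no longer corresponds to any Panaseer group.
SAMPLE_PAYLOAD = {"email": "admin@example.com", "roles": ["Admins", "Legacy"]}
SAMPLE_SEGMENT = (
    base64.urlsafe_b64encode(json.dumps(SAMPLE_PAYLOAD).encode()).rstrip(b"=").decode()
)

if __name__ == "__main__":
    email, groups, unknown, error = resolve_groups(decode_payload(SAMPLE_SEGMENT), PANASEER_GROUPS)
    print(f"user={email} groups={sorted(groups)} unmatched_roles={sorted(unknown)} error={error}")
```

Roles that match nothing are returned separately rather than ignored silently: a Value that drifted away from its Panaseer group name (a renamed group, a typo in the app role) is the most common reason a user lands in Panaseer with fewer permissions than expected, and surfacing it in the login log makes that easy to spot.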
