Skip to main content

Configure Federated Login for Raidiam Connect

Raidiam Connect supports federated login from Azure AD (Entra ID) via OIDC integration with the directory and OP admin services.

This guide shows the steps an organisation should take to coordinate setting up SSO with Raidiam.

Prerequisites

Raidiam will provide the following:

  • Redirect URI

  • Application Certificate

When the below setup is complete, Raidiam should be provided with:

  • client_id

  • Discovery URI

  • Token endpoint URI

  • Group ID - for users accessing OP Admin Service

Raidiam should also be informed of how the SSO should be configured:

  • Display name for login button

  • List of domains to use this SSO

    • If these domains should have SSO enforced

  • Any bypass policies EG: bypass 2FA, signup verification email

Azure Active Directory Configuration

  1. Log in to your Microsoft Azure portal and go to Azure Active Directory.

  2. Click Properties and save your Tenant ID for later.

  3. Under Manage, select Enterprise applications.

  4. Click New Application

  5. At the top of the Azure AD Gallery page, click Create your own application and enter a name.

  6. Select Integrate any other application you don't find in the gallery (Non-gallery) and then click Create. You’ll be taken to the application overview screen.

  7. You’ll need to register your application. Select Home in the breadcrumbs to go back to the Home screen.

  8. Select Azure Active Directory (Entra ID).

  9. In the menu, select App Registrations.

  10. Click New Registration.

  11. On the Register an application page, give the application a name.

  12. Set Supported account types to Accounts in this organisational directory only (Default Directory only - Single tenant).

  13. Click Register.

  14. Copy the Application (client) ID and save for later.

  15. Click Add a Redirect URI.

  16. Under Platform configurations, click Add a platform.

  17. Select Web.

  18. Set the Redirect URI to the one provided. This will be in a similar format to the below example: https://auth.{environment URL}/interaction/callback/{SSO Name}

  19. Click Save.

  20. Navigate to Certificates & Secrets for the app registration.

  21. Upload the certificate provided by Raidiam.

  22. Navigate to **Token Configuration **for the app registration.

  23. Click **Add groups claim **(required for OP Admin service) and select Groups assigned to the application.

  24. Navigate to API permissions and add the following Microsoft Graph Delegated permissions: email openid profile.

    Optionally, admin consent can be granted on behalf of the users to skip the first time consent screen.

  25. Using the Tenant ID found earlier, provide Raidiam with the Discovery URI & Token endpoint URI by substituting {Tenant ID} with your Azure Tenant ID in the following:

    • Discovery URI: https://login.microsoftonline.com/{TenantID}/v2.0/.well-known/openid-configuration

    • Token endpoint URI: https://login.microsoftonline.com/{Tenant ID}/oauth2/v2.0/token

OP Admin Service

The OP Admin Service requires SSO and members must also be part of a specified Azure group to gain access.

  1. Log in to your Microsoft Azure portal and go to Azure Active Directory.

  2. Select Groups and create a **New group **(security type recommended).

  3. Take note of the groups Object Id as this will need to be provided to Raidiam as the group ID.

  4. Navigate to Home in the breadcrumb menu.

  5. Under Manage, select Enterprise applications.

  6. Navigate to the Enterprise application previously configured for SSO.

  7. Navigate to Users and groups and Add user/group to add this group to your application.

Open Book IconTABLE OF CONTENT