SSO With Microsoft Entra ID

Overview

Blindata seamlessly integrates with Microsoft Entra ID (formerly Azure Active Directory) to enable user Single Sign-On (SSO) within your SaaS deployment. This integration leverages OpenID Connect (OIDC) with Proof Key for Code Exchange (PKCE) to ensure secure authentication.

For organizations using Microsoft Entra ID, Blindata with Microsoft Entra sign-in provides a fast, secure, and seamless access experience:

  • Simplified User Experience: Users can sign in to Blindata with their existing Entra ID credentials, eliminating the need for separate logins and reducing password management challenges.
  • Enhanced Security: Entra ID enforces robust security policies, including multi-factor authentication (MFA), to protect user identities in line with your organization’s standards.
  • Centralized Identity Management: User access and permissions are managed directly from Entra ID, streamlining administration and maintaining consistent access controls.

Technical Details

  • Multi-Tenant Application: Blindata is registered as a multi-tenant application within Entra ID. For more information on multi-tenant and single-tenant applications, see Microsoft’s documentation.
  • OIDC with PKCE: Blindata uses the OpenID Connect (OIDC) protocol with PKCE for secure authentication with Entra ID. OIDC standardizes user authentication, while PKCE adds security during the authorization code exchange.
  • Microsoft Authentication Library (MSAL): Blindata uses MSAL to interact with Entra ID, simplifying the process of obtaining security tokens for user authentication and access to the Blindata platform.

In many organizations, users cannot grant app consent due to restrictions. If your organization’s Entra ID administrator has limited access to external applications, sign-in may require additional configuration. In this case, reach out to your Entra ID administrator to:

  1. Perform the initial login.
  2. Grant admin consent for the Blindata application.

Once this consent is granted, the service principal will appear in the catalog, allowing the administrator to configure permissions and access settings as needed.

Refer to Microsoft’s documentation for troubleshooting login issues:

Note

The configuration outlined in this guide is also applicable for Blindata on-premises and dedicated deployments with custom configurations. Contact your sales representative for technical guidance on configuring your on-premises or dedicated instance.

Authenticating a Daemon App with a Service Principal

To integrate a client (daemon) application with Microsoft Entra ID, set up a service principal, assign application permissions to access Blindata, and configure the OAuth2 client credentials flow for authentication.

Step 1: Create a Service Principal: A service principal is an identity that represents your app in Entra ID, enabling it to authenticate securely and access specified resources. Follow Microsoft’s guidance to register the client app and create a service principal.

Step 2: Assign Application Permissions: In the Entra ID portal, navigate to the app’s registration and assign application permissions (app-only permissions) for the resources your app needs. These permissions allow the app to perform specific tasks without user delegation.

Step 3: Create a corresponding user on Blindata: In Blindata, create a credential with the format msazure:{client_id}@{tenant_id}, give it a meaningful display name, and assign the required permissions.

Step 4: Configure OAuth2 Client Credentials Flow: Use the OAuth2 client credentials flow to authenticate the daemon app. This flow allows the app to authenticate with Entra ID using its client ID and client secret or a certificate, obtaining an access token. This token grants the app access to protected Entra ID APIs based on the assigned permissions.
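Steps 3 and 4 above, as an added example that is not Blindata's own code: it derives the Blindata credential name from the service principal's ids and performs the client credentials grant against the Entra ID v2.0 token endpoint. The tenant id, client id, client secret and the Blindata resource scope (api://<blindata-app-id>/.default) are placeholders you take from your own app registration.

```python
"""Client-credentials token request for a daemon app against Microsoft Entra ID.
Added example, not Blindata's own code; the resource scope and the ids are
placeholders you replace with values from your own app registration."""
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def blindata_credential_name(client_id: str, tenant_id: str) -> str:
    """Name of the Blindata credential that represents this service principal (Step 3)."""
    return f"msazure:{client_id}@{tenant_id}"


def build_token_request(tenant_id, client_id, client_secret, scope):
    """Return (url, form body) for the client-credentials grant (Step 4).
    scope is '<resource app id uri>/.default': it requests the application
    permissions already granted by the admin (Step 2); no user is involved."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return TOKEN_ENDPOINT.format(tenant_id=tenant_id), body


def parse_token_response(raw: bytes) -> dict:
    """Keep only the token and its lifetime; fail loudly on an Entra error payload."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return {"access_token": data["access_token"], "expires_in": int(data["expires_in"])}


def fetch_access_token(tenant_id, client_id, client_secret, scope) -> dict:
    """POST to the token endpoint; the secret travels only in the request body."""
    url, body = build_token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    TENANT, CLIENT, SECRET = "<tenant-id>", "<client-id>", "<client-secret>"  # placeholders
    print("Blindata credential to create:", blindata_credential_name(CLIENT, TENANT))
    tok = fetch_access_token(TENANT, CLIENT, SECRET, "api://<blindata-app-id>/.default")
    print("access token obtained; expires in", tok["expires_in"], "s")
```

Store the client secret (or prefer a certificate) in a secret store rather than in source, and treat the returned expires_in as the cue to request a fresh token rather than caching it indefinitely.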

Additional Resources: For detailed steps on setting up a service principal and configuring permissions, refer to Microsoft’s documentation: