Microsoft Entra ID OnPrem

This guide walks you through the steps required to configure Microsoft Entra ID as a Single Sign-On (SSO) provider in an On Premise deployment of Observo using OpenID Connect (OIDC).

Prerequisites

  • Active Entra ID.

  • A running Observo On Premise deployment.

  • Admin access to both Entra ID and Observo.

Steps to Set Up Entra ID as an OIDC Identity Provider in Observo

1. Create an App Registration in Entra ID

You need to create an App registration in Entra ID to enable On Premise Observo to authenticate users.

  1. Log in to the Azure Portal and go to the Entra ID service.

  2. Go to App registrations under the Manage tab in the left menu.

  3. Click on New Registration.

  4. Provide a user facing display name for the App registration.

  5. Select the supported account types that can use this app.

  6. In the Redirect URI (optional) section, leave the field empty. We will configure it in a later part of this documentation.

  7. Click the Register button to create the App Registration.

2. Retrieve Entra ID Application Credentials and URLs

After creating the app registration in Entra ID, you will need its credentials and URLs for the Observo Keycloak configuration.

  1. In the app's Overview section, find Application (client) ID. Note this value as Client ID.

  2. From the top menu bar, select Endpoints. Note the following endpoints:

    • OAuth 2.0 authorization endpoint (v2) -> Authorization URL

    • OAuth 2.0 token endpoint (v2) -> Token URL

  3. Go to Manage > Certificates & secrets and create a new Client Secret. Note the value of this secret as Client Secret.

3. Configure Observo to Use Entra ID as an Identity Provider

Now, configure Entra ID as an Identity Provider in Observo Keycloak.

  1. Log in to Observo Keycloak with the Observo Admin user's credentials. Observo Keycloak is hosted at this URL:

    http://<ObservoOnPremURL>/observo-auth

  2. Select the realm of your Observo deployment to configure Entra ID SSO. master is the default realm.

  3. In the left-hand menu, click Identity Providers.

  4. From the Add provider dropdown, select OpenID Connect v1.0.

  5. Fill in the following details:

    • Alias: entra-oidc.

    • Display name: (Optional) The name that users will see on the login screen.

    • Turn off Use discovery endpoint if it is enabled.

    • Authorization URL: Use the Authorization URL from step (2).

    • Token URL: Use the Token URL from step (2).

  6. In the Client Authentication section:

    • Client ID: Paste the Client ID from Entra ID.

    • Client Secret: Paste the Client Secret from Entra ID.

  7. Click Save.

  8. Now open the newly created Identity Provider and click the Advanced drop-down field. Add the scopes openid email profile.

4. Add Redirect URI in Entra ID

After creating the Identity Provider in Keycloak, you need to provide the Redirect URI in Entra ID.

Observo Keycloak

  1. Go to the identity provider you just created in Keycloak for Entra ID and note the Redirect URI from the top of the page. It will look something like this:

    https://<YOUR_DOMAIN>/observo-auth/realms/master/broker/entra-oidc/endpoint

Entra ID

  1. Open the App registration you created in Entra ID.

  2. Go to Manage > Authentication.

  3. Find Platform configurations and click on Add a platform.

  4. Select Web application > Web and provide the Redirect URI from the previous step.

You have successfully configured Entra ID as your SSO provider for OnPrem Observo.
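A pre-flight check for the values noted in steps 2 to 4, added here as an example and not part of Observo's documentation or tooling: it confirms that both endpoints are v2 endpoints of the same tenant and that the Redirect URI registered in Entra ID matches the Keycloak realm and provider alias. It assumes the Entra ID global cloud host login.microsoftonline.com; the function name, tenant ID and domain are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: Entra ID global-cloud v2 endpoint layout; sovereign clouds use other hosts.
V2_ENDPOINT = re.compile(
    r"^https://login\.microsoftonline\.com/(?P<tenant>[^/]+)"
    r"/oauth2/v2\.0/(?P<kind>authorize|token)$"
)
# Redirect URI path layout shown in step 4 of this guide.
BROKER_PATH = re.compile(
    r"^/observo-auth/realms/(?P<realm>[^/]+)/broker/(?P<alias>[^/]+)/endpoint$"
)


def check_oidc_settings(auth_url, token_url, redirect_uri,
                        realm="master", alias="entra-oidc"):
    """Return a list of problems in the noted values (empty list = consistent)."""
    problems = []
    auth, token = V2_ENDPOINT.match(auth_url), V2_ENDPOINT.match(token_url)
    if not auth or auth["kind"] != "authorize":
        problems.append("Authorization URL is not a v2 authorize endpoint")
    if not token or token["kind"] != "token":
        problems.append("Token URL is not a v2 token endpoint")
    if auth and token and auth["tenant"].lower() != token["tenant"].lower():
        problems.append("Authorization and Token URLs use different tenants")

    parts = urlsplit(redirect_uri)
    # Entra ID accepts http redirect URIs only for localhost.
    if parts.scheme != "https" and parts.hostname != "localhost":
        problems.append("Redirect URI must use https")
    broker = BROKER_PATH.match(parts.path)
    if not broker:
        problems.append("Redirect URI path is not the Keycloak broker endpoint")
    else:
        if broker["realm"] != realm:
            problems.append(f"Redirect URI realm {broker['realm']!r} != {realm!r}")
        if broker["alias"] != alias:
            problems.append(f"Redirect URI alias {broker['alias']!r} != {alias!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant or deployment.
    base = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
    issues = check_oidc_settings(
        f"{base}/oauth2/v2.0/authorize",
        f"{base}/oauth2/v2.0/token",
        "https://observo.example.internal/observo-auth/realms/master/broker/entra-oidc/endpoint",
    )
    print(issues or "settings are consistent")
```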

5. Add Role Mapper (Optional)

To use the role mapper feature of Observo, follow the steps below:

  1. Go to Realm roles in Keycloak and create the roles you want to use in role mapping.

  2. Now go to the identity providers and select the Entra ID IdP that was created in the last step.

  3. We need to create mappers that map the Entra ID token claims to Keycloak roles. Later, the Keycloak roles will be inserted into the token.

  4. Steps to create a Mapper for a Role

    • Select the Mappers tab and click Add Mapper.

    • Give the new mapper a name (for example: AdminRoleMapper).

    • Set Sync mode override to Force.

    • Use Advanced Claim to Role as the Mapper Type.

    • Click Add Claims and use your Entra ID claim name as the Claim Key and a regex of the claim value as the value.

    • Mark Regex Claim Values if you are using regex in the claim value.

    • Now choose the Keycloak realm roles that you want to map to your Entra ID claim.

6. Test the Integration

Once the configuration is saved, test the Entra ID SSO integration.

  1. Access the Observo UI.

  2. Select the Observo Entra ID SSO option.

  3. Now log in with your Entra ID credentials.

  4. After successful authentication, you should be redirected back to the Observo UI and logged in.


By following these steps, you should have Entra ID successfully integrated into your Observo On Premise deployment.
