Using Microsoft Entra ID

Microsoft Entra ID (formerly known as Azure AD) supports OIDC, so it can be used to facilitate single sign-on (SSO) with the Drillster platform. A few things need to be taken into account when configuring the client application.

Enable ID tokens

ID tokens are used to verify the identity of the user. By default, they are not enabled. To enable them for your app registration, under “Implicit grant and hybrid flows”, select the “ID tokens” (used for implicit and hybrid flows) checkbox.

Configure custom identity claim

The standard claim in the ID token that OIDC uses to identify the user is the sub claim. However, Entra ID populates this with an opaque value that is not useful in most situations. Typically, you want to use an ID such as an employee ID to identify the user. To do this, you need to configure your app registration to include a custom claim in the ID token that contains the desired user ID. Then, provide the name of this custom claim to Drillster, so that Drillster knows which claim to use to identify the user.

Please be aware that it is your responsibility to ensure that all Drillster accounts have the ID configured as a third party ID. Accounts that don’t have the ID configured will not be able to use OIDC SSO.

Using an email address as the ID is discouraged. Email addresses can typically be changed, and a changed email address will break SSO for the user unless the change is also made in the user’s Drillster account promptly. It is therefore strongly recommended to use an ID that is unique, immutable and never reused. In most cases, an employee ID meets these requirements.
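The claim handling described above, as an added example that is not Drillster's or Microsoft's code: once your JWT library has verified the token signature, take the user identifier from the configured custom claim rather than from sub, refuse tokens that lack the claim (those accounts cannot be matched), and refuse email-shaped values. The claim name employeeId, the tenant and client IDs and the sample claims are assumptions.

```python
import re

# Placeholders for your tenant and app registration (not real values)
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
ID_CLAIM = "employeeId"  # assumed name of the custom claim you report to Drillster
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class IdTokenError(ValueError):
    """Raised when the ID token cannot be used to identify a Drillster account."""


def resolve_user_id(claims, now, id_claim=ID_CLAIM, issuer=ISSUER, audience=CLIENT_ID):
    """Check the standard claims of an already signature-verified ID token, then
    return the third-party ID from the custom claim instead of the opaque sub."""
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    if claims.get("aud") != audience:
        raise IdTokenError("audience mismatch")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise IdTokenError("token not yet valid or expired")
    user_id = claims.get(id_claim)
    if user_id is None or not str(user_id).strip():
        # Without the configured claim the account cannot be matched, so SSO fails
        raise IdTokenError(f"custom claim '{id_claim}' missing from ID token")
    if EMAIL_RE.match(str(user_id)):
        # Email addresses change; reject them as identifiers (a policy choice here)
        raise IdTokenError("custom claim carries an email address, not a stable ID")
    return str(user_id).strip()


def check_claims(claims, now, **kwargs):
    """Non-raising wrapper: returns (True, user_id) or (False, reason)."""
    try:
        return True, resolve_user_id(claims, now, **kwargs)
    except IdTokenError as exc:
        return False, str(exc)


# Constructed sample claims, shaped like an Entra ID v2.0 ID token with the custom claim mapped in
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "nbf": 1_700_000_000, "exp": 1_700_000_600,
    "sub": "constructed-opaque-pairwise-subject", "employeeId": "E12345",
}

if __name__ == "__main__":
    print(check_claims(SAMPLE_CLAIMS, now=1_700_000_300))  # (True, 'E12345')
```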

When you configure custom claims for the ID token, Entra ID requires you to configure an application-specific signing key, which it will use to sign the ID token instead of the default signing key. If this key is not configured, the SSO process fails with the following error:

AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.

If you don’t want to configure an application-specific signing key, you can instead set the following properties in the app registration manifest:

"acceptMappedClaims": true,
"accessTokenAcceptedVersion": 2
