Azure SSO Configuration User Guide

External IdP Configuration Guide Overview (OIDC)

In order to configure an external OIDC provider for an AWS Cognito user-pool, there must be an exchange of information between both the app (Stratusphere) and the customer organization's system administrator.

Stratusphere will provide these to the system administrator:

• Application Login URL
• Allowed Callback URLs
• Allowed Logout URLs
• Application Logo (optional)

The system administrator must configure their SSO Provider with a new Application representing Stratusphere (and the above values). They must then provide the following (from the SSO Provider's newly registered application) to Stratusphere:

• Domain/Issuer URL
• Client ID
• Client Secret

Note: Each different SSO Identity Provider (Auth0, MS Azure Entra ID, etc) has different configuration screens/steps. This guide is specific for MS Azure Entra ID.

Note: SAML-required fields are different from those required to configure OIDC IdPs. This guide is specific to OIDC configurations.

Customer System Administrator - Azure Entra ID Configuration (OIDC)

Steps for the Customer's System Administrator to create an OIDC Client Application in Azure Entra ID representing Stratusphere:

1. In the Azure management portal, go to "Microsoft Entra ID" service
2. In the side menu, choose "App registrations"
3. Click "New registration"

• Name the new application (e.g. "Stratusphere App")
• Supported account types: Accounts in this organizational directory only
• Add the "Redirect URI"
  • Platform: "Web"
  • URL: https://scip-auth-prd.auth.us-east-1.amazoncognito.com/oauth2/idpresponse

4. Click "Register"

5. Navigate to the new Application registration you created

6. In the "Overview" tab of the registration, note these fields:

• "Application (client) ID" is the the "Client ID" used in Cognito IdP registration
  
• "Directory (tenant) ID" is used to form the Domain/Issuer URL:
  • https://login.microsoftonline.com/{tenant}/v2.0
  • Note: This can be verified in the Endpoints tab of the Registration:
    
    • OAuth 2.0 authorization endpoint (v2) will end in /authorize
    • OAuth 2.0 token endpoint (v2) will end in /token
    • Etc

7. In the “Branding & properties” tab, note these fields

• Add the “Home page Url”
  • https://stratusphere.app/auth

8. To create a new client secret:

• On the side menu, choose "Certificates & secrets"
• Click "New client secret"
• "Description": provide a description (e.g. "Stratusphere App - Client Secret")
• "Expires": the max value is 2 years - "730 days (24 months)"
• Click "Add"
• In the table of "Client secrets", click the "Copy to clipboard" button beside the "Value" of the new secret
  • Note: You only get one chance to copy the value; refreshing the page will mask the majority of the secret's value

Finalize Configuration and Test

Once the Application registration has been created and the secret has been configured in the Azure portal, please reach out to support at support@stratusphere.app. We will set up a 15min call to finish configuration and test the integration.

Please be prepared to provide the following values (from above) to the Stratusphere support team during the call (none of these values will be stored outside of the secure storage in the production SSO service):