Skip to main content

Steps to set Entra as an OIDC identity provider:-

1
Log in to Microsoft Entra and navigate to the Identity/Applications/Enterprise applications view within Microsoft Entra.
Microsoft Entra admin center with Enterprise Applications and New Application button
2
Click on New application.
3
Once navigated to a new page, click on Create your own application.
Microsoft Entra admin center showing Create Your Own Application option
4
Provide a name to the application and select “Register an application to integrate with Microsoft Entra ID (App you’re developing)” for the application purpose, then click on the Create button.
5
Select who can use the application from the given options according to your needs and then click on Register.
6
Now navigate to Identity/Applications/App registrations.
7
In the All applications tab, select the application which we created.
Microsoft Entra admin center listing registered apps “test” and “test2”
8
Copy the Application(Client) ID, then click on Endpoints and then copy the OpenID Connect metadata document(Discovery Endpoint).
Endpoints section in Microsoft Entra highlighting OpenID Connect metadata document
9
Navigate to Certificates and Secrets.
10
Click on New client secret, give it a description and select the expiry according to your needs and then click on Add.
11
Copy the value(client secret) and store it, as it won’t be shown again.
Microsoft Entra Certificates & secrets showing new client secret created on March 14, 2024
12
Navigate to the settings page on Cosmo.
Organization settings showing name, slug, and status of AI, RBAC, and SCIM features
13
Give the connection a name, paste the OpenID Connect metadata document copied before, into the Discovery Endpoint, paste the Client ID and Client secret copied before into the Client ID and Client Secret fields respectively, and then click on Connect.
Connecting OpenID Connect provider for specific organization in Cosmo Docs
14
Configure the mapping between the roles in Cosmo and the groups in Microsoft Entra. The field Group in the provider should be populated with the Object ID of a group from Entra. Once all the mappers are configured, click on Save. Every member in those groups would get the respective role configured.
Group mapper configuration showing Cosmo role and provider group fields

Microsoft Entra admin center showing two groups with object IDs listed
15
Copy the sign-in and sign-out redirect URIs displayed in the dialog.
Steps to configure OIDC provider with sign-in and sign-out redirect URLs
16
Navigate back to the App registrations page, in the All applications tab select the app which we created.
17
Click on Add a redirect URI, and now click on Add a platform, select Web and then paste the Sign-in and Sign-out redirect URIs in the Redirect URIs and Front-channel logout URL respectively.
Azure AD registration page highlighting Add Redirect URI button
18
Select ID tokens and then click on Configure.
19
Now navigate to Token configuration, and click on Add groups claim.
20
Select Security groups, expand ID, select Group ID and click on Add.
Microsoft Entra Token configuration showing Security groups claim with Group ID option
21
Navigate to API Permissions, and click on Add a permission.
Microsoft Entra API permissions section for adding Microsoft Graph API access
22
Click on Microsoft Graph, and then on Delegated permissions, select email, openid and profile and then click on Add permissions.
23
Now you can assign users/groups to the application, and only those users will be able to log into Cosmo using the URL provided on setting up the provider.
Microsoft Entra Users and groups section showing Add user/group button
Please make sure that the users added to the application have an email.Steps to add a user:
1
Navigate to Users/All users, click on New User and then click on Create a new user.
Microsoft Entra Users section highlighting Create new user option
2
Provide the user principal name, the display name and then click on Next.
Create new user dialog in Microsoft Entra with principal name and display fields
3
Provide the first name(optional) and the last name(optional).
4
Provide the email of the user(Required).
Microsoft Entra Identity section for new user creation with name and email fields
5
Then click on Next and assign the user to the groups according to your needs.