Documentation
Documentation

Microsoft Entra ID (Formerly Azure AD)

Create an App Registration for the iMIS SSO. Navigate to the Entra admin center and go to Identity > Applications > App registrations.

Client app instructions

Configure an app registration with the following information:

  • Authentication:
    • Account types: Accounts in this organizational directory only.
    • Web Redirect URI: Enter the value from the iMIS SSO Premium form under Redirect URL.
  • Certificates & secrets > Client secrets:
    • Credentials: Generate a Client Secret value and set the expiration time to the maximum (currently 24 months).
    📘

    Note

    You will need to refresh this secret value and update the iMIS SSO Premium configuration when the old secret value expires. Be sure to set a calendar reminder before the expiration date to complete this task.

All other settings can be left at their defaults or ignored. Customize the Branding & properties, since users will see this information during sign-in.

Configuration values

Obtain configuration values for iMIS SSO Premium from the following places:

On the Overview tab of the app registration record in Entra (ensure that the Essentials section at the top of the screen is expanded and visible):

  • Discovery Domain: At the top, click Endpoints, and copy the OpenID Connect metadata document field. Then select Discover...
  • Authorization URL: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the OAuth 2.0 authorization endpoint (v2) field.
  • Token URL: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the OAuth 2.0 token endpoint (v2) field.
  • Userinfo URL: Enter this value exactly: https://graph.microsoft.com/oidc/userinfo
  • Issuer: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the Authority URL (Accounts in this organizational directory only) field, then append /v2.0 to the end of the URL. The URL should look something like this: https://login.microsoftonline.com/00000000-1234-1234-000000000000/v2.0
  • Scopes: Enter this value exactly: openid profile email
  • Client ID: Copy the Application (client) ID value.
  • Client Secret: Copy the client secret value that was generated from the Certificates & secrets tab. If you lost the secret value, delete the old one and generate a new secret value.
  • Enable PKCE: On
  • Enable Response Mode Form Post: Off
  • Enable Token Endpoint Basic Auth: Off

Claims mapping

Map the following claims:

Field Claim Name Location
External ID `oid` ID Token
Username `preferred_username` Access Token
Email `preferred_username` Access Token
First Name `given_name` User Info
Last Name `family_name` User Info