Example: Configuring Azure OIDC to use with KeyControl Compliance Manager

The following example shows how to configure Azure OIDC for use with KeyControl Compliance Manager for External Authentication using OpenID Connect. You will need to register Entrust KeyControl Compliance Manager as a Microsoft Azure application, then copy the Client Secret, the Application (client) ID, and the base URL from Azure and paste them into KeyControl Compliance Manager.

  1. In Microsoft Azure, click App Registrations in the sidebar.

  2. Click New Registration.

  3. In the Register an application page, enter the name to use for the application and enter the following redirect URIs.

    • Set the Login Redirect URIs for all nodes in the cluster to:

      https://<IP or FQDN of KeyControl Compliance Manager node>/hytrust-authentication-rest/api/v2/login/<tenant>

    • Set the Logout Redirect URIs for all nodes in the cluster to:

      https://<IP or FQDN of KeyControl Compliance Manager node>/hytrust-authentication-rest/api/v2/sso/logout/<tenant>

  4. Click Register.

    After the application is created, you will be taken to the new application page.

  5. Copy the Application (client) ID to a text window for later use.

    This will be the application (client) ID used in KeyControl Compliance Manager.

  6. Click Certificates & secrets in the sidebar to create a client secret.

  7. In the Client secrets section, click New client secret.

  8. In the Add a client secret window, enter a description, set the expiration date, and click Add.

    The new client secret appears in the Client secrets section.

  9. Copy the client secret value to a text window for later use.

    This will be the client secret used in KeyControl Compliance Manager.

  10. Click Token configuration in the sidebar and then click Add optional claim.

  11. In the Add optional claim window, select 'ID' for the token type and 'upn' and 'sid' for the claims.

  12. Click Add.

  13. In the pop-up window, check the 'Turn on the Microsoft Graph profile permission (required for claims to appear in token)' checkbox.

  14. Click Overview in the sidebar, and then click Endpoints.

  15. In the Endpoints window, copy the OpenID Connect metadata document URL, up to and including v2.0, to a text window. This portion of the URL is the OpenID Connect URI (Issuer URI).

    For example, https://login.microsoftonline.com/a995284f-7628-4646-b755-ja0e3c7f0264/v2.0

    Note: This will be the base URL used in KeyControl Compliance Manager.

  16. Close the Endpoints window to return to the Overview page.
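The following pre-flight check is an added example and is not part of the Entrust documentation. It builds the per-node redirect URIs from step 3, validates the shape of the base URL copied in step 15, and verifies that a decoded ID token carries the iss, aud, upn and sid values this configuration expects. The node names, tenant name, client ID and token claims are constructed placeholders.

```python
import base64
import json
import re

# Endpoint paths from step 3: one login and one logout URI per cluster node.
LOGIN_PATH = "/hytrust-authentication-rest/api/v2/login/{tenant}"
LOGOUT_PATH = "/hytrust-authentication-rest/api/v2/sso/logout/{tenant}"

# Issuer shape copied in step 15: https://login.microsoftonline.com/<tenant GUID>/v2.0
ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}/v2\.0$", re.IGNORECASE)

def redirect_uris(nodes, tenant):
    """Return (login URIs, logout URIs) to register in Azure, one pair per node."""
    login = ["https://%s%s" % (n, LOGIN_PATH.format(tenant=tenant)) for n in nodes]
    logout = ["https://%s%s" % (n, LOGOUT_PATH.format(tenant=tenant)) for n in nodes]
    return login, logout

def issuer_is_valid(base_url):
    """True if the pasted base URL is a v2.0 issuer with a well-formed tenant GUID."""
    return bool(ISSUER_RE.match(base_url.strip()))

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_id_token(claims):
    """Constructed, unsigned JWT so the claim checks below can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return "%s.%s." % (header, _b64url(json.dumps(claims).encode()))

def id_token_problems(id_token, base_url, client_id):
    """List mismatches between an ID token's claims and the configured values.
    Signature validation against the keys published under
    <base URL>/.well-known/openid-configuration is still required and is not done here."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    problems = []
    if claims.get("iss") != base_url:
        problems.append("iss %r does not match the base URL" % claims.get("iss"))
    if claims.get("aud") != client_id:
        problems.append("aud %r does not match the Application (client) ID" % claims.get("aud"))
    for claim in ("upn", "sid"):  # optional claims added in steps 10-13
        if claim not in claims:
            problems.append("optional claim %r missing from the ID token" % claim)
    return problems
```

Run the three checks against the values you collected before pasting them into KeyControl Compliance Manager; any entry returned by id_token_problems points at the step that needs revisiting.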