Versions Compared

Old Version 2

changes.mady.by.user Daylan Araz

Saved on

compared with

New Version Current

changes.mady.by.user Sandro Camastral

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page provides documentation on integrating an Identity Provider (IdP) with Unique's authentication system, enabling a seamless and secure SSO experience for the users. Unique uses Zitadel as its Identity and Access Management (IAM) solution and various IdPs can be connected to it for allowing users to login via Single Sign-On.

...

After the app registration has been created, navigate to the “Authentication” section and make sure the “Access tokens” and “ID tokens” setting is settings are selected. This is to ensure that the Access token and ID token is are issued and sent along when a user uses SSO to login to Unique.

...

  • ID token → contains information about the user (name, email, group IDs)

  • Access token → used for making an additional Microsoft GraphAPI request to get the group names

...

Token configuration

Next navigate to the “Token configuration” section and add necessary claims to the token. This is to ensure that the needed claims are sent on the ID token.

If you want to be able to sync your user groups from Azure to Unique, make sure to also add the groups claim as shown in the second screenshot below. What kind of groups you want to include on the groups claim is ultimately up to you. Unique recommends to include only the groups assigned to the application in order to have more control over what groups are synced and avoid exceeding the limit on the number of groups that can be included on the ID token.

...

API permissions

Under the “API permissions” navigation entry you need to configure the correct permissions for the Microsoft Graph API. The permissions should include:

  • email

  • openid

  • profile

  • User.Read

  • GroupMember.Read.All

Info

The GroupMember.Read.All permission (https://learn.microsoft.com/en-us/graph/permissions-reference#groupmemberreadall ) requires admin consent to be enabled. This permission is needed to query the group names via the Microsoft Graph API on behalf of the user. The ID token groups claim includes only the groups' IDs and to be able to sync the user’s Entra ID groups to Unique we require an ID and a name.


For more information on the syncing of user groups, refer to this page: User Provisioning

...

The GroupMember.Read.All permission needs to be manually added. This can be done by clicking on the “+ Add a permission” button on the top of the list. Select the “Microsoft Graph” API and choose the “Delegated permissions” tab on top. This allows the Unique solution to query the group names for the group IDs received in the groups claim on the ID token.

Make sure that the status column indicates “Granted for …” for all the added API permissions. The GroupMember.Read.All permissions requires explicitly granting admin consent by using the “Grant admin consent for …” button above the permission list.

Screenshot 2024-06-18 at 12.15.55-20240618-101622.pngImage AddedScreenshot 2024-06-18 at 12.17.40-20240618-101805.pngImage Added

Certificates & secrets

After the application has been registered and configured, create a Client Secret by navigating to “Certificates & secrets” and copy the value of the secret. The secret is only visible once and is needed in order to setup SSO with Unique.

...

If you are running on a Unique managed environment (Multi- or Single-tenant), then this is all you need. Provide these values to Unique in a secure way (sensitive client credentials) and Unique will take care of enabling SSO for your organization.

...