Microsoft Entra ID custom OIDC federation guide
Last updated on
Set up a custom OpenID Connect (OIDC) federation with Microsoft Entra ID (formerly Azure Active Directory). The STACKIT IdP acts as the Relying Party (RP), and your Microsoft Entra ID tenant acts as the Identity Provider (IdP).
User account creation behavior
Section titled “User account creation behavior”OIDC federations in STACKIT can be configured to create users automatically at first successful login (also known as JIT user creation), depending on your onboarding requirements.
- Auto creation enabled: Users are created on first successful OIDC login if they don’t already exist.
- Auto creation disabled: Users must already exist (for example, through SCIM provisioning or manual setup) before they can log in.
Define your preferred mode during onboarding so the federation can be configured accordingly.
Step 0: Create an application
Section titled “Step 0: Create an application”To configure this federation with Entra ID, complete the following steps:
- Create Microsoft Application: You need to create the application on Microsoft in order to obtain the required credentials to set up the federation.
When creating the client, the redirect URL ishttps://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-apphttps://accounts.stackit.cloud/ui/login/login/externalidp/callback
- Token claims: The application will need to configure the token in “Token configuration” with the following claims:
- Token type: ID
- Claims checked:
- family_name
- given_name
- preferred_username
- Permissions: In order to retrieve userinfo we will need the following permissions from “API permissions” panel:
- profile
- User.Read
- openid (usually found in “Other permissions granted for…”)
Step 1: Open a support ticket
Section titled “Step 1: Open a support ticket”Open a support ticket with the following information:
General information
- Federation type: OpenID Connect (OIDC)
- Reason for integration: Brief explanation (for example, “Enable SSO using Entra ID”)
- Email domains: All primary and secondary email domains your employees use with Entra ID (for example,
@example.organd@foobar.com) - User account creation mode:
Auto creation enabledorAuto creation disabled
OIDC-specific information
| Required field | Description | Example input |
|---|---|---|
| Client ID | ID assigned to STACKIT service in your Entra ID application registration in Step 0 | Application (client) ID |
| Client secret | Secret key generated for the Client ID | Provide securely |
| Scopes | Required permissions (at least openid required) | openid email profile |
| Tenant ID | Unique GUID for your organization’s specific tenant | 123e4567-e89b-12d.... |
Step 2: Verification
Section titled “Step 2: Verification”Confirm the federation works and report back to us with the results or any problems you face.
Optional next step: Enable provisioning
Section titled “Optional next step: Enable provisioning”If you also want automated user and group synchronization from Microsoft Entra ID, continue with the Microsoft Entra ID custom SCIM provisioning guide.
Changing federation type
Section titled “Changing federation type”If you have an existing federation using a different protocol and switch to OIDC with Microsoft Entra ID, the transition is seamless. As long as email addresses remain the same, users won’t lose access or data. User accounts are tied to email addresses, not federation methods.