OpenID provider examples

Introduction to OpenID providers

An OpenID provider is a service that authenticates users and provides information about them to other services. In this guide, we will show you how to obtain the necessary information from some common OpenID providers.

Microsoft Entra as identity provider

OpenID configuration in Microsoft Entra

warning

The following is an example and may be subject to change. For the most recent information, see the Microsoft documentation.

  1. To register an application:

    • Navigate to the Microsoft Entra (formerly: Azure AD) portal.
    • Go to Identity > Applications > App registrations.
    • Select New registration and register a new application.
  2. Go to the Overview section of the registered application to view the Application (client) ID.

  3. To generate a client secret:

    • Go to the Certificates & secrets section.
    • Under Client secrets, click on New client secret to generate a new secret.
    • Note down the value of the client secret as it will not be displayed again.
  4. In the Overview section, select Endpoints to view the OpenID Connect metadata document. The metadata endpoint is usually constructed as https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration. Replace {tenant} with your directory (tenant) ID or your domain name. For more information, see:

Microsoft Entra endpoints

Indicium main administrator

warning

Without user provisioning, users are not automatically created in IAM when they log in for the first time. In that case, make sure that the Microsoft account that tries to log in is already available in IAM, or Indicium will not accept the authentication.

Microsoft Entra uses the concept of tenants. A tenant is a dedicated instance that represents an organization. A tenant is uniquely identified by a GUID.

Aside from each company-specific tenant identified by a GUID, Microsoft defines the following global tenants:

  • consumers - An alias for Microsoft's own tenant GUID. You can see this as Microsoft's own Active Directory containing all personal Microsoft accounts.
  • organizations - An alias for all company-specific tenants together. The authenticated user can come from any tenant that is not known in advance.
  • common - Organizations and consumers. This tenant can contain all Microsoft accounts. The authenticated user can come from any tenant that is not known in advance.

To add a metadata endpoint for an OpenID provider in IAM:

Authorization > OpenID providers > tab Form

  1. Enter an endpoint in the field Metadata endpoint.
  2. If you are using a global tenant instead of a GUID reference to a tenant: select whether you want to allow everyone to log in or only users that are known to your organization. See Allow everyone to log in and Limit who can log in.

Endpoint examples

  • To allow only users from your own, single Microsoft Entra tenant, use the GUID reference to your tenant. Example:

    https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration

    Replace 00000000-0000-0000-0000-000000000000 with the GUID reference of your tenant.

  • To allow all Microsoft accounts (work and personal) to sign in, use the common tenant. In addition, select the Allow all issuers checkbox (see Allow everyone to log in). Example:

    https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
  • To allow any Microsoft work account, use the organizations tenant. In addition, select the Allow all issuers or Allow additional users checkbox (see Allow everyone to log in and Limit who can log in). Example:

    https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
  • To enable users to sign in with any Microsoft personal account, use the consumers tenant. In addition, select the Allow all issuers checkbox (see Allow everyone to log in). Example:

    https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration
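The following is an added example and not Indicium/IAM or Microsoft code. It illustrates two points from this section: how the metadata endpoint is built from a tenant GUID, global tenant alias or domain name (step 4 above), and why the tenant choice has to be paired with the "Allow all issuers" or "Allow additional users" setting. Tokens obtained through the common, organizations or consumers endpoints carry the user's real tenant GUID in the `iss` claim, never the alias, so a relying party has to decide which tenant GUIDs it accepts. The `IssuerPolicy` class, `issuer_allowed` function and the `additional_tenants` allowlist are this example's own model of those IAM settings, not IAM's implementation; the `SAMPLE_COMMON_METADATA` document is constructed to mirror the shape of Microsoft's metadata for the common tenant. Signature verification against `jwks_uri` is assumed to happen before this check.

```python
"""Tenant-aware metadata URL construction and issuer checks for Microsoft Entra v2.0.
Added example: not Indicium/IAM or Microsoft code."""
import re
import uuid
from dataclasses import dataclass
from urllib.parse import urlparse

ENTRA_HOST = "login.microsoftonline.com"
GLOBAL_TENANTS = ("common", "organizations", "consumers")
# Tenant GUID behind the "consumers" alias (personal Microsoft accounts).
# Well-known public value, not taken from the page above.
CONSUMERS_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

# Constructed sample of the metadata document served for the "common" tenant.
# Note the issuer is a template: the real tenant only appears in issued tokens.
SAMPLE_COMMON_METADATA = {
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
}

_DOMAIN_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.IGNORECASE
)


def _is_guid(value: str) -> bool:
    """True only for the canonical hyphenated 8-4-4-4-12 form."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def _is_domain(value: str) -> bool:
    return bool(_DOMAIN_RE.match(value))


def metadata_url(tenant: str) -> str:
    """Build the v2.0 metadata URL; rejects anything that is not a GUID,
    a global tenant alias or a domain name, so no path tricks reach the URL."""
    if tenant in GLOBAL_TENANTS or _is_guid(tenant) or _is_domain(tenant):
        return f"https://{ENTRA_HOST}/{tenant}/v2.0/.well-known/openid-configuration"
    raise ValueError(f"not a tenant GUID, global tenant or domain name: {tenant!r}")


def metadata_issuer_is_template(doc: dict) -> bool:
    """Global tenants publish '{tenantid}' in the issuer, so the value cannot be
    compared literally against a token's iss claim."""
    return "{tenantid}" in doc.get("issuer", "")


def issuer_tenant(iss: str) -> str:
    """Extract the tenant GUID from an Entra v2.0 issuer; raise on any other host."""
    url = urlparse(iss)
    parts = url.path.strip("/").split("/")
    if url.scheme != "https" or url.netloc != ENTRA_HOST or len(parts) != 2 or parts[1] != "v2.0":
        raise ValueError(f"not an Entra v2.0 issuer: {iss!r}")
    if not _is_guid(parts[0]):
        raise ValueError(f"issuer tenant is not a GUID: {iss!r}")
    return parts[0].lower()


@dataclass(frozen=True)
class IssuerPolicy:
    """Hypothetical model of the IAM settings: the tenant used in the metadata
    endpoint, the 'Allow all issuers' checkbox, and an allowlist of tenant GUIDs
    standing in for 'Allow additional users'."""
    tenant: str
    allow_all_issuers: bool = False
    additional_tenants: frozenset = frozenset()


def issuer_allowed(iss: str, policy: IssuerPolicy) -> bool:
    """Decide whether a (signature-verified) token's iss claim is acceptable."""
    tid = issuer_tenant(iss)  # a foreign issuer host never gets past this line
    if policy.allow_all_issuers:
        return True
    if _is_guid(policy.tenant):  # single tenant, optionally plus an allowlist
        return tid == policy.tenant.lower() or tid in policy.additional_tenants
    if policy.tenant == "consumers":
        return tid == CONSUMERS_TENANT_ID
    if policy.tenant == "organizations":  # any work tenant, but only allowlisted ones
        return tid != CONSUMERS_TENANT_ID and tid in policy.additional_tenants
    return False  # "common" without "Allow all issuers": nothing to compare against
```

The important property is that `issuer_tenant` fails closed: an issuer on any host other than `login.microsoftonline.com` raises, and the `common` tenant without "Allow all issuers" accepts nobody, which matches why the page pairs that endpoint with the checkbox.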

Trusted IPs to bypass 2FA

When using Microsoft as an OpenID provider, you can set trusted IP ranges to bypass two-factor authentication in on-premises environments. So, when working at the office, users will not be prompted for two-factor authentication.

For more information, see the Microsoft documentation on Trusted IPs.

Google Identity Platform as identity provider

OpenID configuration in Google

warning

The following is an example and may be subject to change. For the most recent information, see the Google documentation.

  1. To register an application:

    • Navigate to the Google Cloud Platform.
    • Go to APIs & Services > Credentials.
    • Click on Create credentials and register a new OAuth client ID.
  2. To obtain the Client ID, go to the OAuth 2.0 Client IDs section in the Credentials page.

  3. Alongside the Client ID, a Client Secret is generated. You can view and manage your client secrets under the Credentials section.

  4. The metadata endpoint is usually constructed as https://accounts.google.com/.well-known/openid-configuration. You can enter this URL in the Metadata endpoint field in IAM.