Configuring Microsoft Entra ID (Azure AD)
Follow these steps to configure Microsoft Entra ID (formerly known as Microsoft Azure Active Directory) as an external identity provider (IdP) in the Illumio Console's Okta instance using the OIDC protocol.
Prerequisites
Ensure that you have entered an email, first name, and last name in your user profile in your Azure AD instance. These fields cannot be empty.
Register Illumio as an application
Log into Entra ID (Azure AD).
In the Azure left navigation panel, click App registrations.
At the App Registrations page, click New registration.
At the Register an application page:
In the Name field, enter a name for your Illumio Console instance. For example, "MyCorp on Illumio".
For Supported account types, select Accounts in this organizational directory only (Single tenant).
Under Redirect URI, choose Single-page application (SPA) and enter the URI to Illumio Console: https://console.illum.io.
Click Register.
Additional configuration
After you have registered your Illumio Console application as an Entra application, you can see it listed when you click App registrations, then All applications.
At the App registrations page, click your application name (for example, "MyCorp on Illumio") to see more details.
At your application details page, click Authentication.
Confirm that you have entered the proper Redirect URI, and correct it if needed.
Under Implicit grant and hybrid flows, you must enable the ID tokens setting.
Save Configuration Parameters
At the details page for your Illumio Console application, click Settings.
Copy the Client ID setting shown there. You will use this as the Client ID setting when completing your OIDC authentication in the Illumio Console.
Copy the Directory (tenant) ID shown here. This ID will be used as the basis for the Issuer URL setting when completing your OIDC authentication in the Illumio Console, where you will enter the URL in the form: https://login.microsoftonline.com/tenant_ID/v2.0.
Click Manifest, and at this page use the editor to update the following JSON entries to these values:
"acceptMappedClaims": true
"accessTokenAcceptedVersion": 2
Instead of accessTokenAcceptedVersion you might see requestedAccessTokenVersion. Whichever entry is in your manifest, ensure that it is set to 2.
Configure tokens
Click Token configuration. At this page:
Select ID Token.
Click Add optional claim. Enable email and upn in the list of claims. If available, also enable the option to Turn on Microsoft Graph email permission.
Click Add.
At the Token configuration page, confirm that both email and upn are listed under the Claim column, and they are Token type of ID.
Click API permissions.
Because you turned on the Microsoft Graph email permission earlier, the email and profile API permissions should already be enabled.
Click Microsoft Graph under the API/Permissions name column, and enable the openid permission.
The email and profile permissions should be enabled already.
Click Add.
Custom Claims Mapping
Go to your Entra ID Home, and click Enterprise applications.
From the list of your applications, click the name of your new Illumio Console application (for example, "MyCorp on Illumio").
At the details page for your Illumio Console application, click Properties. Ensure that the Assignment required? option is set to Yes. This setting ensures that when a user logs in, the user is assigned to the target Entra ID application.
Click Single sign-on from the left navigation. At the OIDC-based Sign-on page, under the Attributes and Claims section, click Edit.
On the Manage claim page, enter new claims for firstName and lastName:
Enter the Name (for example, firstName).
Set Source to Attribute.
In Source attribute, choose the menu item user.givenname for the firstName claim, and user.surname for the lastName claim.
Leave all other options at default values or unspecified.
Click Save after completing each claim.
The next time you log into the Illumio Console, a Microsoft window asks you to grant permission. Click Accept.
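The following Python script is an added example, not part of the Illumio documentation or of any Illumio or Microsoft tooling. It checks the two artifacts the procedure above produces: the application manifest (acceptMappedClaims must be true, and whichever of accessTokenAcceptedVersion or requestedAccessTokenVersion is present must be 2) and an ID token issued after login (issuer in the https://login.microsoftonline.com/tenant_ID/v2.0 form, audience equal to the Client ID, and the email, upn, firstName and lastName claims present and non-empty). The tenant ID, client ID, manifest and token below are constructed sample values; the token is decoded for inspection only, its signature is not verified here (the Console's Okta instance does that), and the check that v2.0 tokens carry "ver": "2.0" relies on Entra ID's documented token format.

```python
from __future__ import annotations

import base64
import json

# Claims the Illumio Console expects in the ID token after the steps above
# (email and upn as optional claims, firstName and lastName as custom claims).
REQUIRED_ID_TOKEN_CLAIMS = ("email", "upn", "firstName", "lastName")

# Either key name may appear in the manifest; both must be set to 2.
TOKEN_VERSION_KEYS = ("accessTokenAcceptedVersion", "requestedAccessTokenVersion")


def issuer_url(tenant_id: str) -> str:
    """Issuer URL in the form entered in the Illumio Console."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def check_manifest(manifest: dict) -> list[str]:
    """Return a list of problems with an app manifest (empty list means OK)."""
    problems: list[str] = []
    if manifest.get("acceptMappedClaims") is not True:
        problems.append('"acceptMappedClaims" must be true')
    present = [k for k in TOKEN_VERSION_KEYS if k in manifest]
    if not present:
        problems.append("no accessTokenAcceptedVersion/requestedAccessTokenVersion entry")
    for key in present:
        if manifest[key] != 2:
            problems.append(f'"{key}" is {manifest[key]!r}, expected 2')
    return problems


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection only.

    No signature verification is done here; this is a diagnostic to see which
    claims Entra ID actually emitted, not an authentication step.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_id_token_claims(payload: dict, tenant_id: str, client_id: str) -> list[str]:
    """Return a list of problems with a decoded ID token payload (empty = OK)."""
    problems: list[str] = []
    expected_iss = issuer_url(tenant_id)
    if payload.get("iss") != expected_iss:
        problems.append(f'iss is {payload.get("iss")!r}, expected {expected_iss!r}')
    if payload.get("aud") != client_id:
        problems.append(f'aud is {payload.get("aud")!r}, expected the Client ID {client_id!r}')
    # v2.0-endpoint tokens carry ver "2.0"; a v1.0 token means the manifest
    # version setting did not take effect.
    if payload.get("ver") != "2.0":
        problems.append(f'ver is {payload.get("ver")!r}, expected "2.0"')
    for claim in REQUIRED_ID_TOKEN_CLAIMS:
        if not payload.get(claim):
            problems.append(f"claim {claim!r} is missing or empty")
    return problems


# --- constructed sample data (placeholders, not real tenant or client IDs) ---
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_CLIENT_ID = "11111111-1111-1111-1111-111111111111"

SAMPLE_MANIFEST = {"acceptMappedClaims": True, "requestedAccessTokenVersion": 2}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT so the checks can run offline."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}."


SAMPLE_TOKEN = make_unsigned_sample_token({
    "iss": issuer_url(SAMPLE_TENANT_ID),
    "aud": SAMPLE_CLIENT_ID,
    "ver": "2.0",
    "email": "jane.doe@example.com",
    "upn": "jane.doe@example.com",
    "firstName": "Jane",
    "lastName": "Doe",
})


if __name__ == "__main__":
    print("manifest problems:", check_manifest(SAMPLE_MANIFEST))
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print("id token problems:", check_id_token_claims(claims, SAMPLE_TENANT_ID, SAMPLE_CLIENT_ID))
```

To use it against a real login, paste the ID token from the browser's network trace into decode_jwt_payload and your own tenant and client IDs into check_id_token_claims; an empty problem list for both functions means the manifest, optional claims and custom claim mappings described above are all in place.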