Entra ID integration
StifleR can use Microsoft Entra ID as its identity provider to authenticate users and determine access to the StifleR Dashboard. Authentication is performed using OpenID Connect (OIDC), while authorization decisions are based on Entra ID security group membership.
This integration removes the need for local user management in StifleR and allows access to be governed entirely by Entra ID, using the same identities, groups, and policies already in place across the organization.
When a user signs in, Entra ID validates the identity and issues an OIDC ID token that carries the user's group membership as group object IDs (GUIDs). StifleR reads that claim and applies its access rules accordingly, ensuring that users only see and manage what they are permitted to.
Group-Based Access Model
Access to StifleR is controlled by mapping Entra ID security groups to StifleR access levels.
Common patterns include:
A read-only group that allows users to view all Dashboard data without making changes.
An administrative group that grants full control over configuration, monitoring, and management features.
These groups are defined and maintained in Entra ID and referenced in the StifleR Service Config Editor. This ensures that access rules are applied consistently for all users authenticating through Entra ID.
Centralized Governance and Compliance
Using Microsoft Entra ID as the authentication authority centralizes identity governance for StifleR. All access changes - such as adding users, modifying permissions, or revoking access - are performed in Entra ID and take effect in StifleR the next time the user signs in and a new token is issued; an existing authentication ticket remains valid until it expires (see the ticket expiration setting below).
This approach simplifies administration, improves auditability, and ensures that StifleR access aligns with organizational security, compliance, and Zero Trust requirements.
Configuration
Create Entra ID Groups
Log in to the Microsoft Azure Portal, open Microsoft Entra ID, and navigate to Groups.

Create the following security groups:
DefaultStifleRRead – global read-only access to all StifleR pages
DefaultStifleRAdmins – full administrative access
Groups must be created as Security type.

Add users to each group by opening the group, selecting Members, and clicking Add members.

Register the Application
Navigate to App registrations and either select an existing application or create a new one for StifleR.

Configure Authentication
Open the application and go to Authentication, then select Add a platform.

Choose Web as the platform type.

Configure the Redirect URI to point to the StifleR Service callback endpoint:
https://[YourDomain]:9000/api/Account/Callback

Configure Token Claims
Open Token configuration.

Add a Groups claim and select Security groups so that group membership is included in the OIDC token. Entra ID emits the groups as object IDs (GUIDs), not display names; note also that if a user belongs to more groups than Entra ID will embed in a token, the groups claim is replaced by an overage indicator, so keep the relevant users' group counts within that limit or restrict the claim to groups assigned to the application.

Configure StifleR Service
Open StifleR Service Config Editor and update the access settings.
Set Authentication Method to oidc and configure the following:
"OIDC Provider name" - Name representing the external OIDC provider.
"OIDC Claim type" - Name of the token claim that carries group membership. For Entra ID this is "groups"; for PingIdentity it is the attribute name defined by the administrator.
"OIDC Groups with StifleR Global Admin Access" - External OIDC provider security groups that have full admin rights to StifleR. Specify the group ID (GUID), not the display name.
"OIDC Groups with StifleR Global Read Access" - External OIDC provider security groups that have read access to StifleR global data, all locations and all items. Specify the group ID (GUID), not the display name.
"OIDC Issuer URL" - Entra ID: https://login.microsoftonline.com/[TenantID]/v2.0. Ping Identity: https://auth.pingone.eu/[EnvironmentID]/as/ (ending with a slash).
"OIDC Client Identifier" - The unique identifier (Application/client ID) assigned to your application by the OpenID Connect provider.
"OIDC Redirect URL" - The URL in your application to which the OpenID Connect provider sends the user after authentication. This must exactly match one of the redirect URIs registered with your identity provider, in the format https://[YourDomain]:9000/api/Account/Callback.
"OIDC Dashboard URL" - Full URL to the StifleR Dashboard, in the format https://[YourDomain]/StiflerDashboard/#.
"OIDC Authentication ticket expiration (minutes)" - Expiration time in minutes for the OpenID Connect authentication ticket.
Verify and Save the configuration.
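The following is an added example, not StifleR's own code, showing how a relying party turns the Entra ID token described in the sign-in flow above into the two access levels defined by the settings above (GUID-based admin and read groups), together with the issuer, audience and group-overage checks a practitioner should run before trusting the claim. The tenant ID, client ID, group GUIDs and tokens are constructed placeholders; the demo token is unsigned, whereas a real token must have its RS256 signature verified against the tenant's JWKS first.

```python
"""Added example (not StifleR's code): map an Entra ID "groups" claim to
StifleR-style access levels. All IDs and tokens below are constructed."""
import base64
import json
import re
import uuid

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
CONFIG = {
    # Mirrors the Service Config Editor fields for Entra ID.
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",   # constructed
    "claim_type": "groups",
    # Group object IDs (GUIDs), not display names; constructed values.
    "admin_groups": {"0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b"},  # DefaultStifleRAdmins
    "read_groups": {"9a8b7c6d-5e4f-4a3b-9c2d-1e0f9a8b7c6d"},   # DefaultStifleRRead
}
ENTRA_ISSUER = re.compile(r"^https://login\.microsoftonline\.com/[0-9a-f-]{36}/v2\.0$")


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(claims):
    """Build an UNSIGNED compact JWT for the demo; the bogus signature segment
    would fail any real verification against the tenant's JWKS."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.bogus-signature"


def jwt_payload(token):
    """Decode the payload for inspection only (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def token_problems(claims, cfg):
    """Reasons to reject the token before any group mapping happens."""
    problems = []
    iss = claims.get("iss", "")
    if not ENTRA_ISSUER.match(iss) or iss != cfg["issuer"]:
        problems.append(f"issuer mismatch: {iss!r}")
    if claims.get("aud") != cfg["client_id"]:
        problems.append(f"audience mismatch: {claims.get('aud')!r}")
    return problems


def access_level(claims, cfg):
    """Map the groups claim to 'admin', 'read' or 'none'.

    Entra emits group object IDs, hence the GUIDs in the config. If the user
    is in more groups than Entra embeds in a JWT, the claim is replaced by an
    overage marker (hasgroups / _claim_names); fail closed on that."""
    if claims.get("hasgroups") or cfg["claim_type"] in claims.get("_claim_names", {}):
        raise PermissionError("group overage: groups claim not in token")
    raw = claims.get(cfg["claim_type"], [])
    if isinstance(raw, str):
        raw = [raw]
    groups = set()
    for g in raw:
        try:
            groups.add(str(uuid.UUID(g)))  # normalise case and format
        except ValueError:
            pass  # not a GUID (e.g. a display name); never matches config
    if groups & cfg["admin_groups"]:
        return "admin"
    if groups & cfg["read_groups"]:
        return "read"
    return "none"


def decide(token, cfg=CONFIG):
    """End to end: decode, reject on issuer/audience, otherwise map groups."""
    claims = jwt_payload(token)
    problems = token_problems(claims, cfg)
    if problems:
        return "rejected: " + "; ".join(problems)
    return access_level(claims, cfg)


def base_claims(**extra):
    """Constructed claim set addressed to this application."""
    claims = {"iss": CONFIG["issuer"], "aud": CONFIG["client_id"], "sub": "user-1"}
    claims.update(extra)
    return claims


if __name__ == "__main__":
    print(decide(make_demo_token(base_claims(groups=["0F1E2D3C-4B5A-6978-8A9B-0C1D2E3F4A5B"]))))
    print(decide(make_demo_token(base_claims(groups=["9a8b7c6d-5e4f-4a3b-9c2d-1e0f9a8b7c6d"]))))
    print(decide(make_demo_token(base_claims(iss="https://login.microsoftonline.com/common/v2.0"))))
```

The issuer check is deliberately strict: a token from https://login.microsoftonline.com/common/v2.0 (multi-tenant) is rejected even though it is a syntactically valid Entra ID issuer, because only the configured tenant's groups are meaningful for the GUIDs in the access settings.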
