# Entra ID integration

StifleR can use **Microsoft Entra ID** as its identity provider to authenticate users and determine access to the StifleR Dashboard. Authentication is performed using **OpenID Connect (OIDC)**, while authorization decisions are based on Entra ID security group membership.

This integration removes the need for local user management in StifleR and allows access to be governed entirely by Entra ID, using the same identities, groups, and policies already in place across the organization.

When a user signs in, Entra ID validates the identity and issues an OIDC token that includes group information. StifleR consumes this information and applies access rules accordingly, ensuring that users only see and manage what they are permitted to.

## Group-Based Access Model

Access to StifleR is controlled by mapping Entra ID security groups to StifleR access levels.

Common patterns include:

* A **read-only group** that allows users to view all Dashboard data without making changes.
* An **administrative group** that grants full control over configuration, monitoring, and management features.

These groups are defined and maintained in Entra ID and referenced in the StifleR Service Config Editor. This ensures that access rules are applied consistently for all users authenticating through Entra ID.

## Centralized Governance and Compliance

Using Microsoft Entra ID as the authentication authority centralizes identity governance for StifleR. All access changes - such as adding users, modifying permissions, or revoking access - are performed in Entra ID and immediately reflected in StifleR at the next login.

This approach simplifies administration, improves auditability, and ensures that StifleR access aligns with organizational security, compliance, and Zero Trust requirements.

## Configuration

### Create Entra ID Groups

Log in to the **Microsoft Azure Portal**, open **Microsoft Entra ID**, and navigate to **Groups**.

<figure><img src="/files/zt489fFQcMKwIYfMoDUl" alt=""><figcaption></figcaption></figure>

Create the following security groups:

* **DefaultStifleRRead** – global read-only access to all StifleR pages
* **DefaultStifleRAdmins** – full administrative access

Groups must be created as **Security** type.

<figure><img src="/files/CXvcif3bEvBdVGwYjLll" alt=""><figcaption></figcaption></figure>

Add users to each group by opening the group, selecting **Members**, and clicking **Add members**.

<figure><img src="/files/1roxDmNHCk3GBnYXSkoh" alt=""><figcaption></figcaption></figure>

***

### Register the Application

Navigate to **App registrations** and either select an existing application or create a new one for StifleR.

<figure><img src="/files/FTiDsFynHXN6K5hRUvv9" alt=""><figcaption></figcaption></figure>

***

### Configure Authentication

Open the application and go to **Authentication (Preview)**, then select **Add Redirect URI**.

<figure><img src="/files/mngfcFGh1tYTrLYrcQfs" alt=""><figcaption></figcaption></figure>

Choose **Web** as the platform type.

<figure><img src="/files/SLg1KhsVG3UIFqbmQh9z" alt=""><figcaption></figcaption></figure>

Configure the **Redirect URI** to point to the StifleR Service callback endpoint:

`https://[YourDomain]:9000/api/Account/Callback`

<figure><img src="/files/K12Q6cQ2nIbVBsS7j6FJ" alt=""><figcaption></figcaption></figure>

***

### Configure Token Claims

Open **Token configuration**.

<figure><img src="/files/jt42igAn1kVZ7wj6EeI7" alt=""><figcaption></figcaption></figure>

Add a **Groups claim** and select **Security groups** so that group membership is included in the OIDC token.

<figure><img src="/files/9VkCQ9ahWjnR1DuLU5Gs" alt=""><figcaption></figcaption></figure>

***

### Configure StifleR Service

Open **StifleR Service Config Editor** and update the access settings.

Set **Authentication Method** to `oidc` and configure the following:

* **"OIDC Provider name"** - Name representing the external OIDC provider.
* **"OIDC Claim type"** - Name of the custom application attribute (token claim) in which the external OIDC provider carries group membership. For Entra ID this should be `groups`; for PingIdentity it is the attribute name defined by the administrator.
* **"OIDC Groups with StifleR Global Admin Access"** - External OIDC provider security groups that have full admin rights to StifleR. Specify the group ID (GUID), not the group name.
* **"OIDC Groups with StifleR Global Read Access"** - External OIDC provider security groups that have read access to StifleR global data, all locations and all items. Specify the group ID (GUID), not the group name.
* **"OIDC Issuer URL"** - Ping Identity: must be in the format `https://auth.pingone.eu/[EnvironmentID]/as/`, ending with a slash. Entra ID: must be in the format `https://login.microsoftonline.com/[TenantID]/v2.0`.
* **"OIDC Client Identifier"** - The unique identifier assigned to your application by the OpenID Connect provider.
* **"OIDC Redirect URL"** - The URL in your application to which the OpenID Connect provider sends the user after completing authentication. This must match one of the redirect URIs registered with your identity provider. It should be in the format `https://[YourDomain]:9000/api/Account/Callback`.
* **"OIDC Dashboard URL"** - Full URL to the StifleR Dashboard. It should be in the format `https://[YourDomain]/StiflerDashboard/#`.
* **"OIDC Authentication ticket expiration (minutes)"** - Expiration time in minutes for the OpenID Connect authentication ticket.

Verify and save the configuration.

<figure><img src="/files/UjrzwJBEguyvrDwMAAGi" alt=""><figcaption></figcaption></figure>
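As an added example (not StifleR's own code), the following shows how the `groups` claim of an Entra ID token maps onto the access levels configured above, and checks for the two configuration mistakes the field descriptions warn about (a group given by name instead of GUID, an issuer URL in the wrong format). The config keys mirror the Service Config Editor fields; the tenant and group GUIDs are constructed placeholders.

```python
import re

# Constructed sample values, not StifleR's own code or settings: the keys mirror
# the Service Config Editor fields above, the GUIDs are placeholders.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CONFIG = {
    "OIDC Claim type": "groups",
    "OIDC Issuer URL": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "OIDC Groups with StifleR Global Admin Access": {"11111111-1111-1111-1111-111111111111"},
    "OIDC Groups with StifleR Global Read Access": {"22222222-2222-2222-2222-222222222222"},
}

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/[0-9a-f-]{36}/v2\.0$", re.I)

def config_problems(config=CONFIG):
    """Flag the two mistakes the field descriptions warn about: a group given
    by display name instead of object ID, and an issuer URL in the wrong format."""
    problems = []
    if not ISSUER_RE.match(config["OIDC Issuer URL"]):
        problems.append("OIDC Issuer URL is not https://login.microsoftonline.com/[TenantID]/v2.0")
    for key in ("OIDC Groups with StifleR Global Admin Access",
                "OIDC Groups with StifleR Global Read Access"):
        for group in config[key]:
            if not GUID_RE.match(group):
                problems.append(f"{key}: '{group}' is not a group object ID (GUID)")
    return problems

def access_level(claims, config=CONFIG):
    """Map the claims of an already signature- and expiry-validated ID token
    to 'admin', 'read' or 'none'. Admin wins when a user is in both groups."""
    # Accept tokens from the configured tenant only: a token from another
    # tenant must not be honoured even if it carries matching-looking GUIDs.
    if claims.get("iss") != config["OIDC Issuer URL"]:
        return "none"
    groups = claims.get(config["OIDC Claim type"])
    # Entra ID omits the groups claim (and emits _claim_names/_claim_sources)
    # when the user is in more groups than fit in the token; treat a missing
    # or malformed claim as no access rather than guessing.
    if not isinstance(groups, list):
        return "none"
    member = {g.lower() for g in groups if isinstance(g, str) and GUID_RE.match(g)}
    admin = {g.lower() for g in config["OIDC Groups with StifleR Global Admin Access"]}
    read = {g.lower() for g in config["OIDC Groups with StifleR Global Read Access"]}
    if member & admin:
        return "admin"
    if member & read:
        return "read"
    return "none"
```

Run `config_problems()` against the values you intend to save before saving them; a group name such as `DefaultStifleRAdmins` in either groups field is reported, because only the object ID is matched against the token.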
