Configure Microsoft Entra ID for OpenID Connect

Secure Access supports the use of the OpenID Connect (OIDC) protocol to authenticate and authorize requests from user devices on networks or network tunnels with internet security enabled. Secure Access can also use OIDC to authenticate requests for private resources from user devices that connect with Zero Trust Access (ZTA).

To enable Secure Access to authenticate with OIDC, you must set up the integration of an OIDC identity provider (IdP) in Secure Access. On the organization's instance of Entra ID, configure an Entra ID OIDC app. Then to complete the integration, add the OIDC IdP metadata in Secure Access.

For information about provisioning an organization's users from Entra ID in Secure Access, see Provision Users and Groups from Microsoft Entra ID.

Note: You cannot use the Microsoft Entra ID SAML app to integrate OpenID Connect with Secure Access.

Table of Contents

• Prerequisites
• Procedure

Prerequisites

• Full Admin user role. For more information, see Manage Accounts.
• Configure an OpenID Connect app integration in your instance of Microsoft Entra ID. For information about configuring an OIDC app with Entra ID, see the Microsoft Entra ID documentation.

Bypass Domains from SSL Decryption

We recommend that you bypass certain domains on the secure web gateway. For more information, see Manage Internet Security Bypass.

To exclude a domain from Secure Access SSL Decryption, add the following domain names to the list of bypassed domains:

• login.live.com
• login.microsoftonline.com
• msauth.net
• msftauth.net

Procedure

• Step 1 – Choose an Authentication Method
• Step 2 – Add an Identity Provider
• Step 3 – Configure the Identity Provider's OIDC Metadata
• Step 4 – Add the OIDC Metadata in Secure Access

Step 1 – Choose an Authentication Method

For the authentication method, choose OpenID Connect (OIDC). For more information, see Add SSO Authentication Profiles.

1. Navigate to Connect > Users and User Groups, and then click Configuration management.

   

2. Navigate to SSO authentication, and then click Add SSO authentication.

   

3. For SSO Authentication Name, enter a unique name for the SSO authentication profile.

   

4. For Authentication Method, click Security Assertion Markup Language (SAML).

   

5. For User Directory, choose the directory for the cloud IdP that provisions the users and groups.

   

6. Click Next.

Step 2 – Add an Identity Provider

Select the Azure SSO authentication IdP, copy the redirect URI for the Relying party (Secure Access), and optionally choose how often a user will be required to authenticate with Secure Access.

Save the Redirect URI and use this URI to configure the Entra ID OIDC app. For information about the Secure Access Redirect URI, see Configure Integrations with OIDC Identity Providers.

1. For Select a Provider, choose Azure.

2. For Redirect URI, click Copy.
   Save the URI (https://fg.id.sse.cisco.com/gw/auth/oidc/callback). You will use this URI when you set up the integration of Secure Access in the Entra ID OIDC app.

   

3. (Optional) For IdP authentication frequency, choose a time interval when a user must authenticate with Secure Access, or select Never.
   The time intervals are: Daily, Weekly, or Monthly.

4. Click Next.

Step 3 – Configure the Identity Provider's OIDC Metadata

For information about configuring an Entra ID OIDC application, see the Microsoft Entra ID documentation.

• Step 3a – Add the Secure Access Redirect URI in Entra ID
• Step 3b – Get the Client ID and Secret for Entra ID OIDC
• Step 3c – Get the Tenant ID for Entra ID OIDC

Step 3a – Add the Secure Access Redirect URI in Entra ID

Add the Secure Access Redirect URI in the Entra ID OIDC app.

1. Sign into your instance of Entra ID, and navigate to the Entra ID OIDC Application.

2. Navigate to OIDC Application > Manage > Authentication.

3. Navigate to Platform configurations > Web.

4. For Redirect URIs, enter the Secure Access Redirect URI that you copied in Step 2. For more information, see Step 2 – Add an Identity Provider.

   

Step 3b – Get the Client ID and Secret for Entra ID OIDC

1. Sign into your instance of Entra ID, and navigate to the Entra ID OIDC Application.

2. Navigate to OIDC Application > Overview, and then copy your application ID.
   You will use the application ID to configure the client ID for the IdP integration in Secure Access.

3. Navigate to OIDC Application > Manage > Certificates and secrets.

4. Click Client secrets.

5. Navigate to Value and copy the secret.
   You will use the secret to configure the client secret for the IdP integration in Secure Access.

   

Step 3c – Get the Tenant ID for Entra ID OIDC

1. Sign into your instance of Entra ID, and navigate to the Entra ID OIDC Application.

2. Navigate to OIDC Application > Overview, and then navigate to Essentials.

3. Navigate to Directory to get your tenant ID.

   

4. Create the OIDC configuration URL substituting your tenant ID for tenantId in the URL.

   https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration
   

5. When you set up the Entra ID integration in Secure Access, add the OIDC configuration URL that you created.

Step 4 – Add the OIDC Metadata in Secure Access

Note: If you update the client's secret in the Entra ID OIDC app, you must reenter the Client Secret in Secure Access.

1. In Secure Access, complete the configuration of the Entra ID OIDC IdP integration.
2. Gather your Entra ID Client ID and secret. For more information, see Step 3b – Get the Client ID and Secret for Entra ID OIDC.
3. For Client ID, enter the application ID from the Entra ID ODIC app.
4. For Client Secret, enter the client's Secret that you generated in the Entra ID OIDC app.
5. Get your Entra ID OIDC configuration URL. For more information, see Step 3c – Get the Tenant ID for Entra ID OIDC.
6. For OIDC Configuration URL, enter the OIDC configuration URL that you created with the metadata from the Entra ID app.
   Note: After you enter the OIDC configuration URL, Secure Access enables the Get configuration.
7. (Optional) Click OIDC Configuration URL is not available if the OIDC URL is not known.
8. For Authorization endpoint, Token endpoint, and JWKS endpoint, click Get configuration to use the OIDC configuration URL to retrieve the OIDC authorization API endpoint data.
   Note: If the OIDC configuration URL is not available, enter the values for Authorization endpoint, Token endpoint, and JWKS endpoint manually.

9. Click Done.

Configure Okta for OpenID Connect < Configure Microsoft Entra ID for OpenID Connect > Configure Integrations with SAML Identity Providers