Microsoft Entra ID OIDC Integration
This manual outlines the steps to configure Microsoft Entra ID (formerly Azure AD) as an Identity Provider (IdP) for our AWS Cognito environment using the modern OIDC protocol.
What is AWS Cognito?
AWS Cognito is a scalable Identity-as-a-Service (IDaaS) solution from Amazon Web Services that we use within Laces for secure identity management. Instead of our application connecting directly to numerous individual systems, Cognito acts as our central identity hub. By using Cognito as a "Service Provider," we can seamlessly federate with external Identity Providers like Microsoft Entra ID. This allows users to sign in securely using their trusted corporate credentials (Single Sign-On), while we ensure uniform access control without storing sensitive passwords.
What is the OIDC protocol?
OpenID Connect (OIDC) is the modern standard for digital identities, built on top of the OAuth 2.0 framework. While SAML uses XML messages, OIDC utilizes lightweight JSON Web Tokens (JWT). It is the current industry standard for Single Sign-On (SSO) due to its high security and broad support. When a user logs in, Entra ID and Cognito exchange secure tokens to confirm the identity. During this process, login credentials always remain within your own trusted Microsoft environment.
Setup Guide
Step 1: Create a New App Registration
Unlike SAML, OIDC is configured via the "App registrations" section.
- Log in to the Microsoft Entra admin center.
- Navigate to Identity > Applications > App registrations.
- Click New registration.
- Enter a name (e.g., "Laces Portal").
- Under Supported account types, select "Accounts in this organizational directory only (Single tenant)".
- Select "Web" as the platform and enter the following Redirect URI: https://cognito.auth.laceshub.com/oauth2/idpresponse
- Click Register.
Step 2: Configure Authentication and Redirect URI
AWS Cognito needs to know where to send the user after a successful login. The Redirect URI in this step contains the placeholder IDP_ID; replace it with the customer-specific identifier that we share with you separately.
- Within the new app registration, go to the Authentication tab.
- Under Redirect URIs, click Add a URI.
- Enter the secondary Redirect URI: https://auth.laceshub.com/api/oauth2/IDP_ID/idpresponse
- Scroll down to the Implicit grant and hybrid flows section.
- Check the box for ID tokens (required for the OIDC handshake).
- Click Save.
Step 3: Create a Client Secret
Because OIDC exchanges tokens over a secure server-to-server ("back-channel") connection, Cognito must authenticate itself to Entra ID, so a password (client secret) is required for the integration.
- Navigate to Certificates & secrets > Client secrets.
- Click New client secret.
- Enter a description (e.g., "Laces Portal Integration") and choose an expiration period.
- Important: Copy the Value (not the Secret ID) immediately after saving. This value will become hidden after you leave the page.
Step 4: API Permissions
To allow the OIDC handshake to exchange identity information, specific permissions must be granted within the App Registration.
- Navigate to API permissions > Add a permission.
- Select Microsoft Graph and then choose Delegated permissions.
- Search for and select the following three permissions:
  - openid: Allows the app to sign users in.
  - email: Allows the app to read the user's primary email address.
  - profile: Allows the app to read the user's basic profile (e.g., name).
- Click Add permissions.
Important: If your organization has restricted user consent, a global administrator must click "Grant admin consent for [Organization]" to activate these scopes. Without this consent, users will be unable to complete the sign-in process.
Step 5: Share Data for Integration
To complete the integration on our side, we require three specific pieces of information. You can find these on the Overview page of your app registration.
- Application (client) ID: Found as a unique UUID on the Overview page of the App Registration.
- Directory (tenant) ID: Found as a unique ID of your Microsoft environment on the Overview page.
- Client Secret (Value): The secret value generated and saved during Step 3.
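The following is an added example and is not code from this guide, from Microsoft, or from AWS. It is a small Python script modelling the checks the relying party (here Cognito) performs once Steps 1 to 5 are in place: it derives the tenant's OIDC issuer and discovery URL from the Directory (tenant) ID, enforces the exact-match rule for the two registered Redirect URIs, builds the authorization request with the three scopes from Step 4, and lists the reasons an ID token would be rejected (wrong issuer, audience, tenant or nonce, expiry, or claims that are missing because admin consent was never granted). The tenant ID, client ID, nonces and token claims are constructed placeholders; IDP_ID stays the placeholder from Step 2, and signature verification against the tenant's JWKS is assumed to have happened already.

```python
# Added example, not part of the Laces guide or of any Microsoft/AWS SDK.
# Models the relying-party checks on the Entra ID side of the OIDC handshake
# with constructed sample values so it runs offline. Tenant ID, client ID,
# nonces and the token claims below are made-up placeholders.
import time
from urllib.parse import urlencode

LOGIN_HOST = "https://login.microsoftonline.com"

# Redirect URIs registered in Steps 1 and 2; IDP_ID stays a placeholder.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://cognito.auth.laceshub.com/oauth2/idpresponse",
    "https://auth.laceshub.com/api/oauth2/IDP_ID/idpresponse",
})


def issuer_for(tenant_id: str) -> str:
    """Issuer Entra ID places in the `iss` claim of v2.0 tokens for a tenant."""
    return f"{LOGIN_HOST}/{tenant_id}/v2.0"


def discovery_url(tenant_id: str) -> str:
    """OIDC discovery document; the relying party reads endpoints and JWKS from here."""
    return f"{issuer_for(tenant_id)}/.well-known/openid-configuration"


def redirect_uri_allowed(redirect_uri: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """OIDC requires an exact string match: a trailing slash or a changed
    scheme is rejected rather than treated as 'close enough'."""
    return redirect_uri in registered


def build_authorize_url(tenant_id, client_id, redirect_uri, state, nonce) -> str:
    """Authorization-code request asking for the scopes granted in Step 4."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError(f"redirect_uri not registered: {redirect_uri}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,   # CSRF protection, bound to the browser session
        "nonce": nonce,   # echoed in the ID token; ties the token to this request
    }
    return f"{LOGIN_HOST}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def id_token_problems(claims, *, tenant_id, client_id, expected_nonce, now=None) -> list:
    """Return the reasons an ID token payload must be rejected (empty = accept).
    Signature verification against the tenant JWKS is assumed done already."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer_for(tenant_id):
        problems.append("issuer mismatch")
    if claims.get("aud") != client_id:
        problems.append("audience mismatch")
    if claims.get("tid") != tenant_id:
        problems.append("tenant mismatch")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    # These claims only appear when the Step 4 scopes were consented to.
    for claim in ("email", "name"):
        if not claims.get(claim):
            problems.append(f"{claim} claim missing (check API permissions/admin consent)")
    return problems


# Constructed sample values (placeholders, not real tenant data).
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_CLIENT = "00000000-0000-0000-0000-0000000000a1"
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": issuer_for(SAMPLE_TENANT),
    "aud": SAMPLE_CLIENT,
    "tid": SAMPLE_TENANT,
    "nonce": "n-1",
    "exp": SAMPLE_NOW + 3600,
    "email": "user@example.com",
    "name": "Example User",
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_TENANT))
    print(build_authorize_url(SAMPLE_TENANT, SAMPLE_CLIENT,
                              "https://cognito.auth.laceshub.com/oauth2/idpresponse",
                              "s-1", "n-1"))
    print("good token:", id_token_problems(SAMPLE_CLAIMS, tenant_id=SAMPLE_TENANT,
                                           client_id=SAMPLE_CLIENT,
                                           expected_nonce="n-1", now=SAMPLE_NOW))
```

Running the script prints the discovery URL for the sample tenant, the authorization request URL, and an empty problem list for the well-formed sample token. Feeding the same function a token with a foreign audience or a past `exp` returns the corresponding reasons, which is the behaviour to expect when the Application (client) ID shared in Step 5 does not match the app registration the token was issued for.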