Azure AD OpenID Configuration

This article will help you on how to integrate Azure AD into Safous ZTNA service as the external Identity Provider for authentication. Before continuing the steps in this article, please ensure you already have:

  • Know the basic information about Safous ZTNA OpenID configuration in here.
  • Have account in Azure AD with these privilege
    • Role Administrator or Global Administrator
    • Enterprise app role permissions to read and update



Azure AD Enterprise Application Configuration:

  1. Go to Azure Active Directory > Enterprise Application
  2. Click on "New Application"
  3. Next click on "Create your own application"
  4. Fill the information about your app name and choose "Integrate any other application you don't find in the gallery (Non-gallery)". Then click "Create"
  5. Next will be open new page for registering the Enterprise Application, but before that you need to change "Redirect URI (optional)" value option into Web. Then click "Register"
  6. Go back to Azure Active Directory, then go to App Registrations where you can find the application that you created previously. Click on the application you created
  7. Choose Expose an API where you need to set "Application ID URI"
  8. Once generate and set, click save and it will became "Application (client) ID" which can be seen in Overview later

  9. Navigate to Authentication and click on "Add a Platform"
  10. Options will open on the right side of web page, then choose Web
  11. You need to enter the the value of Redirect URI this field you need to add the callback URL provided by the User Portal of your tenant (e.g https://login. <tenant> Click "Configure"
    • You might need to change the URL if you have multiple OpenID IDP, which can be seen in the Admin Portal later on
    • Next is to navigate to Certificates & secrets, where you need to create a client secret by clicking "New client secret"
    • Client secret creation options will be open on the right side of the page. In here you need to add description information and choose the expiration of secret. Once decided, click "Add"
    • New secret will be created, please take note of the Client Secret value where you will need it for OpenID registration Admin Portal later
    • Navigate to API permission and verify you have "User.Read" permission already added
    • Last steps on App Registration, you need to navigate to Overview where you need to take notes for these:
      • Application (client) ID
      • Endpoint without "/.well-known/openid-configuration" suffix
    • Lastly you need to add Users or/and Groups in the Enterprise Application that you created for OpenID integration by navigating to "Users and  groups", so those users can login to Safous ZTNA User Portal

    • That complete all necessary configuration in the Azure AD 


    Safous ZTNA Tenant Configuration

    1. login to
    2. Go to Settings tab> ZTNA
    3. In Configurations, choose Identity Provider
    4. It will open the list of identity providers that have been integrated, by default it only has local 
    5. Click on New IDP, which it will expand the form of IDP
    6. Input the name and ensure the status is enable (green)
    7. Ensure you are choosing the OpenID for the identity provider setting
    8. You need to choose and decides which OpenID scopes that you want to enabled, these are some information about those option:
      • openid (required; to indicate that the application intends to use OIDC to verify the user's identity)

      • profile (so you can personalize the email with the user's name)

      • email (so you know where to send the welcome email)

      If you still unsure, we strongly suggest to check/tick all options
    9. Input your OpenID Issuer from Azure AD that you take notes previously in Endpoint
    10. For Name Attribute you can just input "name"
    11. Input your Client ID from Azure AD that you take notes previously in Application (client) ID
    12. Input your Client Secret from Azure AD that you take notes previously in newly created Client Secret
    13. The rest of Safous ZTNA OpenID configuration please refer to here.
    14. Once you done with the configuration, click "Save"
    15. Recheck your "Redirect URI" is it still the same as the one you configured in Azure AD or not by clicking on plus (+) signed of IDP you've integrated

    16. If the "Redirect URI" still the same, you can leave it as is but it is not, you need to changed the one one Azure AD
    17. If everything correctly configured, you can login to the user portal https://users.<xxxx> and check "With IdP", which you will see your OpenID configuration