
Microsoft Entra ID Integration

Microsoft Entra ID is used to authorize users based on group membership.

The authorization is done based on the object identifier in the authorization token.

LAAVAT PKI and Signing Platform uses OAuth2 Implicit grant flow to fetch data from the MS Graph API. Client credentials are used first to get an access token, and then user data is fetched using the access token.

Once the application credentials have been created, follow the instructions in the chapter Secure credentials transfer to LAAVAT.

Creating application

In the Microsoft Entra ID tab of the Azure portal, create a new app registration.

Name the new application appropriately. In the 'Who can use this application or access this API?' dialog, select the single-tenant option (only accounts from this organization can access the application). Add the redirect URLs in the form https://app.laavat.io/<CustomerName>/api/v1/auth/callback and https://app.laavat.io/<CustomerName>/gui/callbackgui

After creating the app, record the Application (client) ID and Directory (tenant) ID in the registration form.

In the Certificates & Secrets tab of the application, create a new client secret. Choose a preferred expiration time for the secret.

Token configuration

The application needs additional information about the user, so an optional claim for upn (User Principal Name) must be added.

Select "Add optional claim" and select ID as the Token type. Then select the upn field and press Add. If there are additional questions, select Yes or Allow.

API permissions

The application uses the Microsoft Graph API endpoint user: checkMemberGroups (see the Microsoft Graph documentation).

To access this API, the application needs the API permissions User.Read.All and GroupMember.Read.All. These permissions must be of the application type (not delegated). Admin consent is required to activate these permissions.
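The flow the two sections above describe (client credentials grant for an application token, then user: checkMemberGroups looked up by the user's object identifier), as an added illustration that is not LAAVAT's own code. The endpoint URLs are Microsoft's published ones; the function names, the injectable post transport and the group identifiers are assumptions made for this example.

```python
import json
import urllib.parse
import urllib.request

# Added example, not LAAVAT code; helper names and the post hook are our own.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_URL = "https://graph.microsoft.com/v1.0/users/{oid}/checkMemberGroups"


def http_post(url, body, headers):
    """Real transport: POST the body and return the decoded JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def get_app_token(tenant_id, client_id, client_secret, post=http_post):
    """Client credentials grant: the app authenticates as itself, so the
    Graph permissions it relies on must be granted as application type."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    reply = post(TOKEN_URL.format(tenant=tenant_id),
                 form, {"Content-Type": "application/x-www-form-urlencoded"})
    return reply["access_token"]

def check_member_groups(access_token, user_oid, group_ids, post=http_post):
    """user: checkMemberGroups returns the subset of the asked group IDs the
    user belongs to (transitively). Graph caps each call at 20 IDs, so the
    candidate list is sent in chunks and the results are unioned."""
    group_ids = list(group_ids)
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    found = set()
    for i in range(0, len(group_ids), 20):
        body = json.dumps({"groupIds": group_ids[i:i + 20]}).encode()
        reply = post(GRAPH_URL.format(oid=user_oid), body, headers)
        found.update(reply.get("value", []))
    return found

def is_authorized(user_oid, allowed_groups, tenant_id, client_id,
                  client_secret, post=http_post):
    """Authorize by object identifier (the oid claim of the user's ID token):
    the user is allowed only if Graph confirms membership in an allowed group."""
    token = get_app_token(tenant_id, client_id, client_secret, post)
    return bool(check_member_groups(token, user_oid, allowed_groups, post))
```

With a fake `post` the logic can be exercised offline; a missing User.Read.All or GroupMember.Read.All application permission shows up in practice as a 403 from the Graph call, not from the token request.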

Expose an API

To enable the Azure CLI to request tokens for the service, an API must be exposed.

Click the Add a scope link. Click Save and continue to accept the proposed Application ID URI.

On the Add a scope blade, enter the following information. You can modify the name and description fields if needed.

Scope name: Signing.Access
Who can consent: Admins only
Admin consent display name: Signing
Admin consent description: Access to LAAVAT PKI and Signing Platform

Click the Add scope button.

In Authorized client applications, add the Azure CLI, which has the application ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46, as an authorized client for this scope.

Support of cloud-native Service Principals

For cloud-native Service Principals to access the LAAVAT PKI and Signing Platform API, this application needs the API permission Directory.Read.All. This permission must be of the application type (not delegated). Admin consent is required to activate it. One use case for a cloud-native Service Principal is creating a Service Principal for a Jenkins instance. This way, the LAAVAT PKI and Signing Platform API can be accessed without an interactive login.