This page walks through how to configure Single Sign-On (SSO) and automated user/group provisioning between Microsoft Entra and the Airia platform, including Just-In-Time (JIT) provisioning. The instructions are intended to be followed by IT administrators or technical staff setting up SSO and provisioning for their organization. Before rolling out SSO broadly, we recommend setting up SCIM provisioning in your identity provider to limit access to a smaller test group before expanding to all users.

Before You Begin

To complete this configuration, you need the necessary permissions within Microsoft Entra and must also be a Platform Admin within the Airia platform.

Registering the Airia Application in Identity Provider

To connect to Airia via SSO, first register the Airia application with your identity provider.

Create an Application Registration

1. In your identity provider (Microsoft Entra), create a new app registration for the Airia platform.

2. Take note of the Application Registration (client) ID and Client Secret, as the secret will not be visible later. Generate a new one if needed, and make note of the expiration date.

Configure Redirect URI:

1. Under the app registration, navigate to the authentication configuration area.

2. Under the Platform Configurations heading, select ‘Add a Platform’.

3. Add a Web platform and enter the Redirect URI provided by Airia. To obtain this, navigate to the Airia Platform > Settings > SSO & Provisioning, turn on SSO, enter your Display name and press return to generate the Redirect URI. The Display name should be unique and should identify the app registration in Entra.

4. Save the changes by selecting ‘Configure’.

Obtain the Discovery Endpoint or OpenID Connect Metadata:

1. From the Airia app registration overview, head to the Endpoints tab.

2. Locate and copy the Discovery Endpoint to facilitate the endpoint mapping into the Airia platform.

3. Alternatively, to manually configure this, make note of the app URL metadata as this will be used to populate the Airia SSO configuration.

Configuring SSO in the Airia Platform

Now that you have created the application within Entra, navigate to Airia to complete the SSO configuration within the Airia platform.

Insert the Discovery Endpoint

  1. In the Airia SSO setup, the recommended path to take is to use the discovery endpoint method. If you have the Entra Discovery Endpoint, paste it into the Discovery endpoint field.
  2. If opting to use Custom Configuration, select that header and complete the fields with the information from the Entra OpenID Connect Metadata.
    1. Authorization URL
    2. Token URL
    3. Logout URL
    4. User Info URL
    5. Issuer
    6. Validation method
    7. PKCE
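
For the Custom Configuration path, the sketch below maps a discovery document onto the URL fields listed above and flags values that should not be pasted in. It is an added example, not Airia or Microsoft code; the field-to-key mapping, the placeholder tenant ID and the sample document are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Airia custom-configuration field -> standard OIDC discovery metadata key
# (assumed mapping; Validation method and PKCE are not derived here).
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Logout URL": "end_session_endpoint",
    "User Info URL": "userinfo_endpoint",
    "Issuer": "issuer",
}
WELL_KNOWN = "/.well-known/openid-configuration"

def map_discovery(discovery_url, metadata_json):
    """Return (fields, problems) for an already-fetched discovery document."""
    meta = json.loads(metadata_json)
    fields, problems = {}, []
    for field, key in FIELD_MAP.items():
        value = meta.get(key)
        if not value:
            problems.append(f"{field}: '{key}' missing from metadata")
            continue
        if urlsplit(value).scheme != "https":
            problems.append(f"{field}: {value} is not an https URL")
        fields[field] = value
    # OpenID Connect Discovery: issuer + well-known suffix must equal the URL
    # the document came from, otherwise it describes a different issuer.
    issuer = meta.get("issuer", "")
    if issuer.rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append("Issuer does not match the discovery endpoint")
    return fields, problems

# Constructed sample: placeholder tenant ID, trimmed to the keys used here.
TENANT = "00000000-0000-0000-0000-000000000000"
BASE = f"https://login.microsoftonline.com/{TENANT}"
SAMPLE_URL = f"{BASE}/v2.0{WELL_KNOWN}"
SAMPLE_DOC = json.dumps({
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "end_session_endpoint": f"{BASE}/oauth2/v2.0/logout",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})

if __name__ == "__main__":
    fields, problems = map_discovery(SAMPLE_URL, SAMPLE_DOC)
    for name, value in fields.items():
        print(f"{name}: {value}")
    print("problems:", problems or "none")
```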
 

Enter Client ID and Secret:

Enter the Application ID and the Client Secret that were created in the previous step.

Set Domains for Auto-Discovery:

Specify your organization’s domain(s).

Set Default Role:

  • For this, we suggest the ‘End User’ role, in line with the principle of least privilege.
    1. Platform Admin – complete access to the admin console.
    2. Admin – limited admin access to build agents but excludes access to functionality such as SSO, Account management and other Platform Admin privileges.
    3. End User – only accesses the agent catalogue to see deployed agents.

Review & Save SSO settings:

Review your settings and save the configuration.