iMIS Power Suite - SSO Premium
Microsoft Entra ID (Formerly Azure AD)
Create an App Registration for the iMIS SSO. Navigate to the Entra admin center and go to Identity > Applications > App registrations.
Client app instructions
Configure an app registration with the following information:
- Authentication:
  - Account types: Accounts in this organizational directory only.
  - Web Redirect URI: Enter the value from the iMIS SSO Premium form under Redirect URL.
- Certificates & secrets > Client secrets:
  - Credentials: Generate a Client Secret value and set the expiration time to the maximum (currently 24 months).
    Note: You will need to refresh this secret value and update the iMIS SSO Premium configuration when the old secret value expires. Be sure to set a calendar reminder before the expiration date to complete this task.
All other settings can be left at their defaults or ignored. Customize the Branding & properties, since users will see this information during sign-in.
Configuration values
Obtain configuration values for iMIS SSO Premium from the following places:
On the Overview tab of the app registration record in Entra (ensure that the Essentials section at the top of the screen is expanded and visible):
- Discovery Domain: At the top, click Endpoints, and copy the OpenID Connect metadata document field. Then select Discover...
- Authorization URL: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the OAuth 2.0 authorization endpoint (v2) field.
- Token URL: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the OAuth 2.0 token endpoint (v2) field.
- Userinfo URL: Enter this value exactly: https://graph.microsoft.com/oidc/userinfo
- Issuer: Should be auto-populated from the discovery document. Or, at the top, click Endpoints, and copy the Authority URL (Accounts in this organizational directory only) field, then append /v2.0 to the end of the URL. The URL should look something like this: https://login.microsoftonline.com/00000000-1234-1234-000000000000/v2.0
- Scopes: Enter this value exactly: openid profile email
- Client ID: Copy the Application (client) ID value.
- Client Secret: Copy the client secret value that was generated from the Certificates & secrets tab. If you lost the secret value, delete the old one and generate a new secret value.
- Enable PKCE: On
- Enable Response Mode Form Post: Off
- Enable Token Endpoint Basic Auth: Off
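As an added example (not part of the iMIS or Microsoft documentation), the following Python script derives the form values above from a constructed sample of an Entra OpenID Connect discovery document and flags the common mistakes: an Issuer without the /v2.0 suffix or for the wrong tenant, v1 endpoints, a Userinfo URL other than the Graph one, or a missing scope. The tenant ID in the sample is a placeholder.

```python
"""Derive iMIS SSO Premium values from an Entra OIDC discovery document and check them."""
import json

# Constructed, abbreviated sample of an Entra v2.0 OpenID Connect metadata document.
TENANT = "00000000-1234-1234-000000000000"  # placeholder tenant ID, not a real tenant
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

REQUIRED_SCOPES = ("openid", "profile", "email")
USERINFO_URL = "https://graph.microsoft.com/oidc/userinfo"


def issuer_from_authority(authority_url: str) -> str:
    """Build the Issuer the way the instructions describe: Authority URL + '/v2.0'.
    A trailing slash on the copied Authority URL is tolerated so it is not doubled."""
    return authority_url.rstrip("/") + "/v2.0"


def derive_config(discovery_json: str, authority_url: str) -> dict:
    """Return the values to enter in the iMIS form plus a list of detected problems."""
    doc = json.loads(discovery_json)
    problems = []
    expected_issuer = issuer_from_authority(authority_url)
    # The Issuer must match the discovery document exactly, or ID token validation fails.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')} != {expected_issuer}")
    # Only the v2.0 endpoints pair with the v2.0 issuer and the Graph userinfo endpoint.
    for key in ("authorization_endpoint", "token_endpoint"):
        if "/oauth2/v2.0/" not in doc.get(key, ""):
            problems.append(f"{key} is not a v2.0 endpoint: {doc.get(key)}")
    if doc.get("userinfo_endpoint") != USERINFO_URL:
        problems.append("userinfo_endpoint differs from the Graph OIDC userinfo URL")
    missing = [s for s in REQUIRED_SCOPES if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append(f"required scopes not advertised: {missing}")
    return {
        "authorization_url": doc.get("authorization_endpoint"),
        "token_url": doc.get("token_endpoint"),
        "userinfo_url": USERINFO_URL,
        "issuer": expected_issuer,
        "scopes": " ".join(REQUIRED_SCOPES),
        "problems": problems,
    }


if __name__ == "__main__":
    for k, v in derive_config(SAMPLE_DISCOVERY, f"https://login.microsoftonline.com/{TENANT}").items():
        print(f"{k}: {v}")
```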
Claims mapping
Map the following claims:
| Field | Claim Name | Location |
|---|---|---|
| External ID | | ID Token |
| Username | | Access Token |
| | | Access Token |
| First Name | | User Info |
| Last Name | | User Info |