Azure AD via OIDC

Azure AD (now Microsoft Entra ID) supports OpenID Connect (OIDC) as a protocol for implementing SSO across applications. Applications such as Mindful can delegate authentication to Azure AD and receive group and role claims in the resulting tokens, so user identity and access are managed in one place across multiple platforms and services.

This section covers the Azure AD SSO integration with OIDC. Topics covered:

  • Setting up OIDC in Azure AD
  • Generating a Client Secret
  • Adding group claims to the application
  • Adding application roles to OIDC
  • Assigning users to OIDC
  • Configuring your Mindful Organization
  • Adding Role Mappings

Set up OIDC in Azure AD

  • Navigate to Azure Active Directory > App Registrations and click New Registration.

image of the app registrations menu

image of the register an application page

  • On the Register an application page, configure the application's Redirect URI. Contact the Mindful Support team for the correct URI and enter it exactly as supplied: Azure AD only returns tokens to a redirect URI that matches the registration.
  • Register the application. Once it has been created, take note of the Application (client) ID and the Directory (tenant) ID. The client ID is used as-is; the tenant ID determines the issuer (for the v2.0 endpoint, https://login.microsoftonline.com/<tenant-id>/v2.0), which is how Mindful verifies that a token came from your tenant.

example of important identifiers

  • Next, generate a client secret for the application (see Generate a Client Secret below) and copy its value as soon as it is shown.
Important: The Client Secret will be used later and cannot be retrieved again without generating another secret.

image highlighting the client secret

Generate a Client Secret

  1. Navigate to your OIDC application from Azure Active Directory > App Registrations.
  2. Click Certificates & secrets, then click New Client Secret.
  3. Enter a description and an expiration date (defaults to six months). Choose the shortest expiry your rotation process can support: once the secret expires, Azure AD rejects the application's token requests and SSO stops working until a new secret is generated and provided to Mindful.
  4. Copy the Value of the generated secret (not the Secret ID). It is shown only once and cannot be retrieved again without generating another secret.
    • Store the value in a secrets manager or another secure store and treat it like a password: anyone holding it can obtain tokens as the application. If you missed this step, delete the current secret and generate another one to copy its value.

image showing an inaccessible OIDC secret

Add Group Claims to the application

  1. Navigate to your OIDC application.
  2. Click Token Configuration.
  3. Click Add groups claim and select the options shown in the image below. This allows the groups claim to be emitted in the ID token, the access token and the SAML attributes (only the ID and access tokens matter for OIDC). The role mappings later on this page match on the group's Object ID, so keep the claim's group attribute as Group ID. Note that if a user belongs to more than 200 groups, Azure AD omits the groups claim from the JWT and emits a _claim_names/_claim_sources overage marker instead; for such users, scope the claim to groups assigned to the application or use application roles.

image of group claims

Add Application Roles to OIDC

  1. From your Azure active directory, select App registrations.
  2. Navigate to your application.
  3. Click App roles, then click Create app role. Give the role a Display name and a Value, and make sure Allowed member types is Users/Groups or Both. The Value (not the Display name) is the string Azure AD places in the token's roles claim, so it is the name you will use when mapping roles later.

image of the edit app role window

Assign Users to OIDC

  1. Navigate to Enterprise Applications > Your application.
  2. Click Assign users and groups, then click Add user/group.
  3. Select the user(s) or group(s) to which you wish to assign the role.
  4. Select the application role to assign to them. If you are relying on group claims rather than application roles, the default role is sufficient.
  5. Click Assign.

image of the role selector

This will add another row to the users and groups list. You should see the new row with your assigned role.

Configure your Mindful Organization for OIDC using Azure AD

Now it's time to link the Mindful Organization to your Azure AD OIDC application. This step can only be performed by Mindful staff.

Add Role Mappings (Azure AD Group to Mindful)

Now you need to map your Azure AD groups (or application roles) to Mindful roles.

  1. Click Add Role Map.
  2. For Name, enter the value that will arrive in the token for the users you want to map:
    • If you are using Azure AD Groups: enter the Group ID of the group you created in Azure AD. To find it, go to Azure Active Directory > Groups, select the group and look for the Object ID field; this UUID is the Group ID.
    • If you are using Azure Application Roles: enter the Value of the app role you created and assigned to your users (this is what the roles claim carries).
  3. For Roles, enter the Mindful role or roles that the user will be assigned when they log in with a matching Name.
  4. Add further role maps if more roles need to be mapped. Make sure to click Save to keep your changes.
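As an added example, not Mindful's or Microsoft's code, covering both the group claims configured above and this role mapping: the script below decodes the claims an Azure AD ID token carries, checks the issuer, audience, tenant and expiry against the client ID and tenant ID noted during registration, and applies a role map keyed by group Object ID or app-role Value, flagging the overage case in which Azure AD omits the groups claim. The tenant ID, client ID, group IDs, role names and the token itself are all constructed for illustration; the signature check, which a real deployment's OIDC library performs against Azure AD's published signing keys, is deliberately not implemented here.

```python
import base64
import json
import time
from typing import Optional

# Constructed stand-ins for the Application (client) ID and Directory (tenant) ID.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Constructed role map in the shape described above: each key is an Azure AD
# group Object ID or an app role's Value; each value lists the roles granted.
ROLE_MAP = {
    "99999999-8888-7777-6666-555555555555": ["agent"],  # group Object ID (constructed)
    "Mindful.Admin": ["admin", "agent"],                # app role Value (assumed)
}


def expected_issuers(tenant_id: str) -> set:
    """Issuer strings Azure AD derives from the tenant ID (v2.0 and v1.0 endpoints)."""
    return {
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        f"https://sts.windows.net/{tenant_id}/",
    }


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT.

    This does NOT verify the signature: in production the OIDC library must
    check the RS256 signature against the tenant's signing keys before any
    claim returned here is trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def validate_claims(claims: dict, tenant_id: str, client_id: str,
                    now: Optional[float] = None) -> list:
    """Return the problems found; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in expected_issuers(tenant_id):
        problems.append("issuer mismatch")      # minted by a different tenant
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")    # minted for a different application
    if claims.get("tid") != tenant_id:
        problems.append("tenant mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def map_roles(claims: dict, role_map: dict) -> tuple:
    """Apply the role map to the groups and roles claims.

    Returns (sorted roles, overage). overage is True when Azure AD omitted the
    groups claim (user in more than 200 groups) and sent the _claim_names
    marker instead; such users get no group-based roles from the token alone."""
    names = list(claims.get("groups", [])) + list(claims.get("roles", []))
    roles = set()
    for name in names:
        roles.update(role_map.get(name, []))
    overage = "groups" not in claims and "groups" in claims.get("_claim_names", {})
    return sorted(roles), overage


# Constructed ID-token payload: one mapped group, one unmapped group and one app
# role. The signature segment is a placeholder, so this token would fail real
# verification and only exercises the functions above.
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
    "exp": 2_000_000_000,
    "sub": "constructed-subject",
    "groups": ["99999999-8888-7777-6666-555555555555",
               "00000000-0000-0000-0000-000000000000"],
    "roles": ["Mindful.Admin"],
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])
```

Running `map_roles(parse_claims(SAMPLE_TOKEN), ROLE_MAP)` yields the roles admin and agent: the unmapped group contributes nothing, and the app role's Value is matched exactly as it appears in the roles claim. Removing the groups claim and adding `_claim_names` reproduces the overage case, which is worth alerting on in production because the affected user silently loses their group-derived roles.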