Entra ID single sign-on setup
Entra ID (Azure AD) integration setup
Create a new App registration in your Azure AD portal:
Choose Single tenant account type:
Copy the Application (client) ID and Directory (tenant) ID from Azure to Ciso:
Enter these in Ciso under the Settings menu > Global Settings > Azure AD:
Next, copy the Redirect URI from Ciso and enter it in the Azure App Registration under Authentication > Add platform > Web > Redirect URI:
Next, add the following permissions to the application under Manage > API permissions > Add a permission. NOTE: Make sure both Delegated and Application permissions are added!
Finally, create a new client secret in Azure under Certificates & secrets > Client secrets > New client secret, and copy it to Ciso:
Copy the Value of the generated secret (not the Secret ID) and paste it into the client secret field in Ciso. Note that this value is only shown once! If you lose it, or when it expires, you will have to create a new secret and repeat this step!
Paste the copied secret value into Ciso:
Everything is now set up for new users in your domain to log in to Ciso, and you should see a new option for this on the login screen:
Notes
New users who have not previously been given any specific role in Ciso will get the default permission role defined in Ciso under Organization > Roles & Permissions. You can change this by unlocking the role table and selecting another role as the default.
If you want to restrict default Ciso access to a limited group of users only, you can add a security group ID in the Ciso Azure settings. Note that this requires you to delegate the GroupMember.Read.All API permission to the Ciso app registration in your Azure settings.
Permissions
In order to see which users have access to Ciso through Entra ID you need to give your application permission to make certain Microsoft Graph API calls. In the Entra ID menu, select "App registrations", then find the app registered for Ciso. Select "API permissions" and add the following application permissions:
- GroupMember.Read.All
- User.Read.All
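To confirm that the tenant ID, client ID, client secret and application permissions from the setup steps above are wired up correctly before handing the login screen to users, the following Python script requests an app-only token with the client-credentials flow and inspects its `roles` claim, which is where admin-consented application permissions such as GroupMember.Read.All and User.Read.All appear. This is an added example, not code from Ciso or from this page. The environment variable names (CISO_TENANT_ID, CISO_CLIENT_ID, CISO_CLIENT_SECRET) and the make_unsigned_token helper (used only to build an offline test input) are assumptions of the example; the token endpoint, grant type and scope are the standard Microsoft identity platform values for this flow.

```python
"""Check an Entra ID app registration used for Ciso SSO (added example, not Ciso code)."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions the page lists for the Ciso app registration.
REQUIRED_APP_ROLES = ("GroupMember.Read.All", "User.Read.All")


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form body) for an app-only token request scoped to Microsoft Graph.

    Endpoint, grant type and scope are the standard client-credentials values.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Only appropriate for inspecting a token we just received from the token
    endpoint over TLS; never use this to trust a token presented by a caller.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(token: str, required=REQUIRED_APP_ROLES) -> list:
    """Application permissions granted with admin consent show up in the 'roles' claim.

    Returns the required roles that are absent, so an empty list means the
    app registration has everything the page asks for.
    """
    granted = set(jwt_claims(token).get("roles", []))
    return sorted(r for r in required if r not in granted)


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT from constructed claims (test input only, assumption)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def fetch_access_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Perform the client-credentials exchange and return the raw access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Environment variable names are an assumption of this example, not Ciso settings.
    token = fetch_access_token(
        os.environ["CISO_TENANT_ID"],
        os.environ["CISO_CLIENT_ID"],
        os.environ["CISO_CLIENT_SECRET"],
    )
    missing = missing_app_roles(token)
    if missing:
        # A wrong secret or tenant fails earlier with an HTTP 400/401 from the
        # token endpoint; reaching this point with missing roles means the
        # permission was not added, or admin consent was not granted.
        raise SystemExit(f"app registration is missing application permissions: {missing}")
    print("token acquired and all required application permissions are present")
```

If the token endpoint rejects the request, the Application (client) ID, Directory (tenant) ID or the pasted secret value does not match what is in Azure (or the secret has expired); if the token arrives but roles are missing, the permission was added without admin consent or not added at all.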
