You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/docs/idp.md
+80-69Lines changed: 80 additions & 69 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -73,6 +73,86 @@ Follow these steps to configure and register your Identity Provider:
73
73
74
74

75
75
76
+
## Connecting Microsoft Entra ID as an Identity Provider
77
+
78
+
This guide specifically details the process for configuring [Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) (formerly Azure Active Directory) as an Identity Provider.
79
+
80
+
### Prerequisites
81
+
82
+
Before you begin the Identity Provider connection process, ensure you have the following:
83
+
84
+
-**Access to AGNTCY Identity Service:** You must have an administrator role or sufficient permissions within the AGNTCY Identity Service application to access the Settings and connect Identity Providers.
85
+
-**Microsoft Azure Account:** An active [Microsoft Azure](https://portal.azure.com/) account with access to Microsoft Entra ID (formerly Azure Active Directory).
86
+
-**Entra ID Application Details:** You must have an application registered in Microsoft Entra ID with the Microsoft Graph API [`Application.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#applicationreadwriteall) permission (granted as Application permission with admin consent). From this app registration, you will need to retrieve:
87
+
- Your **Tenant ID** (Directory ID)
88
+
- The **Client ID** (Application ID)
89
+
- A **Client Secret** (application secret value)
90
+
91
+
If you need to set up your application, follow the [Entra ID Application Configuration](#entra-id-application-configuration) steps below. If your application is already configured, jump directly to [Identity Provider Connection Steps](#identity-provider-connection-steps-1).
92
+
93
+
### Entra ID Application Configuration
94
+
95
+
If you already have your Entra ID Application Details, you can skip this section and jump directly to [Identity Provider Connection Steps](#identity-provider-connection-steps-1).
96
+
97
+
If you need to set up your Entra ID application from scratch, follow these steps:
98
+
99
+
1.**Create App Registration:** Follow the [Microsoft Entra ID App Registration documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) to register a new "Web" application (though any type supporting client credentials will work).
100
+
101
+
2.**Configure Microsoft Graph API Permissions:**
102
+
- Navigate to **API permissions** in your app registration
- This allows AGNTCY Identity Service to create and manage application registrations for your agentic services
108
+
109
+
3.**Create Client Secret:** Follow the [Microsoft documentation on adding credentials](https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-credentials?tabs=client-secret) to create a client secret. Save the value securely (it will only be shown once).
110
+
111
+
4.**Gather Required Information:**
112
+
-**Tenant ID** (Directory ID) - found in your app registration overview
113
+
-**Client ID** (Application ID) - found in your app registration overview
114
+
-**Client Secret** - the value you created in step 3
115
+
116
+

117
+
118
+
:::warning[Important: Replication Delay]
119
+
Microsoft Entra ID uses a globally distributed architecture. After creating applications or service principals, there may be a brief replication delay (typically seconds to a couple of minutes) before the resources are available across all data centers. The AGNTCY Identity Service automatically handles this with built-in retry mechanisms.
120
+
121
+
For more information, see the [Microsoft documentation on 404 errors](https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/404-not-found-error-manage-objects-microsoft-graph).
122
+
:::
123
+
124
+
### Identity Provider Connection Steps
125
+
126
+
Follow these steps to configure and register your Identity Provider:
127
+
128
+
1.**Select Identity Provider:**
129
+
130
+
- On the "Identity Provider Connection" page, you will be presented with a selection of supported Identity Providers.
131
+
- Carefully choose the provider you intend to integrate:
132
+
-**Microsoft Entra ID** (for Microsoft Azure Active Directory integration)
133
+
-**Critical Note:** The selection of an Identity Provider is a **one-time** action. Once saved, this choice cannot be modified later. Ensure you select the correct provider before proceeding.
134
+
135
+
2.**Enter Provider Details:**
136
+
137
+
After selecting Microsoft Entra ID, the "Provider details" section will become active. Enter the values you gathered from the Prerequisites section:
138
+
139
+
-**Tenant ID:** Your Azure AD Tenant ID (Directory ID)
140
+
-_Example:_`12345678-1234-1234-1234-123456789abc`
141
+
-**Client ID:** Your Application ID from the app registration
142
+
-_Example:_`abcdef12-3456-7890-abcd-ef1234567890`
143
+
-**Client Secret:** The client secret value you created (will be masked for security)
144
+
145
+

146
+
147
+
3.**Save Configuration:**
148
+
- Click the **Save** button to register your Microsoft Entra ID provider.
149
+
- Upon successful saving, AGNTCY Identity Service will verify the connection and register the provider.
150
+
- Click **Cancel** to discard changes if needed.
151
+
152
+

153
+
154
+
The AGNTCY Identity Service will use this app registration to dynamically create and manage OAuth client credentials for your agentic services. Each agentic service will receive its own dedicated app registration with isolated credentials, following the principle of least privilege.
155
+
76
156
## Connecting Okta as an Identity Provider
77
157
78
158
This guide specifically details the process for configuring Okta as an Identity Provider.
@@ -243,72 +323,3 @@ When creating your worker application in PingOne, ensure the following:
243
323
4.**Token Endpoint Authentication Method:** Use "Client Secret Basic" or "Client Secret Post"
244
324
245
325
The AGNTCY Identity Service will use this worker application to create and manage OAuth client credentials for your agentic services automatically.
246
-
247
-
## Connecting Microsoft Entra ID as an Identity Provider
248
-
249
-
This guide specifically details the process for configuring [Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) (formerly Azure Active Directory) as an Identity Provider.
250
-
251
-
### Prerequisites
252
-
253
-
Before you begin the Identity Provider connection process, ensure you have the following:
254
-
255
-
-**Access to AGNTCY Identity Service:** You must have an administrator role or sufficient permissions within the AGNTCY Identity Service application to access the Settings and connect Identity Providers.
256
-
-**Microsoft Azure Account:** An active [Microsoft Azure](https://portal.azure.com/) account with access to Microsoft Entra ID (formerly Azure Active Directory).
257
-
-**App Registration Details:** You must have an application registered in Microsoft Entra ID. From this app registration, you will need to retrieve:
258
-
- Your **Tenant ID** (also known as Directory ID)
259
-
- The **Client ID** (also known as Application ID)
260
-
- A **Client Secret** (application secret value) - see [how to add credentials](https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-credentials?tabs=client-secret)
261
-
262
-
:::tip[NOTE]
263
-
You can follow the [Microsoft Entra ID App Registration documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) for detailed instructions on how to register and configure applications within Microsoft Entra ID.
264
-
265
-
The application requires Microsoft Graph API permissions with administrative consent to manage other applications and service principals. Specifically, you need the [`Application.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#applicationreadwriteall) permission granted as an application permission (not delegated).
266
-
:::
267
-
268
-
:::warning[Important: Replication Delay]
269
-
Microsoft Entra ID uses a globally distributed architecture. After creating applications or service principals, there may be a brief replication delay (typically seconds to a couple of minutes) before the resources are available across all data centers. The AGNTCY Identity Service automatically handles this with built-in retry mechanisms.
270
-
271
-
For more information, see the [Microsoft documentation on 404 errors](https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/404-not-found-error-manage-objects-microsoft-graph).
272
-
:::
273
-
274
-
### Identity Provider Connection Steps
275
-
276
-
Follow these steps to configure and register your Identity Provider:
277
-
278
-
1.**Select Identity Provider:**
279
-
280
-
- On the "Identity Provider Connection" page, you will be presented with a selection of supported Identity Providers.
281
-
- Carefully choose the provider you intend to integrate:
282
-
-**Microsoft Entra ID** (for Microsoft Azure Active Directory integration)
283
-
-**Critical Note:** The selection of an Identity Provider is a **one-time** action. Once saved, this choice cannot be modified later. Ensure you select the correct provider before proceeding.
284
-
285
-
2.**Enter Provider Details:**
286
-
287
-
- After selecting your desired Identity Provider (Microsoft Entra ID), the "Provider details" section will become active, prompting you for specific configuration parameters.
288
-
-**Tenant ID:** Enter the Tenant ID (Directory ID) from your Microsoft Entra ID. This uniquely identifies your Azure AD tenant and can be found in the Azure Portal under Microsoft Entra ID > Overview.
289
-
-_Example:_`12345678-1234-1234-1234-123456789abc`
290
-
-**Client ID:** Input the Client ID (Application ID) from your app registration. This uniquely identifies your application within Microsoft Entra ID.
291
-
-_Example:_`abcdef12-3456-7890-abcd-ef1234567890`
292
-
-**Client Secret:** Provide the Client Secret value from your app registration. This is a sensitive credential used for authenticating API requests. For security purposes, the input in this field will be masked (displayed as asterisks).
293
-
- Note: Client secrets have an expiration date. Ensure you track the expiration and rotate the secret before it expires.
294
-
295
-

296
-
297
-
3.**Save Configuration:**
298
-
- Once all required details (Tenant ID, Client ID, and Client Secret) have been accurately entered, click the **Save** button.
299
-
- Upon successful saving, your Microsoft Entra ID provider will be registered and configured within AGNTCY Identity Service.
300
-
- If you need to discard the entered information and cancel the creation process, click the **Cancel** button.
301
-
302
-

303
-
304
-
### Microsoft Entra ID Application Configuration
305
-
306
-
When creating your app registration in Microsoft Entra ID, ensure the following:
307
-
308
-
1.**Application Type:** Register as a "Web" application (though any type supporting client credentials will work)
309
-
2.**Authentication:** Configure for OAuth 2.0 client credentials flow
310
-
3.**API Permissions:** Grant the Microsoft Graph API [`Application.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#applicationreadwriteall) permission as an Application permission (not Delegated), with admin consent. This allows the AGNTCY Identity Service to create and manage application registrations and service principals on your behalf.
311
-
4.**Client Secret:** Create a client secret and securely store the value (it will only be shown once). Follow the [Microsoft documentation on adding credentials](https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-credentials?tabs=client-secret) for step-by-step instructions.
312
-
5.**Admin Consent:** Ensure an administrator has granted consent for the API permissions
313
-
314
-
The AGNTCY Identity Service will use this app registration to dynamically create and manage OAuth client credentials for your agentic services. Each agentic service will receive its own dedicated app registration with isolated credentials, following the principle of least privilege.
0 commit comments