Before you begin
There are two prerequisites to complete before configuring the Identity Provider in ExtremeCloud Universal ZTNA.
- Create a Client ID, Client Secret, and Discovery URL in Azure under App Registration. Save a copy of each to use in this procedure.
- Your organization's AD-synced users must have administrative privileges in Azure so that Microsoft can authorize the user during log in. To set the permission, navigate to .
About this task
Follow this procedure to configure a Microsoft Entra ID - OpenID Connect Identity Provider.
Procedure
1. Select Onboarding.
   The welcome window displays.
2. Select Secure Hybrid Access [Secure Application Access or Secure Network Access].
3. On the Identity Provider window, select Microsoft Entra ID.
4. Select Continue.
   The Identity Provider window displays.
5. Enter Client ID.
6. Enter Client Secret.
7. Enter Tenant ID.
   ![Note](images/note.png)
   Note
   Redirect URLs are on the IdP setup page on the UI. You can copy them and update the redirect URLs in Azure. In Azure, specify the following URLs under the URI section. These URLs redirect the user to the portal after a successful authorization by Microsoft during log-in and sign-up.
   - https://<server URL>/auth/api/v1/accounts/microsoft/login/callback/
   - https://<server URL>/auth/api/v1/accounts/invite/microsoft/signup/callback/
8. (Optional) Select Secure Network Access if you want to allow Multi-Factor Authentication (MFA) enabled users to authenticate with ExtremeCloud Universal ZTNA servers.
   If the Secure Network Access check box is checked, the administrator must create a separate Entra ID Application in Azure and provide its Client ID, Client Secret, and Tenant ID.
9. (Optional) To provision users and user groups in Azure and then sync them with Universal ZTNA, follow these steps:
   a. Follow the Setup Guidelines instructions.
      ![Note](images/note.png)
      Note
      AD Syncing automatically updates Azure users and user groups and UZTNA users and user groups when users are removed or added.
   b. Select Sync AD Users and User Groups.
      The Confirm AD Syncing pop-up window displays. This message cautions the user that they can no longer change the IdP settings if they proceed with syncing.
   c. (Optional) Select Send Invitations to synced users automatically.
   d. Select Confirm.
10. (Optional) Select All Domains or Custom and enter the domain.
    If you select Custom, fill in the approved domains. Applicable for network and application access.
11. Select Validate Information.
    A message in the upper right corner confirms that the validation test passed.
12. Select Update.
    The Update Identity Provider pop-up window displays. This message cautions you that changing the Identity Provider logs out current workspace users.
13. If you decide to continue, select Confirm.
14. Select Next.
    The Onboarding - Access Groups window displays.
15. Configure Access Groups.
16. Configure Resources.
17. Configure Applications and Application Groups.
    You can skip this step if you are using Secure Network Access.
18. Configure Policies.
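The redirect URLs noted under the Tenant ID step are the part of this procedure that most often fails validation: Microsoft Entra ID compares the redirect URI sent in the OpenID Connect request against the registered URIs as exact strings, so a missing trailing slash or an http:// scheme produces a mismatch rather than a near match. The following script is an added example (not Extreme Networks or Microsoft code) that builds the two expected callback URLs from a server URL and checks a list of URIs copied from the Azure app registration against them, flagging exact omissions and near misses separately. It assumes the server URL is the scheme and host of the Universal ZTNA portal with no path, and the `login.microsoftonline.com` discovery URL pattern is the standard Microsoft identity platform OpenID Connect metadata endpoint shown in the app registration's Endpoints pane; the host names and tenant value used below are constructed.

```python
"""Check Azure app-registration redirect URIs against the Universal ZTNA callbacks.

Added example, not vendor code. The callback paths come from the procedure note;
everything else (server URL, tenant value, registered URIs) is constructed input.
"""
from urllib.parse import urlsplit

# Relative callback paths listed in the procedure note (login and invite sign-up).
CALLBACK_PATHS = (
    "/auth/api/v1/accounts/microsoft/login/callback/",
    "/auth/api/v1/accounts/invite/microsoft/signup/callback/",
)

# Constructed sample: what an admin might have pasted into the Azure "URI" section.
# The second entry is missing its trailing slash, a classic exact-match failure.
SAMPLE_SERVER_URL = "https://ztna.example.com"
SAMPLE_REGISTERED = [
    "https://ztna.example.com/auth/api/v1/accounts/microsoft/login/callback/",
    "https://ztna.example.com/auth/api/v1/accounts/invite/microsoft/signup/callback",
]


def expected_redirect_uris(server_url: str) -> list:
    """Return the two callback URLs for the portal at server_url.

    Assumes server_url is an absolute https:// URL; any path on it is dropped so
    that a trailing slash on the input does not double up in the result.
    """
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("server URL must be an absolute https:// URL")
    base = f"https://{parts.netloc}"
    return [base + path for path in CALLBACK_PATHS]


def _loose_key(uri: str) -> tuple:
    """Normalised form used only to detect near misses (scheme and trailing slash ignored)."""
    parts = urlsplit(uri)
    return (parts.netloc.lower(), parts.path.rstrip("/"))


def check_redirect_uris(server_url: str, registered: list) -> tuple:
    """Compare registered URIs with the expected callbacks using exact string matching.

    Returns (missing, near_misses):
      missing     - expected URLs with no exact match among the registered URIs
      near_misses - (registered, expected) pairs that differ only by scheme or trailing slash
    """
    expected = expected_redirect_uris(server_url)
    registered_set = set(registered)
    missing = [url for url in expected if url not in registered_set]

    near_misses = []
    for uri in registered:
        if uri in expected:
            continue  # exact match, nothing to report
        for exp in expected:
            if _loose_key(uri) == _loose_key(exp):
                near_misses.append((uri, exp))
    return missing, near_misses


def discovery_url(tenant_id: str) -> str:
    """OpenID Connect metadata URL for a tenant (standard Microsoft identity platform pattern).

    The same document is what an OIDC client fetches to learn the authorization and
    token endpoints; the Discovery URL saved in the prerequisites should resolve to it.
    """
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


if __name__ == "__main__":
    missing, near = check_redirect_uris(SAMPLE_SERVER_URL, SAMPLE_REGISTERED)
    for url in missing:
        print(f"MISSING : {url}")
    for got, want in near:
        print(f"NEAR MISS: registered {got!r} but Entra ID will only accept {want!r}")
    if not missing and not near:
        print("All redirect URIs match exactly.")
    print("Discovery URL:", discovery_url("<tenant id placeholder>"))
```

Run it against the URI list exported from the app registration before selecting Validate Information; a near miss tells you the fix is a one-character edit in Azure rather than a problem with the Client ID, Client Secret or Tenant ID.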
Results
Your onboarding is complete. Your users, applications, and devices can now access the network securely.