SSO - Microsoft Entra ID

SecDim offers SSO (Single Sign-On) integration with Microsoft Entra ID via OpenID Connect (OIDC). This allows users to log in to the SecDim platform using their existing Entra ID (Azure AD) credentials. This guide walks you through the setup steps your Entra ID administrator needs to complete.

What SecDim needs from you

Before SecDim can activate SSO for your organisation, collect the following from your Entra ID setup and send them to your SecDim account manager.

Value                 Description
Client ID             Application (client) ID from your app registration
Tenant ID             Directory (tenant) ID from your app registration (used for the discovery endpoint in Step 6)
Client Secret         OAuth2 client secret — send via a one-time secret tool, not email
Primary email domain  e.g. acme.com — the domain your users sign in with

SecDim will provide you with a provider name and your SSO login URL in the format https://id.secdim.com?auth=<provider>&origin=play once configuration is complete.

Step 1 — Register an App in Entra ID

  1. Go to Microsoft Entra admin center → Identity → Applications → App registrations

  2. Click New registration

  3. Fill in:

    • Name: SecDim SSO (or similar)

    • Supported account types: Accounts in this organizational directory only (Single tenant)

    • Redirect URI: Select Web, enter:

      https://id.secdim.com/account/login/sso/<provider>/callback

      SecDim will give you the exact <provider> slug.

  4. Click Register

  5. Copy the Application (client) ID and Directory (tenant) ID from the Overview page

Step 2 — Create a Client Secret

  1. Go to Certificates & secrets → Client secrets → New client secret

  2. Set a description (e.g. SecDim) and expiry — 12 or 24 months recommended

  3. Click Add and immediately copy the Value — it will not be shown again

  4. Send this to your SecDim account manager securely (not by email)

Set a calendar reminder to rotate the secret before it expires: once the secret expires, every SSO login fails until a new secret is created and delivered to SecDim.

Step 3 — Configure Token Claims

SecDim requires the following claims in the ID token. These map to standard OIDC scopes (openid profile email), which Entra ID supports by default.

Claim Description

sub

Unique user identifier (used by SecDim to identify the user). Entra ID issues sub per application, so deleting and re-creating the app registration gives every user a new sub.

email

User’s email address

given_name

First name

family_name

Last name

To verify or add them:

  1. Go to Token configuration → Add optional claim → Token type: ID

  2. Add: email, given_name, family_name

  3. If prompted to enable the Microsoft Graph email and profile permissions, accept

Step 4 — (Optional) Automatic Department Assignment

If you want users to be automatically assigned to departments within SecDim on first login, you’ll need to expose a custom department claim from Entra ID.

  1. Go to App registrations → SecDim SSO → Token configuration

  2. Add a custom claim (or use an extension attribute) that returns the user’s department — e.g. department

  3. Let your SecDim account manager know the exact claim name so they can configure the mapping on the SecDim side

SecDim will update the SSO configuration to include this claim in the scope and map it to departments automatically on registration.

Step 5 — Assign Users or Groups

  1. Go to Enterprise applications → SecDim SSO → Users and groups

  2. Assign the users or security groups who should have access

  3. Under Enterprise applications → SecDim SSO → Properties, set Assignment required? to Yes. Without this setting (the default is No), any user in the tenant can log in via SSO regardless of the assignments above; with it, unassigned users are blocked.

Step 6 — Discovery Endpoint

Entra ID’s OIDC discovery endpoint follows this format — SecDim will use this to auto-configure the authorisation, token, and userinfo endpoints:

https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration

Provide your Tenant ID to your SecDim account manager so this can be set correctly.

Step 7 — Test

Once SecDim confirms the configuration is active:

  1. Open https://id.secdim.com?auth=<provider>&origin=play in a private browser window

  2. You will be redirected to Microsoft to authenticate

  3. Sign in with an Entra ID account assigned in Step 5

  4. Confirm you land in SecDim associated with the correct company subscription
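The following is an added example, not SecDim's or Microsoft's code. It is an offline pre-flight check an Entra ID administrator can adapt to confirm, before sending values to SecDim, that the tenant's discovery document (Step 6) and the ID token the tenant issues carry what Steps 3 and 4 ask for: the tenant's v2.0 issuer, the SecDim client ID as audience, the sub/email/given_name/family_name claims, an email in the primary domain, and optionally the department claim. The tenant ID, client ID, discovery document and ID token below are constructed placeholders; the token is decoded without signature verification purely for inspection (SecDim verifies the signature against the tenant's jwks_uri on real logins).

```python
"""Offline pre-flight check for the Entra ID -> SecDim OIDC setup (added example)."""
import base64
import json
import time
from typing import Optional

REQUIRED_CLAIMS = ("sub", "email", "given_name", "family_name")


def discovery_url(tenant_id: str) -> str:
    """Discovery endpoint for a single-tenant app registration (Step 6)."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def expected_issuer(tenant_id: str) -> str:
    """Issuer value Entra ID places in v2.0 ID tokens for this tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def check_discovery(doc: dict, tenant_id: str) -> list:
    """Return problems with a discovery document (empty list means OK)."""
    problems = []
    if doc.get("issuer") != expected_issuer(tenant_id):
        problems.append(f"issuer {doc.get('issuer')!r} does not match tenant {tenant_id}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    return problems


def decode_claims(id_token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only, like jwt.ms)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token(claims: dict, client_id: str, tenant_id: str, email_domain: str,
                   department_claim: Optional[str] = None, now: Optional[float] = None) -> list:
    """Check that ID-token claims satisfy Steps 3, 4 and 6 of the guide."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer(tenant_id):
        problems.append("iss does not match the tenant's v2.0 issuer")
    if claims.get("aud") != client_id:
        problems.append("aud is not the SecDim app registration's client ID")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the tenant ID")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    for claim in REQUIRED_CLAIMS:
        if not claims.get(claim):
            problems.append(f"missing required claim {claim} (Step 3)")
    email = claims.get("email") or ""
    if email and not email.lower().endswith("@" + email_domain.lower()):
        problems.append(f"email {email!r} is not in the primary domain {email_domain}")
    if department_claim and not claims.get(department_claim):
        problems.append(f"missing department claim {department_claim} (Step 4)")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with an empty signature; only for constructing sample input."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'typ': 'JWT', 'alg': 'none'})}.{b64(claims)}."


# Constructed placeholders, not real identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

SAMPLE_DISCOVERY = {  # shape of what the Step 6 URL returns, constructed here
    "issuer": expected_issuer(TENANT_ID),
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
}

GOOD_CLAIMS = {  # constructed sample ID-token payload
    "iss": expected_issuer(TENANT_ID), "aud": CLIENT_ID, "tid": TENANT_ID,
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "email": "jane.doe@acme.com", "given_name": "Jane", "family_name": "Doe",
    "department": "Engineering", "iat": 1700000000, "exp": 1700003600,
}


def run_checks(override: Optional[dict] = None, department_claim: Optional[str] = "department") -> list:
    """Run both checks on the sample data; override lets a test drop or alter claims."""
    claims = dict(GOOD_CLAIMS, **(override or {}))
    token = make_unsigned_token(claims)
    return check_discovery(SAMPLE_DISCOVERY, TENANT_ID) + check_id_token(
        decode_claims(token), CLIENT_ID, TENANT_ID, "acme.com",
        department_claim=department_claim, now=1700000100)


if __name__ == "__main__":
    print("discovery URL:", discovery_url(TENANT_ID))
    print("problems:", run_checks() or "none")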


Summary — what to send SecDim

Value Where to find it

Client ID

App registration → Overview → Application (client) ID

Tenant ID

App registration → Overview → Directory (tenant) ID

Client Secret

Step 2 (send securely)

Primary email domain

e.g. acme.com

Department claim name

Optional — only if using auto department assignment