Connecting your identity provider to Confidencial
This document shows you how to connect to your identity provider, allowing your enterprise’s users to log in to Confidencial using their existing accounts.
The details of how to connect to your identity provider (IDP) vary depending on the IDP being connected, but in most cases, the process amounts to creating an application within your IDP and then assigning users to that application. See the links below for how to connect to your IDP.
Contents:
- Creating an application in Okta
- Creating Confidencial roles for Okta users
- Creating the Okta authorization server for Confidencial
- Assigning users to an application in Okta
- Creating an application in Microsoft Entra ID (formerly Azure Active Directory)
- Assigning users to an application in Entra ID
- Configuring user and group synchronization with SCIM in Entra ID
Creating an application in Okta
- Log in to your Okta instance’s admin portal
- Click Applications under the Applications item in the side menu
- Click the Create App Integration button
- Select OIDC - OpenID Connect and Web Application for Sign-in method and Application type, respectively; click Next
- Ensure the following settings are entered:
  - App integration name: Confidencial
  - Grant type: Authorization Code (the only option that should be selected)
  - Sign-in redirect URIs: https://auth.confidencial.io/login/callback
  - Sign-out redirect URIs: https://my.confidencial.io
Redirect URIs differ from those listed above for sandbox deployments; your Confidencial technical contact will provide the sandbox URIs in those cases.
- For Controlled access, select either “Allow everyone in your organization to access” or “Limit access to selected groups,” depending on who you want to be able to log in to Confidencial.
- If you selected “Allow everyone…,” leave “Enable immediate access with Federation Broker Mode” selected if you want everyone in your organization to be able to access Confidencial. Deselect “Enable immediate access with Federation Broker Mode” if you want to specify the users and groups that can access Confidencial.
- If you selected “Limit access…,” enter the group(s) you’d like to access Confidencial under Selected group(s).
- Click Save
This completes creation of the Okta application and generates a Client Secret that must be securely transmitted to Confidencial during account setup (along with the Okta Domain and Client ID).
Proceed to the next section, Creating Confidencial roles for Okta users
Creating Confidencial roles for Okta users
These steps allow you to define Confidencial “roles” that allow you to grant various administrator permissions to your users by using Okta groups. The Confidencial permissions granted are determined by the description fields of the Okta groups to which each user belongs.
For each role you would like to define in Confidencial:
- Click Groups under the Directory item in the side menu
- Click Add Group
- In the Name field, enter a name for the role (Okta group). In this example, we create a role called C11-Admins.
- In the Description field, enter the Confidencial permissions you would like to grant to members of this role. The available permissions are:
  - crud:members-org: Allows an administrator to create, read, update, and deactivate all members in an organization
  - crud:invitations-org: Allows an administrator to create, read, and delete invitations for an organization
  - crud:recovery-keys-org: Allows an administrator to create, read, and deactivate recovery keys that are used by an organization
  - read:events-org: Allows an administrator to see all Confidencial usage data within an organization
  - crud:encryption-keys-org: Allows an administrator to create and update (replace) public and private encryption key pairs for all members in an organization
  - crud:signature-keys-org: Allows an administrator to create and update (replace) electronic signature keys for all members in an organization
  - crud:groups-org: Allows an administrator to create, read, update, and delete groups within an organization
  - crud:groups-scim-tokens-org: Allows an administrator to create, read, update (replace), and delete tokens that are used by the enterprise’s identity provider to make calls to the SCIM endpoints of the Confidencial Private Key Server
Note that a Confidencial user must be designated as an administrator within the Confidencial system before they can exercise any of the permissions listed above, regardless of their Okta group membership.
- Click Save
- With the Okta group created, take note of the Okta group ID; this will be needed in the next section, Creating the Okta authorization server for Confidencial
- To get the group ID of the group you created, open the group in the Okta admin portal and note the last segment of the browser URL. For example, if the URL ends in /00g9372cmsozlGYI25d7, the group ID is 00g9372cmsozlGYI25d7.
- Add the users to the group to which you would like to assign these permissions
Repeat the steps above for each role you would like to define in the Confidencial system. You can create up to 100 roles for Confidencial users, roles can contain any combination of permissions, and users can belong to any combination of roles.
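Because the permissions a role grants are read from free-text Okta group descriptions, a typo in a description silently grants nothing (or the wrong thing) and is only noticed when an administrator cannot perform an action. The following script is an added example, not code from Confidencial or Okta: it checks a set of role groups against the permission vocabulary listed above and computes the permissions a user would end up with from their group memberships. The group records are constructed to mirror the shape of Okta's group objects (id, profile.name, profile.description); the assumption that permissions in a description are separated by whitespace or commas, and the group-ID shape taken from the example ID above, are the author's assumptions.

```python
"""Validate Confidencial role groups in Okta and compute a user's effective permissions.

Added example, not Confidencial's or Okta's own code. SAMPLE_GROUPS is constructed
test data shaped like Okta group objects; the permission vocabulary is the one listed
in the section above. Assumption: permissions in a description are separated by
whitespace and/or commas.
"""
import re

# Permission strings a Confidencial role may grant (from the section above).
CONFIDENCIAL_PERMISSIONS = {
    "crud:members-org",
    "crud:invitations-org",
    "crud:recovery-keys-org",
    "read:events-org",
    "crud:encryption-keys-org",
    "crud:signature-keys-org",
    "crud:groups-org",
    "crud:groups-scim-tokens-org",
}

MAX_ROLES = 100  # the page's stated limit on Confidencial roles
# Shape of the example group ID 00g9372cmsozlGYI25d7 ("00g" + 17 alphanumerics); an assumption.
OKTA_GROUP_ID = re.compile(r"^00g[A-Za-z0-9]{17}$")


def parse_permissions(description):
    """Split a group description into permission strings (assumed separators: whitespace, commas)."""
    return [p for p in re.split(r"[\s,]+", description or "") if p]


def validate_role_groups(groups):
    """Return a list of problems found in the role groups; an empty list means they are consistent."""
    problems = []
    if len(groups) > MAX_ROLES:
        problems.append(f"{len(groups)} role groups exceeds the limit of {MAX_ROLES}")
    for g in groups:
        name = g["profile"]["name"]
        if not OKTA_GROUP_ID.match(g["id"]):
            problems.append(f"{name}: id {g['id']!r} does not look like an Okta group ID")
        perms = parse_permissions(g["profile"].get("description"))
        if not perms:
            problems.append(f"{name}: description grants no permissions")
        for p in perms:
            if p not in CONFIDENCIAL_PERMISSIONS:
                problems.append(f"{name}: unknown permission {p!r}")
    return problems


def effective_permissions(user_group_ids, groups):
    """Union of the permissions of every role group the user belongs to, sorted."""
    by_id = {g["id"]: g for g in groups}
    perms = set()
    for gid in user_group_ids:
        if gid in by_id:
            perms.update(parse_permissions(by_id[gid]["profile"].get("description")))
    return sorted(perms)


# Constructed sample groups (not real Okta data). The last one has two deliberate mistakes.
SAMPLE_GROUPS = [
    {"id": "00g9372cmsozlGYI25d7",
     "profile": {"name": "C11-Admins",
                 "description": "crud:members-org crud:invitations-org crud:groups-org"}},
    {"id": "00g" + "A" * 16 + "1",
     "profile": {"name": "C11-Auditors", "description": "read:events-org"}},
    {"id": "00g" + "A" * 16 + "2",
     "profile": {"name": "C11-KeyOps",
                 "description": "crud:recovery-keys-org, crud:encryption-keys-org"}},
    {"id": "bad-id",
     "profile": {"name": "C11-Typo", "description": "crud:member-org"}},
]

if __name__ == "__main__":
    for problem in validate_role_groups(SAMPLE_GROUPS):
        print("PROBLEM:", problem)
    print(effective_permissions(["00g9372cmsozlGYI25d7", "00g" + "A" * 16 + "2"], SAMPLE_GROUPS))
```

Run it before pasting group IDs into the authorization server claim: the two problems it reports for C11-Typo (a malformed ID and a misspelled permission) are exactly the kind of mistake that is hard to spot once the claim expression is in place.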
Proceed to the next section, Creating the Okta authorization server for Confidencial
Creating the Okta authorization server for Confidencial
- Click API under the Security item in the side menu
- Click Add Authorization Server
- For Name, enter Confidencial, and for Audience enter api://confidencial.io
- Click the Scopes tab, then click Add Scope
- Enter the following values:
  - Name: groups
  - Display phrase: groups
  - Description: Allows group membership to be passed in token
- Use default values for the other fields
- Click Access Policies, then click Add New Access Policy
- Enter the following values:
  - Name: Default
  - Description: Default
- Assign to: Add the Okta application you created in the previous section, Creating an application in Okta
- Add a rule to govern access to this authorization server, ensuring that “authorization code” is permitted; set access token and refresh token lifetimes as desired
- Click the Claims tab, then click Add Claim
- Enter the following values:
  - Name: permissions
  - Value: Arrays.flatten(getFilteredGroups({"group-id-1", "group-id-2", ... , "group-id-n"}, "Arrays.flatten(group.description)", 100))
- Replace "group-id-1", "group-id-2", ... , "group-id-n" in the above statement with the list of group IDs you created in the section above, Creating Confidencial roles for Okta users. Group IDs should be wrapped in double quotes (") and separated by commas (,), with the entire list of group IDs wrapped in curly braces ({ }).
- Use default values for the other fields
- Click Create
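The claim expression above is easy to get wrong by hand (a missing quote or brace makes Okta reject the claim, and an ID that is not in the braces simply contributes no permissions). The following added example, which is not Confidencial's or Okta's own code, generates the expression from a list of group IDs and then shows what the relying side must check on an access token minted by this authorization server: the signature, the issuer, the audience entered above (api://confidencial.io), the expiry, and finally the `permissions` claim. The token is constructed and signed with HS256 so the example runs offline; real Okta access tokens are RS256-signed and must be verified against the authorization server's JWKS instead. The issuer URL and the secret are placeholders.

```python
"""Build the Okta `permissions` claim expression and check a resulting access token.

Added example, not Confidencial's or Okta's own code. The token is constructed and
HS256-signed for illustration only; Okta issues RS256 tokens verified via the
authorization server's JWKS. ISSUER and DEMO_SECRET are placeholders (assumptions).
"""
import base64
import hashlib
import hmac
import json
import time

AUDIENCE = "api://confidencial.io"  # the Audience entered when creating the authorization server
ISSUER = "https://example.okta.com/oauth2/aus0000000000000000"  # assumed custom authorization server URL
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"


def build_permissions_claim(group_ids):
    """Return the claim Value from the section above with the real group IDs filled in."""
    if not 0 < len(group_ids) <= 100:
        raise ValueError("between 1 and 100 group IDs are supported")
    id_list = ", ".join(f'"{gid}"' for gid in group_ids)
    return f'Arrays.flatten(getFilteredGroups({{{id_list}}}, "Arrays.flatten(group.description)", 100))'


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims, secret):
    """Constructed HS256 JWT for illustration only (Okta issues RS256 tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def check_token(token, secret, now=None):
    """Verify alg, signature, issuer, audience and expiry; return the permissions list or raise."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer: token was not minted by the Confidencial authorization server")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience: token was minted for a different API")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    perms = claims.get("permissions", [])
    if not isinstance(perms, list) or not all(isinstance(p, str) for p in perms):
        raise ValueError("permissions claim must be a list of strings")
    return perms


# Constructed sample: two role groups and a token carrying their flattened descriptions.
SAMPLE_GROUP_IDS = ["00g9372cmsozlGYI25d7", "00g" + "A" * 16 + "2"]
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": AUDIENCE, "sub": "alice@example.com", "scp": ["groups"],
    "exp": 2_000_000_000,
    "permissions": ["crud:members-org", "crud:invitations-org", "crud:recovery-keys-org"],
}

if __name__ == "__main__":
    print(build_permissions_claim(SAMPLE_GROUP_IDS))
    token = make_token(SAMPLE_CLAIMS, DEMO_SECRET)
    print(check_token(token, DEMO_SECRET))
```

The checks run in the order a resource server should apply them: reject an unexpected `alg` before computing anything, verify the signature, then pin `iss` and `aud` before trusting any custom claim. Without the `aud` check a token minted by Okta's default authorization server for some other application would be accepted, and the `permissions` claim it carries (or does not carry) would be acted on.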
Proceed to the next section, Assigning users to an application in Okta
Assigning users to an application in Okta
These steps are not necessary if you left “Enable immediate access with Federation Broker Mode” selected in Step 6 of Creating an application in Okta above.
- Click Applications under the Applications item in the side menu
- Click Confidencial in the list of applications
- Click the Assignments tab
- Click Assign to add users and groups that can log in to Confidencial
This completes the setup of Okta for use with Confidencial. You will now work with the Confidencial team to securely transmit application details.
Creating an application in Microsoft Entra ID (formerly Azure Active Directory)
- Log in to the Microsoft Azure portal
- Click Microsoft Entra ID
- Click App Registrations from the side menu
- Click New Registration from the top toolbar
- Ensure the following settings are entered:
  - Name: Confidencial
  - Supported account types: Select either “Accounts in this organizational directory only,” “Accounts in any organizational directory,” or “Accounts in any organizational directory and personal Microsoft accounts,” depending on who you want to be able to join your Confidencial organization
  - Redirect URI: Choose “Web” in the Select a platform drop-down menu and enter https://auth.confidencial.io/login/callback in the input box
Most organizations will want to select “Accounts in this organizational directory only,” as users outside your organization can log in to Confidencial via their own organization account or via an individual account.
- Click Register
- Click Enterprise Applications from the side menu
- Click Confidencial in the list of applications
- Click Properties from the side menu
- If you want to specify the users that can log in to Confidencial, set Assignment required to “Yes”; otherwise, all users with a supported account type (as selected under Supported account types in Step 5 above) will be able to log in to Confidencial
This completes creation of the Entra ID application and generates a Client Secret that must be securely transmitted to Confidencial during account setup (along with the Entra Domain and Client ID).
Proceed to the next section, Assigning users to an application in Entra ID
Assigning users to an application in Entra ID
These steps are only necessary if you selected “Yes” for Assignment required in Step 10 above.
- From the Microsoft Entra ID home screen, click Enterprise Applications from the side menu
- Click Confidencial in the list of applications
- Click Users and groups from the side menu
- Click Add user/group to add users and groups that can log in to Confidencial
This completes the setup of Entra ID for use with Confidencial. You will now work with the Confidencial team to securely transmit application details.